TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

You Can Run, but You Can’t Hide: Defender Exclusions | Huntress

2024-11-21

ATT&CK techniques detected (7 predictions)

T1112 Modify Registry, 69%
"…AV exclusions: - PowerShell (Set-MpPreference / Add-MpPreference) - WMI (MSFT_MpPreference class) - Group Policy (GPO) - direct registry modification. When someone sets an exclusion via PowerShell, the call execution goes through the MSFT_MpPreference WMI class. T…"

T1112 Modify Registry, 64%
"…byte]10); Force=$true} GPO: Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Exclusions. Direct registry modification: due to MDAV locking down the ability to directly write to the HKEY_LOCAL_MACHINE\SOF…"

T1564.001 Hidden Files and Directories, 52%
"What the Huntress Windows EDR team has implemented: Telemetry: - collect telemetry on exclusions being set via registry operations. We wanted to do this because no matter how someone sets an exclusion, it needs to be set in the registry. This allows us to see if someone sets th…"

T1562.001 Disable or Modify Tools, 46%
"…AV exclusions: - PowerShell (Set-MpPreference / Add-MpPreference) - WMI (MSFT_MpPreference class) - Group Policy (GPO) - direct registry modification. When someone sets an exclusion via PowerShell, the call execution goes through the MSFT_MpPreference WMI class. T…"

T1685 Disable or Modify Tools, 44%
"You Can Run, but You Can't Hide: Defender Exclusions | Huntress. The endpoint team at Huntress is focused on providing telemetry and protections around real adversary threats. One thing we've noticed that's often overlooked is adversaries leveraging Microsoft Defender Antiv…"

T1059.001 PowerShell, 36%
"You Can Run, but You Can't Hide: Defender Exclusions | Huntress. The endpoint team at Huntress is focused on providing telemetry and protections around real adversary threats. One thing we've noticed that's often overlooked is adversaries leveraging Microsoft Defender Antiv…"

T1564.012 File/Path Exclusions, 31%
"…e modifies. However, whenever someone tries to query the Defender exclusions, it will query the exclusions set by GPO and MDAV. Figure 1 shows a Procmon result while running (Get-MpPreference).ExclusionPath in PowerShell. Now that we understand MDAV exclusions a little bit…"

Summary

Understand Microsoft Defender Antivirus exclusions and how adversaries might leverage this capability to bypass scans.