Adversaries may use PowerShell (Add-MpPreference -ExclusionPath) to register the ProgramData directory as a Microsoft Defender exclusion so that anything they stage there is no longer scanned. SOC teams should proactively hunt for this behaviour: a new exclusion covering a system-wide directory that standard users can write to is a defence-evasion step that typically precedes dropping and running payloads from that path.
KQL Query

```kusto
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_all("try", "Add-MpPreference", "-ExclusionPath", "ProgramData", "catch")
```

Scope note: `has_all` is a case-insensitive whole-term match, so "ProgramData" matches anywhere in a path such as C:\ProgramData\Foo, and "-ExclusionPath" matches the switch regardless of surrounding quoting. The query also requires the literal try and catch terms, which ties it to one scripted pattern: an Add-MpPreference call without that wrapper, or one issued from pwsh.exe instead of powershell.exe, is not matched. Treat this as a hunt for a specific observed pattern, not as complete coverage of Defender exclusion tampering.
```yaml
id: bd6e909c-dfb1-4f8f-a94a-14d417bbe87b
name: PowerShell adding exclusion path for Microsoft Defender of ProgramData
description: |
  Identify PowerShell adding the ProgramData directory as a Microsoft Defender exclusion path so that it is no longer monitored.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Defense Evasion
query: |
  DeviceProcessEvents
  | where FileName =~ "powershell.exe" and ProcessCommandLine has_all("try", "Add-MpPreference", "-ExclusionPath", "ProgramData", "catch")
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and this table is being ingested |
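To see exactly which command lines the query accepts and rejects, here is an added Python replay of its logic (example code written for this page, not part of the Sentinel rule or of Microsoft's tooling). It approximates KQL term semantics with a regex tokenizer; the DeviceProcessEvent rows are constructed, and the keyword arguments on `hunt()` are assumptions added to show how widening the image name or dropping the try/catch requirement changes the hit set.

```python
import re
from dataclasses import dataclass

# KQL `has` is a case-insensitive whole-term match. A term is a run of
# alphanumerics/underscore, so "C:\ProgramData\x" contains the term
# "programdata" and the needle "-ExclusionPath" reduces to "exclusionpath".
TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def terms(text):
    return [t.lower() for t in TERM_RE.findall(text)]


def has(text, needle):
    """Approximation of KQL `text has needle`: the needle's terms must occur
    as a contiguous run of whole terms in text (substrings do not count)."""
    hay, want = terms(text), terms(needle)
    return any(hay[i:i + len(want)] == want
               for i in range(len(hay) - len(want) + 1))


def has_all(text, needles):
    return all(has(text, n) for n in needles)


@dataclass
class DeviceProcessEvent:
    report_id: int
    file_name: str
    process_command_line: str


HUNT_TERMS = ("try", "Add-MpPreference", "-ExclusionPath", "ProgramData", "catch")


def hunt(events, file_names=("powershell.exe",), required_terms=HUNT_TERMS):
    """Replay of the page's query: FileName =~ "powershell.exe" and
    ProcessCommandLine has_all(...). Returns the matching ReportIds. The two
    keyword arguments are assumptions that exist only to show how widening the
    filter changes the hits."""
    names = {n.lower() for n in file_names}          # =~ is case-insensitive
    return [e.report_id for e in events
            if e.file_name.lower() in names
            and has_all(e.process_command_line, required_terms)]


# Constructed sample telemetry (not real DeviceProcessEvents rows).
EVENTS = [
    DeviceProcessEvent(1, "powershell.exe",
        r'powershell.exe -nop -w hidden -c "try { Add-MpPreference -ExclusionPath C:\ProgramData } catch {}"'),
    DeviceProcessEvent(2, "pwsh.exe",                 # PowerShell 7: same command, different image
        r'pwsh.exe -c "try { Add-MpPreference -ExclusionPath C:\ProgramData } catch {}"'),
    DeviceProcessEvent(3, "powershell.exe",           # no try/catch wrapper
        r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\ProgramData\Vendor"'),
    DeviceProcessEvent(4, "powershell.exe",           # Set-, not Add-
        r'powershell.exe -c "Set-MpPreference -ExclusionPath C:\ProgramData"'),
    DeviceProcessEvent(5, "POWERSHELL.EXE",           # deployment-style script, true match
        r'''powershell.exe -ExecutionPolicy Bypass -c "try { Add-MpPreference -ExclusionPath 'C:\ProgramData\Contoso\Agent' -ErrorAction Stop } catch { exit 1 }"'''),
    DeviceProcessEvent(6, "powershell.exe",           # read-only query of exclusions
        r'powershell.exe -c "Get-MpPreference | Select-Object ExclusionPath"'),
]

if __name__ == "__main__":
    print("as written:        ", hunt(EVENTS))
    print("+ pwsh.exe:        ", hunt(EVENTS, file_names=("powershell.exe", "pwsh.exe")))
    print("without try/catch: ", hunt(EVENTS, required_terms=HUNT_TERMS[1:4]))
```

Events 1 and 5 are the only hits as written; adding pwsh.exe picks up event 2 and dropping the try/catch terms picks up event 3, which is the trade-off to weigh before widening the rule in production.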
Scenario: System Update or Patching Tool (e.g., Windows Update, Microsoft Update)
Description: A legitimate update process creates and modifies files under ProgramData, but file activity alone never fires this query: it only matches a powershell.exe command line that carries Add-MpPreference, -ExclusionPath, a ProgramData path and the try/catch terms.
Filter/Exclusion: No exclusion on paths containing WindowsUpdate or MicrosoftUpdate is needed for ordinary file writes. If an update tool genuinely adds a Defender exclusion through PowerShell, tune on the exact excluded path and the initiating process rather than on a substring of the path name.
Scenario: Scheduled Task for Configuration Management (e.g., SCCM, Ansible, Puppet)
Description: A configuration management agent may run a PowerShell script that adds an exclusion for its own agent or cache directory under ProgramData, typically wrapped in try/catch, which is a true match for this query.
Filter/Exclusion: Allow-list the specific exclusion paths the tool is documented to add (its own directory, never C:\ProgramData itself) together with the tool's initiating process. A malicious script can just as easily live in a directory named after SCCM, Ansible or Puppet, so do not suppress on the path name alone.
Scenario: Admin Task for Microsoft Defender Configuration (e.g., Set-MpPreference via PowerShell)
Description: An administrator may interactively add an exclusion for a ProgramData subdirectory with Add-MpPreference. Set-MpPreference -ExclusionPath, which replaces the exclusion list, does not contain the Add-MpPreference term and is therefore not matched by this query.
Filter/Exclusion: Do not suppress on membership of the Administrators group: Add-MpPreference requires elevation, so every hit, malicious ones included, comes from an elevated context. Validate interactive hits against a change record and tune on the initiating process (interactive console versus deployment agent) and the exact path instead.
Scenario: Third-Party Application Storing Configuration in ProgramData
Description: Enterprise applications that keep configuration or caches in ProgramData do not trigger this query by storing data there; they only match when their installer or service runs the Add-MpPreference command, which some installers do for their own ProgramData directory.
Filter/Exclusion: Where an installer is known to add such an exclusion, allow-list the vendor's exact directory (e.g., under Cisco, VMware, Dell or Microsoft SQL Server) together with the installer as initiating process; do not exclude on the vendor name alone.
Scenario: Malware Analysis or Sandbox Environment
Description: In a sandbox or malware analysis environment, PowerShell scripts may be used to configure Defender exclusions as part of testing or analysis.
Filter/Exclusion: Exclude processes running in a sandboxed environment (e.g., Cuckoo, Joe Sandbox, or `W
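The tuning advice above reduces to one rule: suppress a hit only when the launcher and every excluded path are individually approved, and never when the excluded path is C:\ProgramData itself. The following Python triage, added here as an example and not part of the page's rule or of any vendor tooling, applies that rule to constructed DeviceProcessEvents rows. The CcmExec.exe parent, the Contoso agent directory and the `triage()`/`exclusion_paths()` helpers are assumptions, and the term check is a simplified stand-in for the KQL `has_all`.

```python
import re

TERM_RE = re.compile(r"[A-Za-z0-9_]+")
HUNT_TERMS = ("try", "add", "mppreference", "exclusionpath", "programdata", "catch")

# Assumed allow-lists: CcmExec.exe as the SCCM client host process and one
# approved agent directory. Both are placeholders for your own inventory.
APPROVED_PARENTS = {"ccmexec.exe"}
APPROVED_PATHS = {r"c:\programdata\contoso\agent"}

# A value after -ExclusionPath: single-quoted, double-quoted, or bare;
# several values may be comma-separated.
VALUE = r"""'[^']*'|"[^"]*"|[^\s,;}]+"""
EXCL_RE = re.compile(rf"-ExclusionPath\s+((?:{VALUE})(?:\s*,\s*(?:{VALUE}))*)",
                     re.IGNORECASE)


def matches_hunt(file_name, cmd):
    """Simplified stand-in for the page's KQL: powershell.exe and every hunt
    term present as a whole, case-insensitive term in the command line."""
    present = {t.lower() for t in TERM_RE.findall(cmd)}
    return file_name.lower() == "powershell.exe" and all(t in present for t in HUNT_TERMS)


def exclusion_paths(cmd):
    """Every path handed to -ExclusionPath: unquoted, lower-cased, no trailing backslash."""
    paths = []
    for m in EXCL_RE.finditer(cmd):
        for raw in m.group(1).split(","):
            p = raw.strip().strip("'\"").rstrip("\\").lower()
            if p:
                paths.append(p)
    return paths


def triage(event):
    """'no-match' if the query would not fire; otherwise 'suppress' only when the
    launcher is an approved agent AND every excluded path is individually approved.
    Anything else, including an exclusion of C:\\ProgramData itself, stays 'alert'."""
    cmd = event["ProcessCommandLine"]
    if not matches_hunt(event["FileName"], cmd):
        return "no-match"
    paths = exclusion_paths(cmd)
    parent_ok = event.get("InitiatingProcessFileName", "").lower() in APPROVED_PARENTS
    paths_ok = bool(paths) and all(p in APPROVED_PATHS for p in paths)
    return "suppress" if parent_ok and paths_ok else "alert"


def triage_all(events):
    return {e["ReportId"]: triage(e) for e in events}


# Constructed sample rows (not real telemetry).
EVENTS = [
    {"ReportId": 1, "FileName": "powershell.exe", "InitiatingProcessFileName": "CcmExec.exe",   # approved agent, approved dir
     "ProcessCommandLine": r'''powershell.exe -c "try { Add-MpPreference -ExclusionPath 'C:\ProgramData\Contoso\Agent' } catch {}"'''},
    {"ReportId": 2, "FileName": "powershell.exe", "InitiatingProcessFileName": "CcmExec.exe",   # approved agent, whole ProgramData
     "ProcessCommandLine": r'powershell.exe -c "try { Add-MpPreference -ExclusionPath C:\ProgramData } catch {}"'},
    {"ReportId": 3, "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",  # interactive launch, approved dir
     "ProcessCommandLine": r'''powershell.exe -c "try { Add-MpPreference -ExclusionPath 'C:\ProgramData\Contoso\Agent' } catch {}"'''},
    {"ReportId": 4, "FileName": "powershell.exe", "InitiatingProcessFileName": "CcmExec.exe",   # no try/catch: query does not fire
     "ProcessCommandLine": r'''powershell.exe -c "Add-MpPreference -ExclusionPath 'C:\ProgramData\Contoso\Agent'"'''},
    {"ReportId": 5, "FileName": "powershell.exe", "InitiatingProcessFileName": "WINWORD.EXE",   # approved dir plus an unapproved one
     "ProcessCommandLine": r'powershell.exe -c "try { Add-MpPreference -ExclusionPath C:\ProgramData\Contoso\Agent, C:\ProgramData } catch {}"'},
]

if __name__ == "__main__":
    for report_id, verdict in triage_all(EVENTS).items():
        print(report_id, verdict)
```

Only row 1 is suppressed. Row 2 shows why the allow-list holds exact directories rather than a ProgramData prefix, row 3 why the launcher matters even for an approved path, and row 5 why every path in a comma-separated list has to pass, not just the first.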