Malware is leveraging Windows Defender exclusions to hide its presence and evade detection by security tools. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate stealthy malware that bypasses standard endpoint protections.
KQL Query
```kql
DeviceRegistryEvents
| where ((ActionType == "RegistryValueSet") and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
    or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"))
```
```yaml
id: 625dce50-2fec-4f49-be92-ad4cab98b313
name: MosaicLoader
description: |
  This hunting query looks for malware that hides itself among Windows Defender exclusions to evade detection.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceRegistryEvents
tactics:
  - Command and control
query: |
  DeviceRegistryEvents
  | where ((ActionType == "RegistryValueSet") and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
      or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
      or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"))
```
| Sentinel Table | Notes |
|---|---|
| DeviceRegistryEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that temporarily adds a folder to Windows Defender exclusions to perform system updates or maintenance.
Filter/Exclusion: Check for tasks associated with Task Scheduler and use the TaskName field to exclude known maintenance tasks like Microsoft AntiSpyware or Windows Update.
Scenario: Antivirus Exclusion for Third-Party Tools
Description: A security tool like Malwarebytes or Bitdefender is installed and adds its own directory to Windows Defender exclusions to avoid conflicts.
Filter/Exclusion: Use the FolderPath field to exclude known directories of security software (e.g., C:\Program Files\Bitdefender or C:\Program Files\Malwarebytes).
Scenario: Admin Task to Exclude Temp Files
Description: An administrator manually adds a temporary directory (e.g., C:\Windows\Temp) to Windows Defender exclusions to prevent false positives during file operations.
Filter/Exclusion: Filter by FolderPath to exclude standard temporary directories or use a regex pattern for common temp paths.
Scenario: PowerShell Script for Log Analysis
Description: A legitimate PowerShell script runs under an admin account and adds a script directory to Windows Defender exclusions to avoid scanning during execution.
Filter/Exclusion: Use the ProcessName field to exclude known PowerShell processes or filter by User to exclude admin accounts if the script is known to be safe.
Scenario: Software Deployment via Group Policy
Description: A software deployment tool (e.g., Microsoft Endpoint Configuration Manager) adds a deployment directory to Windows Defender exclusions to prevent interference during installation.
Filter/Exclusion: Filter by FolderPath to exclude known deployment directories or use the ProcessName
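As an added example that is not part of the original hunt, the same query tuned with the false-positive filters from the scenarios above and grouped per device and initiating process; the vendor terms, the service account name and the temp-directory pattern are assumptions to be replaced with what is approved in your environment.

```kql
// Added example, not the original hunting query: the hunt with the
// false-positive filters from the scenarios above applied.
let lookback = 7d;
// Scenarios 2 and 5: terms in the folder path of approved security or
// deployment software (assumed list; has_any matches whole path terms)
let approved_vendor_terms = dynamic(["bitdefender", "malwarebytes", "ccm"]);
// Scenario 4: service accounts allowed to script exclusions (assumed list)
let approved_accounts = dynamic(["svc-logparser"]);
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\"
| extend ExclusionType = extract(@"\\Exclusions\\([A-Za-z]+)$", 1, RegistryKey)
| where ExclusionType in ("Paths", "Extensions", "Processes")
// Defender stores the excluded path/extension/process as the value name; the data is 0
| extend ExcludedItem = RegistryValueName
// Scenario 3: standard temp directories (assumed pattern)
| where not(ExcludedItem matches regex @"(?i)^c:\\(windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\?$")
| where not(InitiatingProcessFolderPath has_any (approved_vendor_terms))
| where not(InitiatingProcessAccountName in~ (approved_accounts))
// Keep the context that separates a vendor installer from a script or a LOLBin
| extend ScriptedAdd = InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "reg.exe", "wscript.exe", "cscript.exe")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Exclusions = make_set(ExcludedItem, 50), EventCount = count()
    by DeviceName, ExclusionType, ScriptedAdd, InitiatingProcessAccountName,
       InitiatingProcessFolderPath, InitiatingProcessCommandLine
| order by ScriptedAdd desc, EventCount desc
```

Rows with ScriptedAdd set to true and an excluded path outside any approved product directory are the ones to triage first.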