itm4n/PrivescCheck

Detect Defender exclusions rules and ASR rules


From this tweet, it is possible to enumerate Windows Defender's exclusions by listing event ID 5007.
For example, whitelisting cmd.exe generates the following event:
[screenshot of the resulting event ID 5007 entry]
The tool https://github.com/0xsp-SRD/MDE_Enum already implements this finding and also enumerates event ID 1121 to retrieve the ASR rules that have matched.
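The technique described in the issue, as an added PowerShell example that is not part of the original thread and not PrivescCheck's or MDE_Enum's own code. It reads the Defender Operational log for event ID 5007 (configuration change) and pulls out the registry values under `Exclusions\` that were added or removed, then reads event IDs 1121 and 1122 for ASR rule matches (the issue only mentions 1121, which is block mode; 1122 is the audit-mode counterpart). The log name, the message layout the regexes expect, and the assumption that the current user can read the log are assumptions about this host; verify them against a real 5007 and 1121 entry before relying on the parser.

```powershell
# Added example (not PrivescCheck's code): enumerate Defender exclusions and ASR rule matches
# from the Defender Operational log, as described in the issue above.
# Assumptions: the log name below is correct, the current user can read it, and the event
# message text matches the regexes (based on the "New value: HKLM\...\Exclusions\Paths\<path> = 0x0"
# layout of 5007 and the "ID: / Path: / Process Name:" lines of 1121/1122).

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Get-DefenderExclusionFromEvents {
    [CmdletBinding()]
    param([int]$MaxEvents = 500)

    # Each 5007 event lists the registry value that changed. Exclusions live under
    # HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\{Paths,Extensions,Processes,TemporaryPaths}\<value>.
    $Pattern = 'Exclusions\\(?<Type>Paths|Extensions|Processes|TemporaryPaths)\\(?<Value>.+?)\s*=\s*'
    $Events  = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 5007 } `
                            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($Event in $Events) {
        $Message = $Event.Message
        # Text after "New value:" is the current setting; a match before it (i.e. only in
        # "Old value:") means the exclusion was removed by that change.
        $NewValueIndex = $Message.IndexOf('New value:')
        foreach ($Match in [regex]::Matches($Message, $Pattern)) {
            [PSCustomObject]@{
                TimeCreated = $Event.TimeCreated
                Type        = $Match.Groups['Type'].Value
                Value       = $Match.Groups['Value'].Value
                Action      = if ($NewValueIndex -ge 0 -and $Match.Index -gt $NewValueIndex) { 'Added' } else { 'Removed' }
            }
        }
    }
}

function Get-AsrRuleMatchFromEvents {
    [CmdletBinding()]
    param([int]$MaxEvents = 500)

    # 1121 = ASR rule fired in block mode, 1122 = audit mode. The message carries the rule GUID
    # ("ID:"), the file involved ("Path:") and the initiating process ("Process Name:").
    $Events = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1121, 1122 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($Event in $Events) {
        $Message = $Event.Message
        $RuleId  = if ($Message -match 'ID:\s*(\{?[0-9A-Fa-f-]{36}\}?)')        { $Matches[1] } else { $null }
        $Path    = if ($Message -match '(?m)^\s*Path:\s*(.+?)\s*$')             { $Matches[1] } else { $null }
        $Process = if ($Message -match '(?m)^\s*Process Name:\s*(.+?)\s*$')     { $Matches[1] } else { $null }
        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            Mode        = if ($Event.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId      = $RuleId
            Path        = $Path
            Process     = $Process
        }
    }
}

# Usage: deduplicate on Type/Value so that an exclusion added and later removed is easy to spot.
Get-DefenderExclusionFromEvents | Sort-Object Type, Value, TimeCreated | Format-Table -AutoSize
Get-AsrRuleMatchFromEvents      | Sort-Object RuleId, TimeCreated      | Format-Table -AutoSize
```

The output is a history, not the current state: an entry reported as `Added` may have been removed by a later 5007 event, so sort by time and keep the latest action per value before treating a path as excluded. When you do have administrative rights, `Get-MpPreference` (ExclusionPath, ExclusionExtension, ExclusionProcess) gives the authoritative current list to cross-check against; the event-log route matters precisely because it does not need those rights.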

Good idea! Will see what I can do. 🙂

Added with commit 2a163c3 (exclusions only, see issue #57 for ASR rules).