itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License

Detect Defender exclusions rules and ASR rules #59

Closed. nodauf closed this 3 months ago

nodauf commented 3 months ago

From this tweet, it is possible to enumerate Windows Defender's exclusions by listing event ID 5007. For example, whitelisting cmd.exe generates the following event: [image]. The tool https://github.com/0xsp-SRD/MDE_Enum already implements this finding and also enumerates event ID 1121 to retrieve the ASR rules that have matched.
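As an added example (not code from PrivescCheck, MDE_Enum or the comment above), the following PowerShell reads the event ID 5007 entries from the Defender operational log and extracts the exclusion each one records, so an administrator can audit what has been excluded on the host over time. It assumes the 5007 message carries a "New value:" line naming the changed registry value under the Exclusions key; the function name is hypothetical.

```powershell
# Added example: audit Defender exclusion changes recorded as event ID 5007.
# Assumption: the 5007 message contains a line "New value: HKLM\...\Exclusions\<Type>\<Item> = <data>".
function Get-DefenderExclusionEvents {
    [CmdletBinding()]
    param()

    $filter = @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007   # "Windows Defender Antivirus Configuration has changed"
    }

    # Get-WinEvent emits a non-terminating error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        $value = $null
        # Find the "New value:" line; use a plain loop so $Matches is reliable in this scope.
        foreach ($line in ($event.Message -split "`r?`n")) {
            if ($line -match 'New value:\s*(.+)$') {
                $value = $Matches[1].Trim()
                break
            }
        }
        if (-not $value) { continue }

        # Keep only changes under the Exclusions subtree, e.g.
        #   HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools\x.exe = 0x0
        if ($value -match 'Exclusions\\(?<Type>[^\\]+)\\(?<Item>.+?)\s*=\s*\S+$') {
            [PSCustomObject]@{
                TimeCreated = $event.TimeCreated
                Type        = $Matches['Type']   # Paths, Processes, Extensions, ...
                Item        = $Matches['Item']
            }
        }
    }
}

# Usage: print the exclusion changes in chronological order.
Get-DefenderExclusionEvents | Sort-Object TimeCreated | Format-Table -AutoSize
```

Because 5007 is only logged when the configuration changes, exclusions that predate log rollover will not appear; compare the output against the live Get-MpPreference settings when auditing.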

itm4n commented 3 months ago

Good idea! Will see what I can do. :slightly_smiling_face:

itm4n commented 3 months ago

Added with commit 2a163c36e68ee61ae082d412a9b5039625e5daa0 (exclusions only, see issue #57 for ASR rules).