All links of one day
in a single page.
<Previous day - Next day>

rss_feedDaily RSS Feed
floral_left The Daily Shaarli floral_right
——————————— August 12, 2025 - Tuesday 12, August 2025 ———————————
permalink
Tue Aug 12 12:45:27 2025
powershell - defender - evasion - evade -
Abusing Exclusions To Evade Detection | Dazzy Ddos 
function Get-DefenderExclusions {
    param (
        [string]$logName = "Microsoft-Windows-Windows Defender/Operational",
        [int]$eventID = 5007,
        [switch]$Path,
        [switch]$Process,
        [switch]$Extension
    )

    if (-not ($Path -or $Process -or $Extension)) {
        Write-Host "Please specify at least one type of exclusion to filter: -Path, -Process, -Extension."
        return
    }

    # Get all event logs with the specified Event ID
    $events = Get-WinEvent -LogName $logName -FilterXPath "*[System[(EventID=$eventID)]]" -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No events found with Event ID $eventID in the $logName log."
        return
    }

    # Define the regex patterns for exclusion paths, extensions, and processes
    $patterns = @{
        Path = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\([^`"]+)"
        Extension = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\([^`"]+)"
        Process = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\([^`"]+)"
    }

    # Function to parse and return unique exclusions
    function Get-UniqueExclusions {
        param (
            [string]$pattern,
            [string]$exclusionType
        )

        $uniqueExclusions = @{}
        foreach ($event in $events) {
            $message = $event.Message
            if ($message -match $pattern) {
                $exclusionDetail = $matches[1] -replace ' = 0x0.*$', '' -replace 'New value:', '' -replace '^\s+|\s+$', ''
                if (-not $uniqueExclusions.ContainsKey($exclusionDetail) -or $event.TimeCreated -gt $uniqueExclusions[$exclusionDetail]) {
                    $uniqueExclusions[$exclusionDetail] = $event.TimeCreated
                }
            }
        }
        return $uniqueExclusions.GetEnumerator() | Sort-Object Value -Descending | ForEach-Object {
            [PSCustomObject]@{
                ExclusionDetail = $_.Key
                TimeCreated = $_.Value
            }
        }
    }

    # Extract and display exclusions based on the provided arguments
    if ($Path) {
        Write-Host "Path Exclusions:"
        Get-UniqueExclusions -pattern $patterns.Path -exclusionType 'Path' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
    }
    if ($Process) {
        Write-Host "Process Exclusions:"
        Get-UniqueExclusions -pattern $patterns.Process -exclusionType 'Process' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
    }
    if ($Extension) {
        Write-Host "Extension Exclusions:"
        Get-UniqueExclusions -pattern $patterns.Extension -exclusionType 'Extension' | Format-Table -Property ExclusionDetail, TimeCreated -AutoSize -Wrap
    }
}

# Example usage:
# Get-DefenderExclusions -Path -Process -Extension
# Get-DefenderExclusions -Process
-