From this tweet it is possible to enumerate Windows Defender's exclusions by listing the event ID 5007.
For example, whitelisting cmd.exe generates the following event
The tool https://github.com/0xsp-SRD/MDE_Enum already implements this finding and also enumerates the event ID 1121 to retrieve the ASR rules that have matched.
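
For the monitoring side, the same 5007 records can be audited to see which exclusions were added or removed and when. The sketch below is an added example, not code from this issue or from MDE_Enum; the "Old value / New value" registry-path layout of the message is an assumption (the issue's screenshot is not available) and the sample records are constructed.

```python
import re

KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"

# Assumed layout of the Old/New value lines in a 5007 message; adjust the
# pattern to match the events exported from your own hosts.
EXCLUSION_RE = re.compile(
    r"^\s*(Old|New) value:\s*" + re.escape(KEY) +
    r"\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x[0-9a-fA-F]+\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def _msg(old="", new=""):
    """Build a constructed 5007-style message body for the sample data."""
    return ("Microsoft Defender Antivirus Configuration has changed.\n"
            f"\tOld value: {old}\n\tNew value: {new}")

# Constructed sample records: (TimeCreated, EventID, message text)
SAMPLE_EVENTS = [
    ("2024-06-10T09:14:02Z", 5007,
     _msg(new=KEY + r"\Paths\C:\Windows\System32\cmd.exe = 0x0")),
    ("2024-06-10T09:30:00Z", 1121, "constructed ASR record, ignored here"),
    ("2024-06-10T10:02:41Z", 5007, _msg(new=KEY + r"\Extensions\tmp = 0x0")),
    ("2024-06-10T11:30:15Z", 5007, _msg(old=KEY + r"\Extensions\tmp = 0x0")),
]

def exclusion_changes(events):
    """Yield (time, action, kind, value) for each exclusion change."""
    for when, event_id, message in sorted(events, key=lambda e: e[0]):
        if event_id != 5007:
            continue  # only configuration-change events carry exclusions
        # "Old value" precedes "New value", so removals are seen first.
        for side, kind, value in EXCLUSION_RE.findall(message):
            action = "added" if side.lower() == "new" else "removed"
            yield when, action, kind.capitalize(), value

def current_exclusions(events):
    """Replay the changes in time order to get exclusions still in force."""
    state = set()
    for _, action, kind, value in exclusion_changes(events):
        if action == "added":
            state.add((kind, value))
        else:
            state.discard((kind, value))
    return state

if __name__ == "__main__":
    for change in exclusion_changes(SAMPLE_EVENTS):
        print(*change, sep="  ")
    print("still excluded:", sorted(current_exclusions(SAMPLE_EVENTS)))
```
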