Added new atomic - T1518.001.yaml (redcanaryco#2965)

atomics/T1518.001/T1518.001.yaml

@@ -151,4 +151,16 @@ atomic_tests:
       Get-NetFirewallSetting
       Get-NetFirewallRule | select DisplayName, Enabled, Description
     name: powershell 
-    elevation_required: true
+    elevation_required: true
+- name: Get Windows Defender exclusion settings using WMIC
+  description: |
+    In this test, a WMIC command is used to probe the local Windows system for the configuration of Windows Defender's exclusions. This command targets the MSFT_MpPreference 
+    class within the Windows Management Instrumentation (WMI) namespace, allowing the retrieval of critical settings such as disabled real-time monitoring and specified 
+    exclusion paths, file extensions, and processes. Attackers might use this approach to understand what is excluded from antivirus scans, enabling further exploitation.
+  supported_platforms:
+  - windows
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      wmic /Node:localhost /Namespace:\\root\Microsoft\Windows\Defender Path MSFT_MpPreference Get /format:list | findstr /i /C:"DisableRealtimeMonitoring" /C:"ExclusionPath" /C:"ExclusionExtension" /C:"ExclusionProcess"