PowerShell Script with Windows Defender Tampering Capabilities
Detects PowerShell scripts that use Set-MpPreference with parameters that disable or weaken Defender. Attackers tamper with antivirus settings to reduce detection and enable follow-on payload execution.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2024/09/11"
integration = ["windows"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts that use Set-MpPreference with parameters that disable or weaken Defender.
Attackers tamper with antivirus settings to reduce detection and enable follow-on payload execution.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Windows Defender Tampering Capabilities"
note = """## Triage and analysis

> **Disclaimer**:
> This guide was created by humans with the assistance of generative AI. While its contents have been manually curated to include the most valuable information, always validate assumptions and adjust procedures to match your internal runbooks and incident triage and response policies.

### Investigating PowerShell Script with Windows Defender Tampering Capabilities

This alert highlights PowerShell script block activity that attempts to change Windows Defender preferences in ways that can reduce host protections. These changes are frequently used to create a window for follow-on execution (for example, staging payloads, running tools, or maintaining access with reduced scanning and response).

Triage should focus on (1) what protections were targeted and how, (2) who initiated the change and on which host(s), (3) whether the change took effect and persisted, and (4) whether there is surrounding activity that suggests initial access or follow-on malicious actions.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Review the script block content and determine the intended Defender impact:
  - Inspect `powershell.file.script_block_text` and enumerate each `Set-MpPreference` parameter present.
  - Capture whether the script is disabling protections (for example, real-time monitoring, script scanning, network file scanning) or changing default threat actions (low/moderate/high) to more permissive outcomes.
  - Note whether the script changes multiple settings in one execution, repeats the changes, or includes additional logic that suggests deliberate defense impairment rather than a single configuration adjustment.

- Reconstruct full script content when it is split across multiple events:
  - If `powershell.total` is greater than 1, pivot on `powershell.file.script_block_id` and order fragments by `powershell.sequence` to rebuild the full script.
  - Ensure you capture all fragments for the same `powershell.file.script_block_id` on the same `host.id` and `user.id` near the alert time; missing fragments can hide follow-on behavior embedded in later chunks.

- Establish scope across hosts and accounts:
  - Use `@timestamp`, `host.name` / `host.id`, and `user.name` / `user.domain` / `user.id` to determine whether the activity is isolated or distributed.
  - Look for the same user context making similar changes across multiple hosts in a short time window (suggesting automation or compromised credentials).
  - Look for multiple distinct user contexts making similar changes on the same host (suggesting lateral movement or multiple access paths).

- Determine the execution and origin context:
  - If `file.path` or `file.name` is populated, treat the activity as file-backed scripting and capture the location for scoping (where else this script exists, who can write to it, and when it was last introduced).
  - If the file fields are not populated, treat the activity as potentially interactive or dynamically generated content and expand the search for adjacent script blocks from the same `user.id` on the same `host.id` around `@timestamp` to identify staging, execution flow, or repeated attempts.

- Validate whether Defender settings were actually changed and whether the change persisted:
  - Using available endpoint security telemetry and configuration auditing, validate whether the targeted preferences were applied on the affected host(s) and whether they remained in the weakened state after the alert time.
  - Compare against your approved baseline for Defender settings and identify deviations that would materially reduce protection coverage.

- Correlate with adjacent activity to identify initial access and follow-on execution:
  - Correlate by `host.id` and time to nearby process activity to identify the PowerShell host process and its launching context (interactive use vs scheduled/automated execution vs another process initiating PowerShell).
  - Review file and network telemetry around the same time for indicators of payload staging or execution (new files written, unusual outbound connections, or repeated attempts after the change).
  - Check for repeated Defender preference modifications over time on the same host (suggesting persistent tampering) and for other suspicious activity tied to the same `user.id`.

### False positive analysis

Legitimate activity can modify Defender preferences, but it should be explainable, consistent, and controlled.

- Common benign drivers:
  - Approved endpoint management or administrative maintenance that adjusts scanning behavior for performance or operational compatibility.
  - Controlled troubleshooting where settings are temporarily changed and later restored.

- Validation questions to reduce uncertainty:
  - Does `user.id` map to an expected administrative or management identity for this host population?
  - Is the activity aligned with known maintenance windows, change records, and documented procedures?
  - Is `file.path` (when present) consistent with a known, maintained script location, and does the script content align with an approved baseline?

If the activity is benign, document the owner, expected scope (hosts/users), expected recurrence, and the intended steady-state protection posture.

### Response and remediation

If the activity is unauthorized or suspicious, treat it as a defense evasion attempt with potential follow-on actions.

- Contain and preserve evidence:
  - Prioritize affected endpoints identified by `host.id` / `host.name` and preserve relevant evidence, including the full reconstructed script from `powershell.file.script_block_id` and `powershell.file.script_block_text`.
  - Capture the initiating identity context (`user.name`, `user.domain`, `user.id`) for incident scoping and credential review.

- Restore protections and eliminate the change source:
  - Restore Windows Defender preferences to the approved baseline using authorized operational processes and verify protections are active.
  - If `file.path` is present, identify the responsible script and remove or disable unauthorized automation that applies the changes.
  - If the activity appears user-driven or interactive, investigate how the user obtained execution capability on the host and address the root cause.

- Address potential account compromise and lateral movement:
  - Review recent activity associated with the initiating account and affected hosts for signs of credential misuse, unexpected access patterns, or follow-on execution.
  - Apply appropriate credential remediation for impacted identities and review privileged access assignments relevant to the affected endpoints.

- Scope and monitor:
  - Hunt for the same Defender-tampering parameters within `powershell.file.script_block_text` across other hosts and users to identify additional impacted systems.
  - Continue monitoring for recurrence of similar preference changes tied to the same `user.id`, as repeated tampering may indicate persistence or an active intrusion.
"""
risk_score = 47
rule_id = "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6"
setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: PowerShell Logs",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category: "process" and host.os.type:windows and
(
  powershell.file.script_block_text: "Set-MpPreference" and
  powershell.file.script_block_text: (
    DisableArchiveScanning or DisableBehaviorMonitoring or
    DisableIntrusionPreventionSystem or DisableIOAVProtection or
    DisableRemovableDriveScanning or DisableBlockAtFirstSeen or
    DisableScanningMappedNetworkDrivesForFullScan or
    DisableScanningNetworkFiles or DisableScriptScanning or
    DisableRealtimeMonitoring or LowThreatDefaultAction or
    ModerateThreatDefaultAction or HighThreatDefaultAction
  )
) and
not powershell.file.script_block_text : (
  ("cmdletization" and "cdxml-Help.xml") or
  ("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
) and
not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" and
not user.id : "S-1-5-18"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "user.name",
  "user.id",
  "user.domain",
  "powershell.file.script_block_text",
  "powershell.file.script_block_id",
  "powershell.sequence",
  "powershell.total",
  "file.path",
  "file.directory",
  "file.name",
  "process.pid",
  "host.name",
  "host.id",
  "powershell.file.script_block_length"
]
```
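The triage guide above asks the analyst to rebuild script blocks that arrive split across 4104 events (ordering fragments by `powershell.sequence` up to `powershell.total`) and then to hunt for the rule's `Set-MpPreference` parameters with its exclusions applied. The following Python script is an added illustration of both steps; it is not part of the Elastic rule or its repository. It replays the rule's logic over a handful of constructed events using the ECS field names the rule lists. It goes beyond the KQL query in one respect: it evaluates the reassembled block rather than each fragment on its own, so a call whose parameters land in a later fragment is still surfaced, and any block with a missing fragment is marked incomplete so the analyst knows the reconstruction is partial. The host ids, block ids, SIDs and script text are constructed sample data, and the regular-expression matching is an approximation of KQL's analyzed-text match rather than Elasticsearch's actual behaviour.

```python
import re
from collections import defaultdict

# Parameter list copied from the rule's query.
TAMPER_PARAMS = frozenset({
    "DisableArchiveScanning", "DisableBehaviorMonitoring",
    "DisableIntrusionPreventionSystem", "DisableIOAVProtection",
    "DisableRemovableDriveScanning", "DisableBlockAtFirstSeen",
    "DisableScanningMappedNetworkDrivesForFullScan",
    "DisableScanningNetworkFiles", "DisableScriptScanning",
    "DisableRealtimeMonitoring", "LowThreatDefaultAction",
    "ModerateThreatDefaultAction", "HighThreatDefaultAction",
})
# Exclusions copied from the rule's query.
SENSECM_DIR = r"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
LOCAL_SYSTEM_SID = "S-1-5-18"
GENERATED_TYPE = ("Microsoft.PowerShell.Cmdletization.GeneratedTypes."
                  "MpPreference.SubmitSamplesConsentType")


def _key(ev):
    """Fragments belong together only on the same host, user and block id."""
    return (ev["host.id"], ev["user.id"], ev["powershell.file.script_block_id"])


def reassemble(events):
    """Join 4104 fragments in powershell.sequence order, as the guide describes.
    Returns {key: (full_text, complete)}; complete is False when any sequence
    number from 1 to powershell.total is absent."""
    groups = defaultdict(list)
    for ev in events:
        groups[_key(ev)].append(ev)
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda e: e["powershell.sequence"])
        total = frags[0]["powershell.total"]
        complete = [f["powershell.sequence"] for f in frags] == list(range(1, total + 1))
        result[key] = ("".join(f["powershell.file.script_block_text"] for f in frags), complete)
    return result


def tamper_params(text):
    """Approximation of the rule's text predicate: Set-MpPreference plus at least
    one weakening parameter, unless the block is Defender's own generated
    cmdlet help/type text, which the rule excludes."""
    if not re.search(r"\bSet-MpPreference\b", text, re.IGNORECASE):
        return set()
    if "cmdletization" in text and "cdxml-Help.xml" in text:
        return set()
    if "function Set-MpPreference" in text and GENERATED_TYPE in text:
        return set()
    return {p for p in TAMPER_PARAMS if re.search(r"\b%s\b" % p, text, re.IGNORECASE)}


def evaluate(events):
    """Apply the rule to reassembled blocks, honouring the LocalSystem SID and
    SenseCM directory exclusions, and return findings sorted by block id."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[_key(ev)].append(ev)
    findings = []
    for key, (text, complete) in reassemble(events).items():
        host_id, user_id, block_id = key
        if user_id == LOCAL_SYSTEM_SID:
            continue
        if any(ev.get("file.directory") == SENSECM_DIR for ev in by_key[key]):
            continue
        params = tamper_params(text)
        if params:
            findings.append({"host.id": host_id, "user.id": user_id,
                             "script_block_id": block_id,
                             "params": sorted(params), "complete": complete})
    return sorted(findings, key=lambda f: f["script_block_id"])


def _ev(host, user, block, seq, total, text, directory=None):
    """Build a constructed 4104-style event with the ECS fields the rule uses."""
    ev = {"host.id": host, "user.id": user, "powershell.file.script_block_id": block,
          "powershell.sequence": seq, "powershell.total": total,
          "powershell.file.script_block_text": text}
    if directory:
        ev["file.directory"] = directory
    return ev


USER_SID = "S-1-5-21-1000000000-2000000000-3000000000-1001"  # constructed SID

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Block A: two fragments that arrived out of order; the cmdlet is in fragment 2.
    _ev("host-a", USER_SID, "blk-A", 2, 2,
        "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true\n"),
    _ev("host-a", USER_SID, "blk-A", 1, 2, "$ErrorActionPreference = 'SilentlyContinue'\n"),
    # Block B: fragment 2 of 3 never arrived; still flagged, but marked incomplete.
    _ev("host-a", USER_SID, "blk-B", 1, 3, "Set-MpPreference `\n"),
    _ev("host-a", USER_SID, "blk-B", 3, 3, "  -HighThreatDefaultAction $action\n"),
    # Block C: Defender's own generated module text, excluded by the rule.
    _ev("host-b", USER_SID, "blk-C", 1, 1,
        "function Set-MpPreference { ... " + GENERATED_TYPE + " ... DisableRealtimeMonitoring }"),
    # Block D: run as LocalSystem, excluded by the user.id clause.
    _ev("host-b", LOCAL_SYSTEM_SID, "blk-D", 1, 1, "Set-MpPreference -DisableIOAVProtection $true"),
    # Block E: sourced from the SenseCM directory, excluded by the file.directory clause.
    _ev("host-b", USER_SID, "blk-E", 1, 1,
        "Set-MpPreference -DisableBlockAtFirstSeen $true", directory=SENSECM_DIR),
    # Block F: Set-MpPreference with no weakening parameter, not flagged.
    _ev("host-c", USER_SID, "blk-F", 1, 1, "Set-MpPreference -ScanScheduleDay 0"),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Running the script reports blocks A and B only; B carries `complete: False`, which is the cue from the guide to go back to the index and fetch the missing `powershell.sequence` before deciding what the script actually did.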
Related rules
- PowerShell Script with Encryption/Decryption Capabilities
- PowerShell Suspicious Payload Encoded and Compressed
- Suspicious .NET Reflection via PowerShell
- Potential PowerShell Obfuscated Script via High Entropy
- Potential Antimalware Scan Interface Bypass via PowerShell