PowerShell Script with Windows Defender Tampering Capabilities
Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
Elastic rule
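# Elastic prebuilt detection rule: flags PowerShell script blocks that call
# Set-MpPreference with parameters that weaken Windows Defender.
[metadata]
creation_date = "2024/09/11"
integration = ["windows"]
# "production" rules ship in the prebuilt-rules package; the dates track the
# rule's own lifecycle, not the data it inspects.
maturity = "production"
updated_date = "2025/09/03"

[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender
features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
"""
# Look-back window per execution. Kept wider than a typical scheduling interval so
# events delayed in ingestion are still evaluated; pairs with timestamp_override.
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Windows Defender Tampering Capabilities"
# Low score/severity: the listed parameters also have legitimate administrative
# uses, so a hit is a triage lead rather than a confirmed compromise — presumably
# the reason for 21/"low"; confirm against the team's scoring guidance.
risk_score = 21
rule_id = "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6"
# Operator prerequisites shown in the rule UI. Without Script Block Logging the
# powershell.file.script_block_text field is never populated and the query below
# cannot match, so a silent rule is most often a logging-policy problem.
# NOTE(review): this is a basic ("""…""") string, and the registry path below
# contains \S, \P, \M and \W, which are not valid TOML escapes. A strict TOML 1.0
# parser would reject the file; the rule tooling presumably parses leniently —
# confirm before reformatting.
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:
reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: PowerShell Logs",
]
# Evaluate the time window against ingestion time rather than the event's own
# @timestamp, so late-arriving events still fall inside the `from` window.
timestamp_override = "event.ingested"
type = "query"

# Detection logic (KQL). A script block must contain the Set-MpPreference cmdlet
# AND at least one of the listed parameters; each of them disables a Defender
# protection feature or changes the default action taken on a detected threat.
# The three `not` clauses suppress known benign sources:
#   1. the Defender PowerShell module's own CDXML-generated function definitions,
#      which script block logging records when the module loads;
#   2. scripts run from the SenseCM directory (presumably Defender for Endpoint
#      configuration management — confirm);
#   3. anything run as SYSTEM (S-1-5-18).
# NOTE(review): exclusion 3 is a coverage gap — tampering carried out from a
# SYSTEM context (a service, scheduled task or other SYSTEM-level launcher) does
# not alert. If event volume permits, prefer narrowing it to the specific benign
# process or script path rather than the whole account.
# NOTE(review): the match is on a text field; split, concatenated or otherwise
# obfuscated cmdlet/parameter names will not match here and are left to the
# PowerShell obfuscation rules listed under "Related rules". Exclusion-related
# parameters (e.g. ExclusionPath) are not in the list and are presumably covered
# by a sibling rule — confirm before relying on this rule alone.
# The literal ('''…''') string form means the Windows path in the file.directory
# clause needs no backslash escaping.
query = '''
event.category: "process" and host.os.type:windows and
(
 powershell.file.script_block_text: "Set-MpPreference" and
 powershell.file.script_block_text: (
 DisableArchiveScanning or DisableBehaviorMonitoring or
 DisableIntrusionPreventionSystem or DisableIOAVProtection or
 DisableRemovableDriveScanning or DisableBlockAtFirstSeen or
 DisableScanningMappedNetworkDrivesForFullScan or
 DisableScanningNetworkFiles or DisableScriptScanning or
 DisableRealtimeMonitoring or LowThreatDefaultAction or
 ModerateThreatDefaultAction or HighThreatDefaultAction
 )
) and
not powershell.file.script_block_text : (
 ("cmdletization" and "cdxml-Help.xml") or
 ("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
) and
not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" and
not user.id : "S-1-5-18"
'''


# ATT&CK mapping. Each [[rule.threat]] element carries one tactic; its
# technique/subtechnique arrays and the [rule.threat.tactic] sub-table belong to
# that element and must stay between its header and the next [[rule.threat]].
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"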
Related rules
- Dynamic IEX Reconstruction via Method String Access
- Potential Dynamic IEX Reconstruction via Environment Variables
- Potential PowerShell Obfuscation via High Numeric Character Proportion
- Potential PowerShell Obfuscation via Invalid Escape Sequences
- Potential PowerShell Obfuscation via Reverse Keywords