Abusing PowerShell to Disable Defender Components
Looks for instances of PowerShell being used to disable or impair Windows Defender functionality: a Set-MpPreference command line that also carries one of the parameters that turns off real-time monitoring, IOAV (downloaded file and attachment) scanning, behavior monitoring, network intrusion prevention or script scanning, or that adds a process exclusion. Inspired by the 2022 Red Canary Threat Detection Report. Note that the rule only fires for an Image ending in \powershell.exe, so the same commands issued from pwsh.exe (PowerShell 7) are not covered.
Sigma rule
```yaml
title: Abusing PowerShell to Disable Defender Components
id: 32cfafc8-fbdc-43e0-a2cd-11b99630d270
status: experimental
description: Looks for instances of powershell being used to disable or impair Windows
  Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.
references:
  - https://redcanary.com/threat-detection-report/techniques/disable-or-modify-tools/
author: Micah Babinski
date: 2022/11/04
tags:
  - attack.defense_evasion
  - attack.t1562
  - attack.t1562.001
  - attack.t1562.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: 'Set-MpPreference'
    Image|endswith: '\powershell.exe'
  selection2:
    CommandLine|contains:
      - 'disablerealtimemonitoring'
      - 'disableioavprotection'
      - 'disablebehaviormonitoring'
      - 'disableintrusionpreventionsystem'
      - 'exclusionprocess'
      - 'disablescriptscanning'
  condition: selection and selection2
falsepositives:
  - Unknown
level: high
```
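As an added example, not part of the rule or of this page, here is the detection logic above re-implemented in Python and run over a handful of constructed process_creation events. The image paths and command lines are made up for illustration; the rule reads only Image and CommandLine, so that is all each event carries. Beyond the two command lines the rule is meant to catch, the sample deliberately includes cases the rule does not flag: the same command from pwsh.exe, an abbreviated parameter name (PowerShell resolves any unambiguous prefix of a parameter name), and the cmd.exe parent of a PowerShell launch.

```python
"""Added example: the Sigma rule's detection logic re-implemented in Python and
run over constructed process_creation events. Not the rule's own tooling."""
from dataclasses import dataclass

RULE_ID = "32cfafc8-fbdc-43e0-a2cd-11b99630d270"

# Field values copied from the rule's detection block. Sigma's contains/endswith
# modifiers match case-insensitively by default, so both sides are lowercased.
IMAGE_SUFFIX = "\\powershell.exe"          # Image|endswith
CMDLINE_REQUIRED = "set-mppreference"      # selection: CommandLine|contains
CMDLINE_ANY = (                            # selection2: CommandLine|contains (OR list)
    "disablerealtimemonitoring",
    "disableioavprotection",
    "disablebehaviormonitoring",
    "disableintrusionpreventionsystem",
    "exclusionprocess",
    "disablescriptscanning",
)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event: only the two fields the rule reads."""
    image: str
    command_line: str


def selection(ev: ProcessEvent) -> bool:
    """selection: Image ends with \\powershell.exe AND CommandLine contains Set-MpPreference."""
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            and CMDLINE_REQUIRED in ev.command_line.lower())


def selection2(ev: ProcessEvent) -> bool:
    """selection2: CommandLine contains any of the Defender-impairing parameter names."""
    cl = ev.command_line.lower()
    return any(term in cl for term in CMDLINE_ANY)


def matches(ev: ProcessEvent) -> bool:
    """condition: selection and selection2"""
    return selection(ev) and selection2(ev)


WINPS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0. Real-time monitoring disabled from Windows PowerShell: should fire.
    ProcessEvent(WINPS, "powershell.exe -NoP -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    # 1. Process exclusion added: should fire on "exclusionprocess".
    ProcessEvent(WINPS, r'powershell -ep bypass -c "Set-MpPreference -ExclusionProcess C:\Users\Public\agent.exe"'),
    # 2. Benign Set-MpPreference use (signature update interval): selection only, no alert.
    ProcessEvent(WINPS, "powershell.exe -Command Set-MpPreference -SignatureUpdateInterval 4"),
    # 3. Same impairment from PowerShell 7: Image is pwsh.exe, so the rule misses it.
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    # 4. PowerShell accepts unambiguous parameter prefixes, so this still disables
    #    real-time monitoring while the full parameter name never appears.
    ProcessEvent(WINPS, "powershell.exe -c Set-MpPreference -DisableRealtimeMo $true"),
    # 5. Launched via cmd.exe: this event's Image is cmd.exe; the child
    #    powershell.exe process would be a separate event.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "powershell Set-MpPreference -DisableBehaviorMonitoring $true"'),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return the 0-based indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(f"{'ALERT' if matches(ev) else '-----'} [{i}] {ev.command_line}")
    print("rule", RULE_ID, "fired on events", evaluate())
```

Running it prints ALERT for events 0 and 1 only. Events 3 to 5 are the gaps to keep in mind when tuning this rule: extend the Image match to pwsh.exe, and decide whether to accept shorter parameter prefixes at the cost of more noise; the cmd.exe case is covered only if the child powershell.exe event is also logged.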
Related rules
- Abusing PowerShell to Modify Defender Components
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Base64 Encoding in CMD or Powershell
- CMD Launching Batch Script Stored on External Drive (Chromeloader)
- Command Shell Obfuscated Commands