Abusing PowerShell to Disable Defender Components

Looks for instances of PowerShell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Sigma rule

```yaml
title: Abusing PowerShell to Disable Defender Components
id: 32cfafc8-fbdc-43e0-a2cd-11b99630d270
status: experimental
description: Looks for instances of powershell being used to disable or impair Windows
    Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/disable-or-modify-tools/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.t1562.001
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'Set-MpPreference'
        Image|endswith: '\powershell.exe'
    selection2:
        CommandLine|contains:
            - 'disablerealtimemonitoring'
            - 'disableioavprotection'
            - 'disablebehaviormonitoring'
            - 'disableintrusionpreventionsystem'
            - 'exclusionprocess'
            - 'disablescriptscanning'
    condition: selection and selection2
falsepositives:
    - Unknown
level: high
```
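The following is an added example, not part of the rule or the Sigma project, that reimplements the rule's two selections in plain Python and runs them over a few constructed process_creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, which is why the lowercase keywords in `selection2` still match mixed-case command lines. The sample events, the `SAMPLE_EVENTS` list and the `evaluate` helper are all constructed here for illustration; the third event shows a coverage caveat worth knowing as a defender: because `selection` only matches an Image ending in `\powershell.exe`, the same command line launched through `pwsh.exe` (PowerShell 7) is not caught by this rule.

```python
"""Evaluate the Sigma rule above against constructed process_creation events.

Added example, not part of the rule or the Sigma project. Sigma's string
modifiers `contains` and `endswith` are case-insensitive, so every comparison
below lowercases both sides first.
"""

# Keywords copied verbatim from the rule's selection2 list.
DEFENDER_KEYWORDS = [
    "disablerealtimemonitoring",
    "disableioavprotection",
    "disablebehaviormonitoring",
    "disableintrusionpreventionsystem",
    "exclusionprocess",
    "disablescriptscanning",
]


def selection(event: dict) -> bool:
    """selection: Image ends with \\powershell.exe AND CommandLine contains Set-MpPreference."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\powershell.exe") and "set-mppreference" in cmd


def selection2(event: dict) -> bool:
    """selection2: CommandLine contains any one of the Defender-impairment keywords."""
    cmd = event.get("CommandLine", "").lower()
    return any(keyword in cmd for keyword in DEFENDER_KEYWORDS)


def matches(event: dict) -> bool:
    """condition: selection and selection2"""
    return selection(event) and selection2(event)


# Constructed sample events (not real telemetry), one dict per process_creation record.
SAMPLE_EVENTS = [
    {   # both selections hit: the rule should alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    },
    {   # benign Set-MpPreference use: selection hits, selection2 does not, no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Set-MpPreference -ScanScheduleDay 0",
    },
    {   # same impairment via pwsh.exe: the Image filter misses it (coverage gap)
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe Set-MpPreference -DisableBehaviorMonitoring $true",
    },
    {   # unrelated process: no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return one boolean verdict per event, in input order."""
    return [matches(event) for event in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

Run as a script it prints one line per sample event with `ALERT` prefixed to the first one only. If `pwsh.exe` is in use in your environment, extending the `Image|endswith` clause to a list that also contains `'\pwsh.exe'` closes the gap shown by the third event.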
