Abusing PowerShell to Modify Defender Components
Looks for instances of PowerShell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Abusing PowerShell to Modify Defender Components
id: bb193057-4917-427f-887c-1d2615394935
status: experimental
description: Looks for instances of powershell being used to modify or degrade Windows
    Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/disable-or-modify-tools/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.t1562.001
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'Add-MpPreference'
    selection2:
        CommandLine|contains:
            - 'dll'
            - 'vbs'
            - 'zip'
            - '.bat'
            - 'iso'
    condition: selection and selection2
falsepositives:
    - Unknown
level: high
```
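To see what the rule's `selection and selection2` condition actually does, here is an added Python re-implementation of its matching logic run over constructed process_creation events; it is not part of the rule or the Sigma project, and the sample events are made up for the example. It follows the Sigma convention that string matching is case-insensitive unless the `cased` modifier is used, which is why an upper-cased `ADD-MPPREFERENCE` still matches.

```python
"""Evaluate the Sigma rule above against constructed process_creation events."""

# Values copied from the rule's detection section.
IMAGE_SUFFIX = r"\powershell.exe"
SELECTION_CMD = "Add-MpPreference"
SELECTION2_CMD = ["dll", "vbs", "zip", ".bat", "iso"]


def _endswith(value: str, suffix: str) -> bool:
    # Sigma string matching is case-insensitive by default (no |cased modifier).
    return value.lower().endswith(suffix.lower())


def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()


def rule_matches(event: dict) -> bool:
    """Return True when 'selection and selection2' holds for one event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection = _endswith(image, IMAGE_SUFFIX) and _contains(cmd, SELECTION_CMD)
    # A list under one field is an OR in Sigma: any listed substring satisfies it.
    # Short needles such as 'iso' or 'dll' match anywhere in the command line,
    # which is where this rule's false positives would come from.
    selection2 = any(_contains(cmd, s) for s in SELECTION2_CMD)
    return selection and selection2


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Add-MpPreference -ExclusionExtension .bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'POWERSHELL -Command "ADD-MPPREFERENCE -ExclusionPath C:\\Tools\\loader.dll"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Add-MpPreference -ExclusionProcess excel.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "Add-MpPreference -ExclusionExtension .zip"'},
]


def matching_indexes(events) -> list:
    """Indexes of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 2 is the case the rule deliberately leaves to its sibling rules: it touches Defender preferences but none of the listed file-type substrings, so `selection2` fails; event 3 fails `selection` because the image is not powershell.exe.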
Related rules
- Abusing PowerShell to Disable Defender Components
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Base64 Encoding in CMD or Powershell
- CMD Launching Batch Script Stored on External Drive (Chromeloader)
- Command Shell Obfuscated Commands