Abusing PowerShell to Modify Defender Components

Looks for instances of powershell.exe being used to modify or degrade Windows Defender functionality. Concretely, it fires on an Add-MpPreference invocation whose command line also contains a file-type term (dll, vbs, zip, .bat or iso), the pattern used to exclude a payload's extension or path from scanning. Inspired by the 2022 Red Canary Threat Detection report. Two properties worth knowing before deploying it: the Image match is on powershell.exe only, so the same command run under pwsh.exe (PowerShell 7) is not covered, and the file-type terms are bare substrings matched anywhere in the command line, so tuning for local admin tooling is expected.

Sigma rule

```yaml
title: Abusing PowerShell to Modify Defender Components
id: bb193057-4917-427f-887c-1d2615394935
status: experimental
description: Looks for instances of powershell being used to modify or degrade Windows
    Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/disable-or-modify-tools/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.t1562.001
    - attack.t1562.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'Add-MpPreference'
    selection2:
        CommandLine|contains:
            - 'dll'
            - 'vbs'
            - 'zip'
            - '.bat'
            - 'iso'
    condition: selection and selection2
falsepositives:
    - Unknown
level: high
```
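To see what the rule above does and does not catch, the following is an added example (not the rule author's code and not part of the Sigma project) that replays the rule's two selections over a handful of constructed process_creation events. It mirrors Sigma's default semantics, where `endswith` and `contains` are case-insensitive substring tests and the condition requires both selections. The events, image paths and command lines are constructed for illustration; the hypothetical helper names `matches_rule`, `matched_tokens` and `matching_indices` are this example's own.

```python
"""Replay the rule's selection logic over constructed process_creation events."""

# Constructed sample events (not real telemetry). Field names follow the
# Sysmon/Sigma process_creation schema the rule is written against.
SAMPLE_EVENTS = [
    {  # 0: extension exclusion for DLLs -> should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -c Add-MpPreference -ExclusionExtension dll",
    },
    {  # 1: path exclusion for a staged archive -> should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Temp\stage.zip"',
    },
    {  # 2: degrades Defender, but via Set-MpPreference -> outside this rule's scope
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    },
    {  # 3: Add-MpPreference without any listed file-type token -> no match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell Add-MpPreference -ExclusionProcess msbuild.exe",
    },
    {  # 4: same abuse from PowerShell 7 -> missed, Image is pwsh.exe
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh -c add-mppreference -exclusionextension iso",
    },
    {  # 5: path that merely contains 'iso' as a substring -> matches (noise)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell Add-MpPreference -ExclusionPath C:\Data\Advisory",
    },
]

# Values copied from the rule's detection block.
IMAGE_SUFFIX = r"\powershell.exe"
CMDLINE_TOKEN = "Add-MpPreference"
FILETYPE_TOKENS = ["dll", "vbs", "zip", ".bat", "iso"]


def matched_tokens(command_line: str) -> list[str]:
    """Return the selection2 tokens found in the command line (case-insensitive)."""
    lowered = command_line.lower()
    return [t for t in FILETYPE_TOKENS if t.lower() in lowered]


def matches_rule(event: dict) -> bool:
    """True when both 'selection' and 'selection2' hold for the event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    selection = image.endswith(IMAGE_SUFFIX.lower()) and CMDLINE_TOKEN.lower() in cmd
    selection2 = bool(matched_tokens(cmd))
    return selection and selection2


def matching_indices(events: list[dict]) -> list[int]:
    """Indices of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{i}] hit on {matched_tokens(ev['CommandLine'])}: {ev['CommandLine']}")
```

Events 0, 1 and 5 fire; 2, 3 and 4 do not. Event 4 is the gap the Image filter leaves for PowerShell 7 (adding `'\pwsh.exe'` to the `Image|endswith` list closes it), and event 5 shows that `iso` is satisfied by the word "Advisory", which is the sort of hit the `falsepositives: Unknown` entry is waiting to be filled in with.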
