Powershell MS Defender Tampering - ScriptBlockLogging
Detects PowerShell scripts attempting to disable MS Defender components using Set-MpPreference, as performed by the Vice Society ransomware gang. It also covers attempts to evade existing rules by feeding in a proxy value for $true, using a PowerShell boolean expression such as (0 -eq $false).
Sigma rule

```yaml
title: Powershell MS Defender Tampering - ScriptBlockLogging
id: 9e50b0e6-464b-4eb3-858c-690d2d51e812
related:
    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
      type: derived
status: experimental
description: Detects powershell scripts attempting to disable MS Defender components using Set-MpPreference as performed by Vice Society ransomware gang. This includes additional techniques to evade existing rules by feeding in a proxy value of $true using a powershell boolean expression like (0 -eq $false).
references:
    - https://www.educba.com/powershell-boolean/
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.t1562.001
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_options_disabling_preference:
        ScriptBlockText|contains|all:
            - 'Set-MpPreference'
            - '-DisableRealtimeMonitoring'
    filter:
        # the regex below will match on the typical ways by which people enable realtime monitoring
        ScriptBlockText|re: '.*Set-MpPreference.*Disable.*\s(\$false|0).*'
    condition: selection_options_disabling_preference and not filter
falsepositives:
    - Legitimate PowerShell scripts which need to disable MS Defender.
level: high
```
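To see what the rule's `selection and not filter` logic does on concrete ScriptBlockText values, here is an added Python evaluation of it over constructed samples (example code, not part of the rule or its repository). It assumes Sigma semantics of case-insensitive `contains` and case-sensitive `re`, and it shows that the rule's own filter regex also matches the `$false` inside `(0 -eq $false)`, so that form passes the filter as written; the `STRICT_FILTER_RE` shown beside it is an assumption of this example, not the published rule.

```python
import re

# Selection terms and filter regex copied from the rule above.
SELECTION_TERMS = ("Set-MpPreference", "-DisableRealtimeMonitoring")
FILTER_RE = re.compile(r".*Set-MpPreference.*Disable.*\s(\$false|0).*")

# Tightened filter (assumption of this example, not part of the rule): the
# benign value must directly follow the -Disable* parameter name, so a $false
# or 0 buried inside a boolean expression no longer suppresses the alert.
STRICT_FILTER_RE = re.compile(r"-Disable\w*[\s:]+(\$false|0)\b", re.IGNORECASE)


def matches_rule(script_block_text: str, strict: bool = False) -> bool:
    """Evaluate 'selection and not filter' for one ScriptBlockText value.

    Sigma 'contains' is case-insensitive while the 're' modifier is
    case-sensitive, so the two checks deliberately differ in case handling.
    """
    lowered = script_block_text.lower()
    selected = all(term.lower() in lowered for term in SELECTION_TERMS)
    if not selected:
        return False
    pattern = STRICT_FILTER_RE if strict else FILTER_RE
    return pattern.search(script_block_text) is None


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLES = {
    "enable":      "Set-MpPreference -DisableRealtimeMonitoring $false",
    "enable_zero": "Set-MpPreference -DisableRealtimeMonitoring 0",
    "disable":     "Set-MpPreference -DisableRealtimeMonitoring $true",
    "proxy_true":  "Set-MpPreference -DisableRealtimeMonitoring (0 -eq $false)",
    "unrelated":   "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
}


def evaluate(strict: bool = False) -> dict:
    """Return {sample name: rule fires?} for every sample."""
    return {name: matches_rule(text, strict) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for strict in (False, True):
        print("strict filter" if strict else "rule as written", evaluate(strict))
```

Running it shows `proxy_true` is suppressed by the filter as written and only fires with the tightened filter, while the literal `$false` and `0` cases stay filtered in both modes.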
Related rules
- Tampering of Windows Defender with Reg
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- Suspicious Registry Modification of MaxMpxCt Parameters
- Mshta Executing from Registry