Tamper Windows Defender - PSClassic

Detects PowerShell command lines recorded in the classic Windows PowerShell event log (Sigma category ps_classic_provider_start) that invoke Set-MpPreference to disable scheduled scanning, real-time monitoring, behaviour monitoring and other components of Microsoft Defender Antivirus, or that set a threat-severity default action to Allow. Both the full parameter names and their short aliases (e.g. -drtm for -DisableRealtimeMonitoring) are covered.

Sigma rule (View on GitHub)

title: Tamper Windows Defender - PSClassic
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
      type: similar
status: experimental
description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021/06/07
modified: 2023/10/27
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_classic_provider_start
detection:
    selection_set_mppreference:
        Data|contains: 'Set-MpPreference'
    selection_options_bool_allow:
        Data|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
            - '-dbm 1'
            - '-dips $true'
            - '-dips 1'
            - '-DisableArchiveScanning $true'
            - '-DisableArchiveScanning 1'
            - '-DisableBehaviorMonitoring $true'
            - '-DisableBehaviorMonitoring 1'
            - '-DisableBlockAtFirstSeen $true'
            - '-DisableBlockAtFirstSeen 1'
            - '-DisableIntrusionPreventionSystem $true'
            - '-DisableIntrusionPreventionSystem 1'
            - '-DisableIOAVProtection $true'
            - '-DisableIOAVProtection 1'
            - '-DisableRealtimeMonitoring $true'
            - '-DisableRealtimeMonitoring 1'
            - '-DisableRemovableDriveScanning $true'
            - '-DisableRemovableDriveScanning 1'
            - '-DisableScanningMappedNetworkDrivesForFullScan $true'
            - '-DisableScanningMappedNetworkDrivesForFullScan 1'
            - '-DisableScanningNetworkFiles $true'
            - '-DisableScanningNetworkFiles 1'
            - '-DisableScriptScanning $true'
            - '-DisableScriptScanning 1'
            - '-drdsc $true'
            - '-drdsc 1'
            - '-drtm $true'
            - '-drtm 1'
            - '-dscrptsc $true'
            - '-dscrptsc 1'
            - '-dsmndf $true'
            - '-dsmndf 1'
            - '-dsnf $true'
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
    selection_options_actions_func:
        Data|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
            - 'ltdefac Allow'
            - 'ModerateThreatDefaultAction Allow'
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
    condition: selection_set_mppreference and 1 of selection_options_*
falsepositives:
    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
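To see exactly what the rule above does and does not fire on, the following Python re-implements its detection logic (Sigma `contains` is a case-insensitive substring test; the lists inside a selection are OR-ed; the condition AND-s the Set-MpPreference selection with either options selection) and runs it over a handful of constructed Data values. This is an added example, not code from SigmaHQ or the rule authors; the sample events are made up to resemble the HostApplication portion of a classic Windows PowerShell log entry and are not real telemetry.

```python
"""Re-implement the 'Tamper Windows Defender - PSClassic' Sigma logic and run it over sample events."""

# Parameter names and aliases taken verbatim from the rule's selection lists.
DISABLE_SWITCHES = [
    "dbaf", "dbm", "dips",
    "DisableArchiveScanning", "DisableBehaviorMonitoring", "DisableBlockAtFirstSeen",
    "DisableIntrusionPreventionSystem", "DisableIOAVProtection", "DisableRealtimeMonitoring",
    "DisableRemovableDriveScanning", "DisableScanningMappedNetworkDrivesForFullScan",
    "DisableScanningNetworkFiles", "DisableScriptScanning",
    "drdsc", "drtm", "dscrptsc", "dsmndf", "dsnf", "dss",
]
ACTION_PARAMS = [
    "HighThreatDefaultAction", "htdefac", "LowThreatDefaultAction", "ltdefac",
    "ModerateThreatDefaultAction", "mtdefac", "SevereThreatDefaultAction", "stdefac",
]

SELECTION_SET_MPPREFERENCE = ["Set-MpPreference"]
# selection_options_bool_allow: every switch followed by ' $true' or ' 1' (38 strings, as in the rule)
SELECTION_OPTIONS_BOOL_ALLOW = [f"-{p} {v}" for p in DISABLE_SWITCHES for v in ("$true", "1")]
# selection_options_actions_func: every default-action parameter followed by ' Allow'
SELECTION_OPTIONS_ACTIONS_FUNC = [f"{p} Allow" for p in ACTION_PARAMS]


def sigma_contains(data: str, needles) -> bool:
    """Sigma `field|contains: [a, b, ...]` -> OR of case-insensitive substring tests."""
    haystack = data.lower()
    return any(n.lower() in haystack for n in needles)


def rule_matches(data: str) -> bool:
    """condition: selection_set_mppreference and 1 of selection_options_*"""
    return sigma_contains(data, SELECTION_SET_MPPREFERENCE) and (
        sigma_contains(data, SELECTION_OPTIONS_BOOL_ALLOW)
        or sigma_contains(data, SELECTION_OPTIONS_ACTIONS_FUNC)
    )


# Constructed sample Data values (not real telemetry), shaped like the HostApplication
# part of a classic Windows PowerShell log event.
SAMPLE_EVENTS = {
    "disable_rtm": "HostApplication=powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "aliases_lowercase": "HostApplication=powershell -c set-mppreference -drtm 1 -dbm 1",
    "default_action_allow": "HostApplication=powershell Set-MpPreference -SevereThreatDefaultAction Allow",
    "re_enable_rtm": "HostApplication=powershell Set-MpPreference -DisableRealtimeMonitoring $false",
    "read_only": "HostApplication=powershell Get-MpPreference",
    # ':' instead of a space between parameter and value: valid PowerShell, but no rule string contains it
    "colon_syntax": "HostApplication=powershell Set-MpPreference -DisableRealtimeMonitoring:$true",
}


def evaluate(events: dict) -> dict:
    """Return {event_name: matched?} for a batch of Data strings."""
    return {name: rule_matches(data) for name, data in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

Two things the run makes visible: because matching is case-insensitive, `set-mppreference -drtm 1` alerts just like the canonical spelling, and a value of `$false` (re-enabling protection) correctly does not alert. The last sample shows a coverage gap worth knowing about when tuning: every string in the rule expects a space between the parameter and its value, so the equally valid `-Parameter:$true` form is not matched; PowerShell also accepts any unambiguous prefix of a parameter name, which the fixed strings likewise do not cover.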
