Tamper Windows Defender - PSClassic

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Sigma rule

title: Tamper Windows Defender - PSClassic
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
      type: similar
status: experimental
description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021/06/07
modified: 2024/01/02
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_classic_provider_start
detection:
    selection_set_mppreference:
        Data|contains: 'Set-MpPreference'
    selection_options_bool_allow:
        Data|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
            - '-dbm 1'
            - '-dips $true'
            - '-dips 1'
            - '-DisableArchiveScanning $true'
            - '-DisableArchiveScanning 1'
            - '-DisableBehaviorMonitoring $true'
            - '-DisableBehaviorMonitoring 1'
            - '-DisableBlockAtFirstSeen $true'
            - '-DisableBlockAtFirstSeen 1'
            - '-DisableCatchupFullScan $true'
            - '-DisableCatchupFullScan 1'
            - '-DisableCatchupQuickScan $true'
            - '-DisableCatchupQuickScan 1'
            - '-DisableIntrusionPreventionSystem $true'
            - '-DisableIntrusionPreventionSystem 1'
            - '-DisableIOAVProtection $true'
            - '-DisableIOAVProtection 1'
            - '-DisableRealtimeMonitoring $true'
            - '-DisableRealtimeMonitoring 1'
            - '-DisableRemovableDriveScanning $true'
            - '-DisableRemovableDriveScanning 1'
            - '-DisableScanningMappedNetworkDrivesForFullScan $true'
            - '-DisableScanningMappedNetworkDrivesForFullScan 1'
            - '-DisableScanningNetworkFiles $true'
            - '-DisableScanningNetworkFiles 1'
            - '-DisableScriptScanning $true'
            - '-DisableScriptScanning 1'
            - '-MAPSReporting $false'
            - '-MAPSReporting 0'
            - '-drdsc $true'
            - '-drdsc 1'
            - '-drtm $true'
            - '-drtm 1'
            - '-dscrptsc $true'
            - '-dscrptsc 1'
            - '-dsmndf $true'
            - '-dsmndf 1'
            - '-dsnf $true'
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
    selection_options_actions_func:
        Data|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
            - 'ltdefac Allow'
            - 'ModerateThreatDefaultAction Allow'
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
    condition: selection_set_mppreference and 1 of selection_options_*
falsepositives:
    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high

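The rule's matching logic applied to a handful of PowerShell classic-provider event `Data` fields, as an added example that is not part of the SigmaHQ rule or its tooling. It reproduces what a Sigma backend does with this rule: the `contains` modifier is a case-insensitive substring test, and the condition requires the `Set-MpPreference` selection plus at least one of the two `selection_options_*` selections. The event strings and the helper names (`contains`, `matched_selections`, `matches`, `evaluate`) are constructed for this illustration; the option and action strings are copied from the rule above.

```python
"""Evaluate the 'Tamper Windows Defender - PSClassic' Sigma rule against
constructed PowerShell classic-provider Data fields (the log category
ps_classic_provider_start). Added example; not SigmaHQ code."""

# Copied from the rule: selection_set_mppreference
SET_MPPREFERENCE = "Set-MpPreference"

# Copied from the rule: every parameter in selection_options_bool_allow that is
# matched with '$true' and '1' (full names and their PowerShell aliases).
DISABLE_PARAMS = [
    "dbaf", "dbm", "dips",
    "DisableArchiveScanning", "DisableBehaviorMonitoring",
    "DisableBlockAtFirstSeen", "DisableCatchupFullScan",
    "DisableCatchupQuickScan", "DisableIntrusionPreventionSystem",
    "DisableIOAVProtection", "DisableRealtimeMonitoring",
    "DisableRemovableDriveScanning",
    "DisableScanningMappedNetworkDrivesForFullScan",
    "DisableScanningNetworkFiles", "DisableScriptScanning",
    "drdsc", "drtm", "dscrptsc", "dsmndf", "dsnf", "dss",
]
# MAPSReporting is the one option the rule matches on '$false' / '0' instead.
BOOL_ALLOW = [f"-{p} {v}" for p in DISABLE_PARAMS for v in ("$true", "1")] + [
    "-MAPSReporting $false", "-MAPSReporting 0",
]

# Copied from the rule: selection_options_actions_func
ACTION_PARAMS = [
    "HighThreatDefaultAction", "htdefac", "LowThreatDefaultAction", "ltdefac",
    "ModerateThreatDefaultAction", "mtdefac", "SevereThreatDefaultAction", "stdefac",
]
ACTIONS_ALLOW = [f"{p} Allow" for p in ACTION_PARAMS]


def contains(data: str, needle: str) -> bool:
    """Sigma's default 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in data.lower()


def matched_selections(data: str) -> set[str]:
    """Return the names of the rule's selections satisfied by this Data field."""
    hit = set()
    if contains(data, SET_MPPREFERENCE):
        hit.add("selection_set_mppreference")
    if any(contains(data, n) for n in BOOL_ALLOW):
        hit.add("selection_options_bool_allow")
    if any(contains(data, n) for n in ACTIONS_ALLOW):
        hit.add("selection_options_actions_func")
    return hit


def matches(data: str) -> bool:
    """condition: selection_set_mppreference and 1 of selection_options_*"""
    hit = matched_selections(data)
    return "selection_set_mppreference" in hit and any(
        s.startswith("selection_options_") for s in hit
    )


# Constructed sample Data fields (shape of the classic provider's HostApplication text).
SAMPLE_EVENTS = [
    # Full parameter name: matches via selection_options_bool_allow.
    "HostApplication=powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
    # Alias and lowercase cmdlet: still matches because 'contains' ignores case.
    "HostApplication=powershell.exe set-mppreference -drtm 1",
    # Default-action tampering: matches via selection_options_actions_func.
    "HostApplication=powershell.exe Set-MpPreference -HighThreatDefaultAction Allow",
    # Re-enabling protection: Set-MpPreference present but no listed option string.
    "HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false",
    # Option string without Set-MpPreference: the 'and' in the condition fails.
    "HostApplication=powershell.exe Get-Content notes.txt # -DisableRealtimeMonitoring $true",
]


def evaluate(events):
    """Pair each Data field with the rule's verdict."""
    return [(e, matches(e)) for e in events]


if __name__ == "__main__":
    for event, verdict in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if verdict else 'ignore'}  {event}")
        if verdict:
            print("        selections:", ", ".join(sorted(matched_selections(event))))
```

The last two samples are the reason the condition is an `and`: an option string on its own, or `Set-MpPreference` on its own, does not fire. The rule's `falsepositives` entry follows directly from this logic, since an administrator's troubleshooting script produces the same `Data` text as a tampering attempt and will raise the same high-level alert, which is why it says the match must be investigated rather than suppressed.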