Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Sigma rule

```yaml
title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
      type: derived
status: test
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-16
modified: 2024-01-02
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_options_disabling_preference:
        ScriptBlockText|contains: 'Set-MpPreference'
    selection_options_disabling_function:
        ScriptBlockText|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
            - '-dbm 1'
            - '-dips $true'
            - '-dips 1'
            - '-DisableArchiveScanning $true'
            - '-DisableArchiveScanning 1'
            - '-DisableBehaviorMonitoring $true'
            - '-DisableBehaviorMonitoring 1'
            - '-DisableBlockAtFirstSeen $true'
            - '-DisableBlockAtFirstSeen 1'
            - '-DisableCatchupFullScan $true'
            - '-DisableCatchupFullScan 1'
            - '-DisableCatchupQuickScan $true'
            - '-DisableCatchupQuickScan 1'
            - '-DisableIntrusionPreventionSystem $true'
            - '-DisableIntrusionPreventionSystem 1'
            - '-DisableIOAVProtection $true'
            - '-DisableIOAVProtection 1'
            - '-DisableRealtimeMonitoring $true'
            - '-DisableRealtimeMonitoring 1'
            - '-DisableRemovableDriveScanning $true'
            - '-DisableRemovableDriveScanning 1'
            - '-DisableScanningMappedNetworkDrivesForFullScan $true'
            - '-DisableScanningMappedNetworkDrivesForFullScan 1'
            - '-DisableScanningNetworkFiles $true'
            - '-DisableScanningNetworkFiles 1'
            - '-DisableScriptScanning $true'
            - '-DisableScriptScanning 1'
            - '-MAPSReporting $false'
            - '-MAPSReporting 0'
            - '-drdsc $true'
            - '-drdsc 1'
            - '-drtm $true'
            - '-drtm 1'
            - '-dscrptsc $true'
            - '-dscrptsc 1'
            - '-dsmndf $true'
            - '-dsmndf 1'
            - '-dsnf $true'
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
    selection_other_default_actions_allow:
        ScriptBlockText|contains: 'Set-MpPreference'
    selection_other_default_actions_func:
        ScriptBlockText|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
            - 'ltdefac Allow'
            - 'ModerateThreatDefaultAction Allow'
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
    condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
```
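As an added example (not code from the Sigma rule or the Sigma project), the following Python re-implements the rule's detection logic so it can be run against constructed ScriptBlockText samples; the sample script blocks and the function names are assumptions made for this example. Sigma's `contains` modifier is a case-insensitive substring test, which the matcher reproduces, and both `all of` groups require the `Set-MpPreference` cmdlet string as well as one of the listed parameter values.

```python
from typing import Dict, Optional

# Parameter names from the rule; each yields the '-<name> $true' and '-<name> 1' forms.
_DISABLE_FLAGS = [
    "dbaf", "dbm", "dips", "DisableArchiveScanning", "DisableBehaviorMonitoring",
    "DisableBlockAtFirstSeen", "DisableCatchupFullScan", "DisableCatchupQuickScan",
    "DisableIntrusionPreventionSystem", "DisableIOAVProtection",
    "DisableRealtimeMonitoring", "DisableRemovableDriveScanning",
    "DisableScanningMappedNetworkDrivesForFullScan", "DisableScanningNetworkFiles",
    "DisableScriptScanning", "drdsc", "drtm", "dscrptsc", "dsmndf", "dsnf", "dss",
]
SELECTION_DISABLING_FUNCTION = (
    [f"-{f} $true" for f in _DISABLE_FLAGS] + [f"-{f} 1" for f in _DISABLE_FLAGS]
    + ["-MAPSReporting $false", "-MAPSReporting 0"]
)
SELECTION_DEFAULT_ACTIONS = [f"{p} Allow" for p in (
    "HighThreatDefaultAction", "htdefac", "LowThreatDefaultAction", "ltdefac",
    "ModerateThreatDefaultAction", "mtdefac", "SevereThreatDefaultAction", "stdefac",
)]

def _contains_any(text: str, needles) -> Optional[str]:
    """Sigma's |contains is a case-insensitive substring test; return the first hit."""
    low = text.lower()
    return next((n for n in needles if n.lower() in low), None)

def match_defender_tamper(script_block_text: str) -> Optional[str]:
    """Evaluate the rule condition on one ScriptBlockText value.
    Returns the name of the selection group that fired, or None."""
    # Both 'all of' groups require the Set-MpPreference cmdlet itself.
    if _contains_any(script_block_text, ["Set-MpPreference"]) is None:
        return None
    if _contains_any(script_block_text, SELECTION_DISABLING_FUNCTION):
        return "selection_options_disabling"
    if _contains_any(script_block_text, SELECTION_DEFAULT_ACTIONS):
        return "selection_other_default_actions"
    return None

# Constructed sample 4104 script blocks (not real telemetry).
SAMPLES: Dict[str, str] = {
    "rt_off": "Set-MpPreference -DisableRealtimeMonitoring $true",
    "alias":  "set-mppreference -drtm 1 -dscrptsc 1",
    "allow":  "Set-MpPreference -SevereThreatDefaultAction Allow",
    "benign": "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "sched":  "Set-MpPreference -ScanScheduleDay Everyday",
}

def scan(samples: Dict[str, str] = SAMPLES) -> Dict[str, Optional[str]]:
    """Run the rule over every sample; maps sample name -> selection that fired."""
    return {name: match_defender_tamper(text) for name, text in samples.items()}
```

The "sched" sample shows why the rule is a conjunction: a `Set-MpPreference` call that changes a schedule but sets none of the listed values does not fire, which keeps routine configuration out of the alert stream.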
Related rules
- Tamper Windows Defender - PSClassic
- Disable Windows Defender Functionalities Via Registry Keys
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process
- Suspicious Path In Keyboard Layout IME File Registry Value