PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'

 1title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
 2id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
 3related:
 4    - id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
 5      type: similar
 6status: experimental
 7description: |
 8    Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
 9    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
10    An attacker might use this technique via the command line to bypass defenses before executing payloads.    
11references:
12    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
13    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
14    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
15    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
16    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
17author: 'Matt Anderson (Huntress)'
18date: 2025-07-11
19tags:
20    - attack.defense-evasion
21    - attack.t1562.001
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_cmdlet:
27        CommandLine|contains: 'Set-MpPreference'
28    selection_action:
29        CommandLine|contains:
30            - '-LowThreatDefaultAction'
31            - '-ModerateThreatDefaultAction'
32            - '-HighThreatDefaultAction'
33            - '-SevereThreatDefaultAction'
34            - '-ltdefac '
35            - '-mtdefac '
36            - '-htdefac '
37            - '-stdefac '
38    selection_value:
39        CommandLine|contains:
40            - 'Allow'
41            - '6'
42            - 'NoAction'
43            - '9'
44    condition: all of selection_*
45falsepositives:
46    - Highly unlikely
47level: high

References

• Set-MpPreference (Defender)

  

  The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates.

  
  Read More

• ThreatSeverityDefaultAction

  

  ThreatSeverityDefaultAction

  
  Read More

• https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952

  
  Read More

• quick-disable-windows-defender.bat

  

  GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

• IcedID to XingLocker Ransomware in 24 hours

  

  Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…

  
  Read More

Related rules

• Disabling Windows Defender WMI Autologger Session via Reg.exe
• Windows Defender Context Menu Removed
• Windows Defender Threat Severity Default Action Modified
• Antivirus Filter Driver Disallowed On Dev Drive - Registry
• Disable ASLR Via Personality Syscall - Linux