Powershell Base64 Encoded MpPreference Cmdlet

Detects base64-encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV

Sigma rule

title: Powershell Base64 Encoded MpPreference Cmdlet
id: c6fb44c6-71f5-49e6-9462-1425d328aee3
status: test
description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
references:
    - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2022/03/04
modified: 2023/01/30
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|base64offset|contains:
              - 'Add-MpPreference '
              - 'Set-MpPreference '
              - 'add-mppreference '
              - 'set-mppreference '
        - CommandLine|contains:
              # UTF16-LE
              - 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
              - 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
              - 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
              - 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
              - 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
              - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
    condition: selection
falsepositives:
    - Unknown
level: high
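The rule has two selections that look for the same four cmdlet spellings: the first lets the Sigma `base64offset` modifier expand the UTF-8 form, the second carries hand-computed UTF-16LE variants (the encoding PowerShell's `-EncodedCommand` actually uses, so those are the ones that fire on `-enc` command lines). The Python below is an added example, not code from the rule or from the Sigma project: it re-implements the `base64offset` expansion (three variants, one per 3-byte alignment, with the alignment-dependent leading and trailing characters stripped), checks that the twelve UTF-16LE strings in the rule are exactly that expansion of the four spellings, and runs the resulting substring test over a few constructed command lines. The `encoded_powershell` helper, the `SAMPLE_EVENTS` list and the exclusion arguments in them are constructed for this example; `-ExclusionPath` and `-ExclusionProcess` are documented parameters of the MpPreference cmdlets (see the Microsoft reference the rule cites).

```python
from __future__ import annotations

import base64

# The four cmdlet spellings the rule keys on (copied from its base64offset selection).
CMDLET_STRINGS = [
    "Add-MpPreference ",
    "Set-MpPreference ",
    "add-mppreference ",
    "set-mppreference ",
]

# The hand-computed UTF-16LE strings from the rule's second selection, copied verbatim.
RULE_UTF16_STRINGS = [
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA",
    "EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA",
    "BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA",
    "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA",
    "MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA",
    "TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA",
    "YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA",
    "EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA",
    "hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA",
    "cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA",
    "MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA",
    "zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA",
]


def base64_offsets(plain: str, encoding: str = "utf-8") -> list[str]:
    """Return the three base64 substrings that match `plain` at any 3-byte alignment
    inside a larger base64 blob; this re-implements what Sigma's base64offset
    modifier expands a value to. `encoding` selects the bytes that get encoded."""
    raw = plain.encode(encoding)
    variants = []
    for shift in range(3):
        # Prepend `shift` dummy bytes so the string sits at each possible alignment.
        padded = b"\x00" * shift + raw
        enc = base64.b64encode(padded).decode("ascii")
        # Leading characters that encode (or share bits with) the dummy bytes are
        # dropped: 0, 2 or 3 characters for shifts 0, 1, 2.
        start = (0, 2, 3)[shift]
        # Trailing characters whose bits are shared with whatever byte follows the
        # string are dropped too, depending on how full the last 3-byte group is.
        end = (None, -3, -2)[len(padded) % 3]
        variants.append(enc[start:end])
    return variants


def rule_utf16_strings_are_consistent() -> bool:
    """Check that the rule's hand-written UTF-16LE list is exactly the offset
    expansion of the four cmdlet spellings (order-insensitive)."""
    computed = {v for s in CMDLET_STRINGS for v in base64_offsets(s, "utf-16-le")}
    return computed == set(RULE_UTF16_STRINGS)


# Everything the rule's `contains` tests look for: UTF-8 expansion plus the UTF-16LE list.
PATTERNS = [v for s in CMDLET_STRINGS for v in base64_offsets(s, "utf-8")] + RULE_UTF16_STRINGS


def matches(command_line: str) -> bool:
    """Sigma `contains` on CommandLine. Sigma matching is case-insensitive by default,
    so compare lower-cased; the lowercase cmdlet spellings are still needed because
    changing the plaintext case changes the base64 characters, not just their case."""
    cl = command_line.lower()
    return any(p.lower() in cl for p in PATTERNS)


def encoded_powershell(script: str) -> str:
    """Constructed helper: build a `powershell -enc` command line. -EncodedCommand
    expects base64 of the UTF-16LE script, which is why the rule carries UTF-16LE variants."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -enc {b64}"


# Constructed process_creation CommandLine values (not real telemetry).
SAMPLE_EVENTS = [
    # cmdlet at the very start of the script: the shift-0 variant should hit
    encoded_powershell("Set-MpPreference -ExclusionPath 'C:\\Constructed\\Example'"),
    # cmdlet preceded by other code, so it lands at a different alignment: another variant hits
    encoded_powershell("$x = 1; Add-MpPreference -ExclusionProcess 'example.exe'"),
    # benign encoded command: no hit
    encoded_powershell("Get-Date | Out-File 'C:\\Constructed\\date.txt'"),
    # unencoded cmdlet: outside this rule's scope, no hit
    "powershell.exe Get-MpPreference",
]


def scan(events: list[str]) -> list[bool]:
    """Apply the rule's logic to each CommandLine and report which ones fire."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    print("rule strings consistent:", rule_utf16_strings_are_consistent())
    for event, hit in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", event[:60])
```

Two points worth taking from running it. First, the consistency check passes, so the twelve literal strings are not arbitrary: they are what `base64offset` would have produced had it been combined with a UTF-16LE modifier, and regenerating them this way is safer than editing them by hand when the cmdlet list changes. Second, the second sample fires even though the cmdlet does not start the script, which is the whole reason three variants per string exist; a single base64 literal would only catch one of the three alignments.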
