Powershell Defender Disable Scan Feature

Detects requests to disable Microsoft Defender features using PowerShell commands

Sigma rule

title: Powershell Defender Disable Scan Feature
id: 1ec65a5f-9473-4f12-97da-622044d6df21
status: test
description: Detects requests to disable Microsoft Defender features using PowerShell commands
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
    - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
author: Florian Roth (Nextron Systems)
date: 2022-03-03
modified: 2024-01-02
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_cmdlet:
        CommandLine|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    selection_cli_option:
        CommandLine|contains:
            - 'DisableArchiveScanning '
            - 'DisableRealtimeMonitoring '
            - 'DisableIOAVProtection '
            - 'DisableBehaviorMonitoring '
            - 'DisableBlockAtFirstSeen '
            - 'DisableCatchupFullScan '
            - 'DisableCatchupQuickScan '
    selection_cli_value:
        CommandLine|contains:
            - '$true'
            - ' 1 '
    selection_encoded_modifier:
        CommandLine|base64offset|contains:
            # Note: Since this is calculating offsets casing is important
            - 'disablearchivescanning '
            - 'DisableArchiveScanning '
            - 'disablebehaviormonitoring '
            - 'DisableBehaviorMonitoring '
            - 'disableblockatfirstseen '
            - 'DisableBlockAtFirstSeen '
            - 'disablecatchupfullscan '
            - 'DisableCatchupFullScan '
            - 'disablecatchupquickscan '
            - 'DisableCatchupQuickScan '
            - 'disableioavprotection '
            - 'DisableIOAVProtection '
            - 'disablerealtimemonitoring '
            - 'DisableRealtimeMonitoring '
    selection_encoded_direct:
        CommandLine|contains:
            - 'RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
            - 'QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA'
            - 'EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA'
            - 'RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA'
            - 'QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA'
            - 'EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA'
            - 'ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
            - 'QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA'
            - 'kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA'
            - 'ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA'
            - 'QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA'
            - 'kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA'
            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA'
            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA'
            - 'RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA'
    condition: all of selection_cli_* or 1 of selection_encoded_*
falsepositives:
    - Possible administrative activity
    - Other Cmdlets that may use the same parameters
level: high
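The rule combines three detection paths: a plain-text match (cmdlet, option and value must all be present), a `base64offset` match on the option names, and a literal list of base64 fragments. Two details matter when reading it. Plain Sigma `contains` matching is case-insensitive, but `base64offset` is not, which is why the modifier list carries both spellings. And `base64offset` without a preceding `utf16le` modifier encodes the UTF-8 bytes of the string, so it catches scripts decoded with `[Convert]::FromBase64String` of ASCII text, while `-EncodedCommand` carries base64 of UTF-16LE, which only the literal `selection_encoded_direct` fragments cover. The following Python re-implementation of that logic is an added example and not part of the Sigma rule or the SigmaHQ project; it assumes the `base64offset` semantics of pySigma (three alignments, ambiguous leading and trailing characters stripped), regenerates the UTF-16LE fragments for every option at every alignment rather than copying the rule's literal list, and runs over constructed command lines rather than real events.

```python
import base64

# Literals copied from the rule's selection lists (trailing spaces are part of them).
CMDLETS = ("Add-MpPreference ", "Set-MpPreference ")
OPTIONS = (
    "DisableArchiveScanning ",
    "DisableRealtimeMonitoring ",
    "DisableIOAVProtection ",
    "DisableBehaviorMonitoring ",
    "DisableBlockAtFirstSeen ",
    "DisableCatchupFullScan ",
    "DisableCatchupQuickScan ",
)
VALUES = ("$true", " 1 ")
# base64offset is case-sensitive, so both spellings from the rule are regenerated here.
CASED_OPTIONS = tuple(s for opt in OPTIONS for s in (opt.lower(), opt))


def base64offset_variants(raw: bytes) -> list[str]:
    """The three base64 encodings a byte string can have depending on where it
    falls in the 3-byte input groups, with alignment-dependent characters removed
    (same scheme as pySigma's base64offset modifier, assumed here)."""
    start = (0, 2, 3)        # leading chars polluted by 0/1/2 bytes of padding
    end = (None, -3, -2)     # trailing chars polluted, indexed by len(padded) % 3
    variants = []
    for i in range(3):
        padded = b" " * i + raw
        encoded = base64.b64encode(padded).decode("ascii")
        variants.append(encoded[start[i]:end[len(padded) % 3]])
    return variants


def evaluate(cmdline: str) -> dict[str, bool]:
    """Evaluate the rule's three selection groups against one CommandLine value."""
    lowered = cmdline.lower()  # plain Sigma `contains` is case-insensitive
    cli = (any(c.lower() in lowered for c in CMDLETS)
           and any(o.lower() in lowered for o in OPTIONS)
           and any(v.lower() in lowered for v in VALUES))
    # selection_encoded_modifier: UTF-8 bytes of the option name, any alignment
    encoded_modifier = any(frag in cmdline for opt in CASED_OPTIONS
                           for frag in base64offset_variants(opt.encode("utf-8")))
    # selection_encoded_direct: UTF-16LE bytes, which is what -EncodedCommand carries
    encoded_direct = any(frag in cmdline for opt in CASED_OPTIONS
                         for frag in base64offset_variants(opt.encode("utf-16-le")))
    return {"selection_cli": cli,
            "selection_encoded_modifier": encoded_modifier,
            "selection_encoded_direct": encoded_direct}


def matches(cmdline: str) -> bool:
    """condition: all of selection_cli_* or 1 of selection_encoded_*"""
    r = evaluate(cmdline)
    return r["selection_cli"] or r["selection_encoded_modifier"] or r["selection_encoded_direct"]


def encoded_command(script: str) -> str:
    """Argument format of powershell -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def ascii_b64(script: str) -> str:
    """Base64 of the ASCII script, as consumed by [Convert]::FromBase64String."""
    return base64.b64encode(script.encode("ascii")).decode("ascii")


# Constructed sample process_creation command lines; not taken from any real event.
SAMPLES = {
    "plain": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "plain_lowercase": "powershell.exe set-mppreference -disableioavprotection 1 -disablearchivescanning 1",
    "encoded_command": "powershell.exe -nop -w hidden -EncodedCommand "
                       + encoded_command("Set-MpPreference -DisableBehaviorMonitoring $true"),
    "frombase64_ascii": 'powershell.exe -c "iex([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String(\''
                        + ascii_b64("Set-MpPreference -DisableBlockAtFirstSeen $true") + "')))\"",
    "benign_query": "powershell.exe Get-MpPreference",
    "benign_disable_false": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false",
    # Known gap: the rule's option literals end in a space, so the -Param:$value form is missed.
    "colon_syntax": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring:$true",
}

if __name__ == "__main__":
    for name, cmdline in SAMPLES.items():
        print(f"{name:22} match={matches(cmdline)!s:5} {evaluate(cmdline)}")
```

Running the block shows the plain and lower-case command lines firing on `selection_cli`, the `-EncodedCommand` sample firing only on `selection_encoded_direct`, the `FromBase64String` sample firing only on `selection_encoded_modifier`, and the two benign lines staying quiet. The last sample illustrates why the trailing-space literals are a trade-off: they suppress matches on unrelated parameters that merely start with the same name, at the cost of the `-Parameter:$true` spelling.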
