Disable Windows Defender AV Security Monitoring
Detects attempts to disable Windows Defender, either through PowerShell command-line switches that turn off monitoring or by stopping, deleting or disabling the WinDefend service with sc.exe
Sigma rule (View on GitHub)
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
    - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
    - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh_binary:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - '-DisableBehaviorMonitoring $true'
            - '-DisableRuntimeMonitoring $true'
    selection_sc_binary:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sc_tamper_cmd_stop:
        CommandLine|contains|all:
            - 'stop'
            - 'WinDefend'
    selection_sc_tamper_cmd_delete:
        CommandLine|contains|all:
            - 'delete'
            - 'WinDefend'
    selection_sc_tamper_cmd_disabled:
        CommandLine|contains|all:
            - 'config'
            - 'WinDefend'
            - 'start=disabled'
    condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
    - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
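As an added example (not SigmaHQ code and not a Sigma backend), the Python below hand-codes the selections and condition of this rule and runs them over constructed process_creation events, so the boolean structure of the condition can be exercised offline. Field names follow the Sigma process_creation fields the rule uses (Image, OriginalFileName, CommandLine); Sigma's string modifiers are case-insensitive by default, which the helper mirrors by lower-casing both sides. The events are constructed for this example, not captured telemetry.

```python
"""Hand-coded evaluator for the 'Disable Windows Defender AV Security
Monitoring' Sigma rule, run over constructed process_creation events.

Added example only: this is not SigmaHQ code and not a Sigma backend. It
reproduces the rule's selections and condition literally, with Sigma's default
case-insensitive string matching, so the condition logic can be checked
offline. The events below are constructed for this example, not captured logs."""


def _ci(value):
    """Sigma string modifiers are case-insensitive by default: fold both sides."""
    return (value or "").lower()


def selection_pwsh_binary(ev):
    # A list of maps in Sigma is OR-ed: Image endswith ... OR OriginalFileName in ...
    image = _ci(ev.get("Image"))
    original = _ci(ev.get("OriginalFileName"))
    return image.endswith(("\\powershell.exe", "\\pwsh.exe")) or original in ("powershell.exe", "pwsh.dll")


def selection_pwsh_cli(ev):
    # CommandLine|contains with a list of values: any single value matching is enough
    cmdline = _ci(ev.get("CommandLine"))
    return any(token in cmdline for token in ("-disablebehaviormonitoring $true",
                                              "-disableruntimemonitoring $true"))


def selection_sc_binary(ev):
    return _ci(ev.get("Image")).endswith("\\sc.exe") or _ci(ev.get("OriginalFileName")) == "sc.exe"


# selection_sc_tamper_cmd_*: CommandLine|contains|all, every token must be present
SC_TAMPER = {
    "selection_sc_tamper_cmd_stop": ("stop", "windefend"),
    "selection_sc_tamper_cmd_delete": ("delete", "windefend"),
    "selection_sc_tamper_cmd_disabled": ("config", "windefend", "start=disabled"),
}


def sc_tamper_hits(ev):
    """Names of the sc tamper selections whose tokens all appear in the command line."""
    cmdline = _ci(ev.get("CommandLine"))
    return [name for name, tokens in SC_TAMPER.items() if all(t in cmdline for t in tokens)]


def evaluate(ev):
    """condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)"""
    pwsh_branch = selection_pwsh_binary(ev) and selection_pwsh_cli(ev)
    sc_branch = selection_sc_binary(ev) and len(sc_tamper_hits(ev)) >= 1
    return bool(pwsh_branch or sc_branch)


# Constructed process_creation events using Sigma field names; not real telemetry.
EVENTS = [
    {"id": "pwsh_behavior_monitoring",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true"},
    {"id": "pwsh7_mixed_case",          # PowerShell 7, odd casing on the switch
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh -c Set-MpPreference -DISABLEBEHAVIORMONITORING $TRUE"},
    {"id": "pwsh_realtime_monitoring",  # switch name not in the rule's list
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": "sc_stop",
     "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc stop WinDefend"},
    {"id": "cmd_parent_of_sc_stop",     # the cmd.exe event itself is not an sc.exe image
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c "sc stop WinDefend"'},
    {"id": "sc_config_with_space",      # sc.exe's documented form: space after '='
     "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc config WinDefend start= disabled"},
    {"id": "sc_config_no_space",
     "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc config WinDefend start=disabled"},
    {"id": "sc_query_benign",
     "Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc query WinDefend"},
]


def run(events=EVENTS):
    """Map each event id to whether the rule's condition fires on it."""
    return {ev["id"]: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for event_id, fired in run().items():
        print(f"{'ALERT' if fired else 'quiet'}  {event_id}")
```

Three of the quiet events are worth noting when tuning. The rule's PowerShell strings are '-DisableBehaviorMonitoring $true' and '-DisableRuntimeMonitoring $true'; the documented Set-MpPreference switch for real-time protection is -DisableRealtimeMonitoring, so that command line, like any form that passes 1 instead of $true, produces no hit. The third sc.exe selection requires the literal 'start=disabled', while sc.exe's documented syntax puts a space after the equals sign (start= disabled), so the command exactly as it is normally typed does not match. And because each branch is gated on the executing image, the cmd.exe parent that launches sc stop WinDefend does not match on its own; the child sc.exe process_creation event does.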
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility