Disable Windows Defender AV Security Monitoring

Detects attackers attempting to disable Windows Defender using PowerShell

Sigma rule

title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
    - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
    - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020/10/12
modified: 2022/11/18
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh_binary:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - '-DisableBehaviorMonitoring $true'
            - '-DisableRuntimeMonitoring $true'
    selection_sc_binary:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sc_tamper_cmd_stop:
        CommandLine|contains|all:
            - 'stop'
            - 'WinDefend'
    selection_sc_tamper_cmd_delete:
        CommandLine|contains|all:
            - 'delete'
            - 'WinDefend'
    selection_sc_tamper_cmd_disabled:
        CommandLine|contains|all:
            - 'config'
            - 'WinDefend'
            - 'start=disabled'
    condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
    - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
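To see how the condition resolves against process_creation events, the following is an added example, not part of this page or of the SigmaHQ project: it hand-codes this rule's selections in Python and runs them over constructed events. The field names (Image, OriginalFileName, CommandLine) follow the Sigma process_creation log source; the command lines in the sample events are made up for the test, and the evaluator covers only this rule, not Sigma in general.

```python
"""Hand-coded evaluator for the 'Disable Windows Defender AV Security
Monitoring' Sigma rule, run over constructed process_creation events.

Added example: not part of the rule page or the SigmaHQ project, and not a
general Sigma engine. Sigma string modifiers (contains, endswith, plain
equality) are case-insensitive, so every comparison lowercases both sides.
"""
from typing import Callable, Dict, List

Event = Dict[str, str]


def _field(event: Event, name: str) -> str:
    # Missing fields compare as empty strings rather than raising.
    return (event.get(name) or "").lower()


def _endswith_any(event: Event, field: str, suffixes: List[str]) -> bool:
    value = _field(event, field)
    return any(value.endswith(s.lower()) for s in suffixes)


def _equals_any(event: Event, field: str, values: List[str]) -> bool:
    value = _field(event, field)
    return any(value == v.lower() for v in values)


def _contains_any(event: Event, field: str, needles: List[str]) -> bool:
    value = _field(event, field)
    return any(n.lower() in value for n in needles)


def _contains_all(event: Event, field: str, needles: List[str]) -> bool:
    value = _field(event, field)
    return all(n.lower() in value for n in needles)


# A selection written as a YAML list of maps is an OR across the maps, so a
# renamed binary is still caught through OriginalFileName from the PE header.
def selection_pwsh_binary(e: Event) -> bool:
    return (_endswith_any(e, "Image", ["\\powershell.exe", "\\pwsh.exe"])
            or _equals_any(e, "OriginalFileName", ["PowerShell.EXE", "pwsh.dll"]))


def selection_pwsh_cli(e: Event) -> bool:
    return _contains_any(e, "CommandLine", [
        "-DisableBehaviorMonitoring $true",
        "-DisableRuntimeMonitoring $true",
    ])


def selection_sc_binary(e: Event) -> bool:
    return (_endswith_any(e, "Image", ["\\sc.exe"])
            or _equals_any(e, "OriginalFileName", ["sc.exe"]))


# contains|all: every token must appear somewhere in the field, in any order.
SC_TAMPER_SELECTIONS: List[Callable[[Event], bool]] = [
    lambda e: _contains_all(e, "CommandLine", ["stop", "WinDefend"]),
    lambda e: _contains_all(e, "CommandLine", ["delete", "WinDefend"]),
    lambda e: _contains_all(e, "CommandLine", ["config", "WinDefend", "start=disabled"]),
]


def rule_matches(e: Event) -> bool:
    """condition: all of selection_pwsh_* or
                  (selection_sc_binary and 1 of selection_sc_tamper_*)"""
    pwsh_hit = selection_pwsh_binary(e) and selection_pwsh_cli(e)
    sc_hit = selection_sc_binary(e) and any(sel(e) for sel in SC_TAMPER_SELECTIONS)
    return pwsh_hit or sc_hit


# Constructed sample events, not real telemetry. Expected: 4 hits, then 3 misses.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Set-MpPreference -DisableBehaviorMonitoring $true"},
    # Renamed copy: the Image check misses, OriginalFileName still matches.
    {"Image": r"C:\Users\Public\updater.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "updater.exe -Command Set-MpPreference -DisableRuntimeMonitoring $true"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe config WinDefend start=disabled"},
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc  stop  WinDefend"},
    # Benign service query: the sc binary alone is not enough to alert.
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query WinDefend"},
    # Reading preferences does not satisfy selection_pwsh_cli.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -Command Get-MpPreference"},
    # The rule keys on the sc.exe process itself; the cmd.exe parent event does
    # not match, the sc.exe child process event it spawns would.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c sc stop WinDefend"},
]


def evaluate(events: List[Event]) -> List[bool]:
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT' if hit else '  ok '}  {event['CommandLine']}")
```

The two branches of the condition are independent: the PowerShell branch needs both the binary and the `-Disable...Monitoring $true` argument, while the sc.exe branch needs the binary plus any one of the three tamper patterns. Lowercasing both sides reproduces Sigma's default case-insensitive string matching; a backend that emitted case-sensitive queries would miss the `SC DELETE windefend` spelling the test below exercises.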
