PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
Sigma rule (View on GitHub)
1title: PUA - DefenderCheck Execution
2id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
3status: test
4description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
5references:
6 - https://github.com/matterpreter/DefenderCheck
7author: Florian Roth (Nextron Systems)
8date: 2022-08-30
9modified: 2023-02-04
10tags:
11 - attack.defense-evasion
12 - attack.t1027.005
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 - Image|endswith: '\DefenderCheck.exe'
19 - Description: 'DefenderCheck'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: high
References
Related rules
- HackTool - CrackMapExec PowerShell Obfuscation
- PUA - Potential PE Metadata Tamper Using Rcedit
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType