Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Tamper Windows Defender - PSClassic

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Mon Jun 07Updated Tue Jan 02ec19ebab-72dc-40e1-9728-4c0b805d722cwindows
Log Source
Windowsps_classic_provider_start
ProductWindows← raw: windows
Categoryps_classic_provider_start← raw: ps_classic_provider_start
Detection Logic
Detection Logic3 selectors
detection:
    selection_set_mppreference:
        Data|contains: 'Set-MpPreference'
    selection_options_bool_allow:
        Data|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
            - '-dbm 1'
            - '-dips $true'
            - '-dips 1'
            - '-DisableArchiveScanning $true'
            - '-DisableArchiveScanning 1'
            - '-DisableBehaviorMonitoring $true'
            - '-DisableBehaviorMonitoring 1'
            - '-DisableBlockAtFirstSeen $true'
            - '-DisableBlockAtFirstSeen 1'
            - '-DisableCatchupFullScan $true'
            - '-DisableCatchupFullScan 1'
            - '-DisableCatchupQuickScan $true'
            - '-DisableCatchupQuickScan 1'
            - '-DisableIntrusionPreventionSystem $true'
            - '-DisableIntrusionPreventionSystem 1'
            - '-DisableIOAVProtection $true'
            - '-DisableIOAVProtection 1'
            - '-DisableRealtimeMonitoring $true'
            - '-DisableRealtimeMonitoring 1'
            - '-DisableRemovableDriveScanning $true'
            - '-DisableRemovableDriveScanning 1'
            - '-DisableScanningMappedNetworkDrivesForFullScan $true'
            - '-DisableScanningMappedNetworkDrivesForFullScan 1'
            - '-DisableScanningNetworkFiles $true'
            - '-DisableScanningNetworkFiles 1'
            - '-DisableScriptScanning $true'
            - '-DisableScriptScanning 1'
            - '-MAPSReporting $false'
            - '-MAPSReporting 0'
            - '-drdsc $true'
            - '-drdsc 1'
            - '-drtm $true'
            - '-drtm 1'
            - '-dscrptsc $true'
            - '-dscrptsc 1'
            - '-dsmndf $true'
            - '-dsmndf 1'
            - '-dsnf $true'
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
    selection_options_actions_func:
        Data|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
            - 'ltdefac Allow'
            - 'ModerateThreatDefaultAction Allow'
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
    condition: selection_set_mppreference and 1 of selection_options_*
False Positives

Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.

References
1
Resolving title…
github.com
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Tamper Windows Defender - ScriptBlockLogging

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
ec19ebab-72dc-40e1-9728-4c0b805d722c
Status
test
Level
high
Type
Detection
Created
Mon Jun 07
Modified
Tue Jan 02
Author
François Hubaut, Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
Raw Tags
attack.defense-evasionattack.t1562.001
View on GitHub