Tamper Windows Defender - PSClassic

Sigma Rules

Summary
This detection rule identifies attempts to tamper with Windows Defender settings through PowerShell commands, which may indicate an effort to evade detection. The rule focuses on the `Set-MpPreference` cmdlet and looks for specific flags that disable Defender features such as real-time monitoring, scheduled scans, and intrusion prevention. It also matches commands that set the default action for threats to 'Allow', which renders the antivirus ineffective. Defensive actions include re-enabling the affected settings and monitoring command execution for further tampering. Legitimate reasons for disabling Defender (such as troubleshooting) must be distinguished from malicious intent, so every logged instance of these commands warrants further investigation.
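The matching logic described above, as an added example written for this page rather than the Sigma rule's own code: it runs over constructed process-creation events and returns the indicators found in each command line. The parameter names are those of the `Set-MpPreference` cmdlet (not listed on this page), and the host/user fields and event records are assumptions.

```python
import re

# Set-MpPreference parameters that switch off a Defender protection feature.
# Names are taken from the Set-MpPreference cmdlet, not from the rule page.
DISABLE_FLAGS = (
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableScriptScanning", "DisableBlockAtFirstSeen",
    "DisableIOAVProtection", "DisableIntrusionPreventionSystem",
)
# Per-severity default actions; 'Allow' on any of them disables remediation.
DEFAULT_ACTION_PARAMS = (
    "LowThreatDefaultAction", "ModerateThreatDefaultAction",
    "HighThreatDefaultAction", "SevereThreatDefaultAction",
)
TRUE_VALUES = {"1", "$true", "true"}

def _param_value(param, command_line):
    # Accepts '-Param 1', '-Param $true' and '-Param:$true'; returns lowercased value.
    m = re.search(rf"-{param}\s*[:\s]\s*(\S+)", command_line, re.IGNORECASE)
    return m.group(1).strip("\"';)").lower() if m else None

def tamper_indicators(command_line: str) -> list:
    """Return the Defender-tampering indicators present in one PowerShell command line."""
    if not re.search(r"\bSet-MpPreference\b", command_line, re.IGNORECASE):
        return []
    found = [f for f in DISABLE_FLAGS if _param_value(f, command_line) in TRUE_VALUES]
    found += [f"{p}=Allow" for p in DEFAULT_ACTION_PARAMS
              if _param_value(p, command_line) == "allow"]
    return found

def scan_events(events: list) -> list:
    """Flag process-creation events whose CommandLine matches the rule logic."""
    hits = []
    for ev in events:
        indicators = tamper_indicators(ev.get("CommandLine", ""))
        if indicators:  # analyst still has to rule out legitimate troubleshooting
            hits.append({"host": ev["host"], "user": ev["user"], "indicators": indicators})
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "CommandLine":
     'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection 1"'},
    {"host": "ws02", "user": "svc_build", "CommandLine":
     "powershell.exe -c Set-MpPreference -ExclusionPath C:\\build"},
    {"host": "ws03", "user": "admin", "CommandLine":
     "powershell.exe Set-MpPreference -HighThreatDefaultAction Allow -DisableRealtimeMonitoring 0"},
    {"host": "ws04", "user": "jdoe", "CommandLine": "powershell.exe Get-MpPreference"},
]
```

PowerShell also accepts unambiguous parameter-name prefixes, which this example does not match; a production rule needs to account for that and for encoded or obfuscated command lines.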
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Command
  • Application Log
ATT&CK Techniques
  • T1562.001
Created: 2021-06-07