
Tamper Windows Defender - ScriptBlockLogging

Sigma Rules

Summary
The rule "Tamper Windows Defender - ScriptBlockLogging" detects PowerShell script blocks that attempt to change Windows Defender Advanced Threat Protection (ATP) settings in ways that weaken protection. Specifically, it looks for invocations of the `Set-MpPreference` cmdlet with parameters that disable features such as scheduled scanning and real-time protection, turn off other scanning options, or change the default threat actions so that detected threats are allowed rather than blocked. Because the rule matches on the content of the executed script blocks, Script Block Logging must be enabled for it to fire. These actions are high-risk defense-evasion steps used to give malware a window in which to operate undetected.
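The following is an added example, not the Sigma rule itself, showing how the logic described above can be run over Script Block Logging records (Event ID 4104, `ScriptBlockText` field) that are constructed here for illustration. The parameter names are an assumed, representative subset of real `Set-MpPreference` parameters, not the rule's actual keyword list, and the example goes slightly beyond the summary by treating a value of `$false` as a benign re-enable rather than as tampering.

```python
import re

# Assumed representative subset of Set-MpPreference Boolean parameters that
# weaken Defender when set to $true (not the Sigma rule's own keyword list).
WEAKENING_BOOLEANS = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableioavprotection", "disablescriptscanning",
    "disableintrusionpreventionsystem", "disablearchivescanning",
    "disableblockatfirstseen", "disablecatchupfullscan",
    "disablecatchupquickscan",
}

# Only the cmdlets that change preferences matter; Get-MpPreference is read-only.
CMDLET = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.IGNORECASE)
# -DisableX $true / -DisableX:$true / -DisableX 1  ("$false" re-enables, so it is skipped)
DISABLE_TRUE = re.compile(r"-(Disable\w+)[:\s]+(?:\$true|1)\b", re.IGNORECASE)
# -<Severity>ThreatDefaultAction Allow tells Defender to let a detected threat run.
ALLOW_ACTION = re.compile(r"-(\w+ThreatDefaultAction)[:\s]+Allow\b", re.IGNORECASE)


def scan_script_block(text: str) -> list[str]:
    """Return the tampering indicators found in one ScriptBlockText value, or []."""
    if not CMDLET.search(text):
        return []
    findings = []
    for m in DISABLE_TRUE.finditer(text):
        if m.group(1).lower() in WEAKENING_BOOLEANS:
            findings.append(f"{m.group(1)}=true")
    for m in ALLOW_ACTION.finditer(text):
        findings.append(f"{m.group(1)}=Allow")
    return findings


def triage(events):
    """Map record id -> findings for every record that should raise the alert."""
    return {rid: f for rid, text in events if (f := scan_script_block(text))}


# Constructed sample 4104 records (record id, ScriptBlockText); not real telemetry.
SAMPLE_EVENTS = [
    (1, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    (2, "Set-MpPreference -DisableRealtimeMonitoring $false"),
    (3, "Get-MpPreference | Select-Object DisableRealtimeMonitoring"),
    (4, "set-mppreference -disableioavprotection 1 -HighThreatDefaultAction Allow"),
    (5, "Add-MpPreference -ExclusionPath C:\\Temp"),
    (6, "Set-MpPreference -DisableScriptScanning:$true; Set-MpPreference -LowThreatDefaultAction Allow"),
]

if __name__ == "__main__":
    for rid, findings in triage(SAMPLE_EVENTS).items():
        print(f"record {rid}: T1562.001 indicators {findings}")
```

Record 5 is deliberately not flagged: adding an exclusion path is a different tampering pattern from the disable/allow parameters this rule describes.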
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
ATT&CK Techniques
  • T1562.001
Created: 2022-01-16