Techniques
Sample rules
Windows Defender ASR or Threat Configuration Tamper
- source: splunk
- technicques:
- T1562.001
Description
The following analytic detects the use of commands to disable Attack Surface Reduction (ASR) rules or change threat default actions in Windows Defender. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving “Add-MpPreference” or “Set-MpPreference”. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute undetected. If confirmed malicious, this behavior could enable attackers to evade antivirus detection, maintain persistence, and execute further malicious activities without interference from Windows Defender.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process IN ("*Add-MpPreference *", "*Set-MpPreference *")
Processes.process IN (
"*-AttackSurfaceReductionRules_Actions*",
"*-ThreatIDDefaultAction_Actions*"
)
Processes.process IN (
"*Allow*",
"*NoAction*",
"*Disabled*",
"*_Actions 6*",
"*_Actions 9*",
"*_Actions 0*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_defender_asr_or_threat_configuration_tamper_filter`