Techniques
Sample rules
PowerShell Defender Threat Severity Default Action Set to ‘Allow’ or ‘NoAction’
- source: sigma
- techniques:
    - t1562
    - t1562.001
Description
Detects the use of PowerShell to execute the ‘Set-MpPreference’ cmdlet to configure Windows Defender’s threat severity default action to ‘Allow’ (value ‘6’) or ‘NoAction’ (value ‘9’). This is a highly suspicious configuration change that effectively disables Defender’s ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Detection logic
condition: all of selection_*
selection_action:
    CommandLine|contains:
        - -LowThreatDefaultAction
        - -ModerateThreatDefaultAction
        - -HighThreatDefaultAction
        - -SevereThreatDefaultAction
        - '-ltdefac '
        - '-mtdefac '
        - '-htdefac '
        - '-stdefac '
selection_cmdlet:
    CommandLine|contains: Set-MpPreference
selection_value:
    CommandLine|contains:
        - Allow
        - '6'
        - NoAction
        - '9'
Disabling Windows Defender WMI Autologger Session via Reg.exe
- source: sigma
- techniques:
    - t1562
    - t1562.001
Description
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the ‘Start’ value to ‘0’ for the ‘DefenderApiLogger’ or ‘DefenderAuditLogger’ session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_enable:
    CommandLine|contains: '0x00000001'
selection_img:
    - Image|endswith: \reg.exe
    - OriginalFileName: reg.exe
selection_reg_add:
    CommandLine|contains|all:
        - add
        - '0'
selection_reg_path:
    CommandLine|contains:
        - \Control\WMI\Autologger\DefenderApiLogger\Start
        - \Control\WMI\Autologger\DefenderAuditLogger\Start
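As an added example that is not part of either rule page or of the Sigma project, both detection-logic blocks above are re-expressed as Python predicates and run over constructed process-creation events; the Image paths and command lines are constructed samples, and the case-insensitive substring matching mirrors Sigma's default `contains` semantics.

```python
# The two Sigma rules above as Python predicates over a process-creation event
# (dict with CommandLine, Image, OriginalFileName). Sigma 'contains' is
# case-insensitive, so every comparison lowercases first.

def _has_any(text, needles):
    t = text.lower()
    return any(n.lower() in t for n in needles)

def _has_all(text, needles):
    t = text.lower()
    return all(n.lower() in t for n in needles)

def rule_defender_default_action(event):
    """condition: all of selection_* (action flag, cmdlet, and value must all hit)."""
    cmd = event.get("CommandLine", "")
    action = _has_any(cmd, ["-LowThreatDefaultAction", "-ModerateThreatDefaultAction",
                            "-HighThreatDefaultAction", "-SevereThreatDefaultAction",
                            "-ltdefac ", "-mtdefac ", "-htdefac ", "-stdefac "])
    cmdlet = _has_any(cmd, ["Set-MpPreference"])
    value = _has_any(cmd, ["Allow", "6", "NoAction", "9"])  # '6'/'9' are loose substrings
    return action and cmdlet and value

def rule_defender_autologger(event):
    """condition: all of selection_* and not filter_main_enable."""
    cmd = event.get("CommandLine", "")
    img = (event.get("Image", "").lower().endswith("\\reg.exe")
           or event.get("OriginalFileName", "").lower() == "reg.exe")
    reg_add = _has_all(cmd, ["add", "0"])
    reg_path = _has_any(cmd, ["\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start",
                              "\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start"])
    return img and reg_add and reg_path and not _has_any(cmd, ["0x00000001"])

def scan(events):
    """Return {rule_name: [indices of matching events]} for a batch of events."""
    rules = {"defender_default_action": rule_defender_default_action,
             "defender_autologger": rule_defender_autologger}
    return {name: [i for i, e in enumerate(events) if fn(e)] for name, fn in rules.items()}

# Constructed sample events (not real telemetry).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
REG = "C:\\Windows\\System32\\reg.exe"
KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger"
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": "powershell -c Set-MpPreference -HighThreatDefaultAction Allow"},
    {"Image": PS, "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": REG, "CommandLine": f"reg add {KEY}\\Start /t REG_DWORD /d 0 /f"},
    {"Image": REG, "CommandLine": f"reg add {KEY}\\Start /t REG_DWORD /d 0x00000001 /f"},
    # '/v Start' form never contains the literal '\DefenderApiLogger\Start', so no hit
    {"Image": REG, "CommandLine": f"reg add {KEY} /v Start /t REG_DWORD /d 0 /f"},
]
```

The last sample event shows a gap in the second rule as written: the `/v Start` form of `reg add` never contains the literal `\DefenderApiLogger\Start` substring that `selection_reg_path` requires, so only command lines that embed `\Start` in the key path itself fire.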