Techniques
Sample rules
Tamper Windows Defender - PSClassic
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Detection logic
condition: selection_set_mppreference and 1 of selection_options_*
selection_options_actions_func:
  Data|contains:
    - HighThreatDefaultAction Allow
    - htdefac Allow
    - LowThreatDefaultAction Allow
    - ltdefac Allow
    - ModerateThreatDefaultAction Allow
    - mtdefac Allow
    - SevereThreatDefaultAction Allow
    - stdefac Allow
selection_options_bool_allow:
  Data|contains:
    - -dbaf $true
    - -dbaf 1
    - -dbm $true
    - -dbm 1
    - -dips $true
    - -dips 1
    - -DisableArchiveScanning $true
    - -DisableArchiveScanning 1
    - -DisableBehaviorMonitoring $true
    - -DisableBehaviorMonitoring 1
    - -DisableBlockAtFirstSeen $true
    - -DisableBlockAtFirstSeen 1
    - -DisableCatchupFullScan $true
    - -DisableCatchupFullScan 1
    - -DisableCatchupQuickScan $true
    - -DisableCatchupQuickScan 1
    - -DisableIntrusionPreventionSystem $true
    - -DisableIntrusionPreventionSystem 1
    - -DisableIOAVProtection $true
    - -DisableIOAVProtection 1
    - -DisableRealtimeMonitoring $true
    - -DisableRealtimeMonitoring 1
    - -DisableRemovableDriveScanning $true
    - -DisableRemovableDriveScanning 1
    - -DisableScanningMappedNetworkDrivesForFullScan $true
    - -DisableScanningMappedNetworkDrivesForFullScan 1
    - -DisableScanningNetworkFiles $true
    - -DisableScanningNetworkFiles 1
    - -DisableScriptScanning $true
    - -DisableScriptScanning 1
    - -MAPSReporting $false
    - -MAPSReporting 0
    - -drdsc $true
    - -drdsc 1
    - -drtm $true
    - -drtm 1
    - -dscrptsc $true
    - -dscrptsc 1
    - -dsmndf $true
    - -dsmndf 1
    - -dsnf $true
    - -dsnf 1
    - -dss $true
    - -dss 1
selection_set_mppreference:
  Data|contains: Set-MpPreference
Tamper Windows Defender - ScriptBlockLogging
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Detection logic
condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
selection_options_disabling_function:
  ScriptBlockText|contains:
    - -dbaf $true
    - -dbaf 1
    - -dbm $true
    - -dbm 1
    - -dips $true
    - -dips 1
    - -DisableArchiveScanning $true
    - -DisableArchiveScanning 1
    - -DisableBehaviorMonitoring $true
    - -DisableBehaviorMonitoring 1
    - -DisableBlockAtFirstSeen $true
    - -DisableBlockAtFirstSeen 1
    - -DisableCatchupFullScan $true
    - -DisableCatchupFullScan 1
    - -DisableCatchupQuickScan $true
    - -DisableCatchupQuickScan 1
    - -DisableIntrusionPreventionSystem $true
    - -DisableIntrusionPreventionSystem 1
    - -DisableIOAVProtection $true
    - -DisableIOAVProtection 1
    - -DisableRealtimeMonitoring $true
    - -DisableRealtimeMonitoring 1
    - -DisableRemovableDriveScanning $true
    - -DisableRemovableDriveScanning 1
    - -DisableScanningMappedNetworkDrivesForFullScan $true
    - -DisableScanningMappedNetworkDrivesForFullScan 1
    - -DisableScanningNetworkFiles $true
    - -DisableScanningNetworkFiles 1
    - -DisableScriptScanning $true
    - -DisableScriptScanning 1
    - -MAPSReporting $false
    - -MAPSReporting 0
    - -drdsc $true
    - -drdsc 1
    - -drtm $true
    - -drtm 1
    - -dscrptsc $true
    - -dscrptsc 1
    - -dsmndf $true
    - -dsmndf 1
    - -dsnf $true
    - -dsnf 1
    - -dss $true
    - -dss 1
selection_options_disabling_preference:
  ScriptBlockText|contains: Set-MpPreference
selection_other_default_actions_allow:
  ScriptBlockText|contains: Set-MpPreference
selection_other_default_actions_func:
  ScriptBlockText|contains:
    - HighThreatDefaultAction Allow
    - htdefac Allow
    - LowThreatDefaultAction Allow
    - ltdefac Allow
    - ModerateThreatDefaultAction Allow
    - mtdefac Allow
    - SevereThreatDefaultAction Allow
    - stdefac Allow
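The two rules above (PSClassic and ScriptBlockLogging) share the same keyword lists and differ mainly in which event field they inspect (Data versus ScriptBlockText). The following Python, added here as an illustration and not part of the Sigma project or these rules, evaluates both conditions over a handful of constructed log values so a detection engineer can see what does and does not fire. It assumes Sigma's default `contains` semantics (substring, case-insensitive) and builds the `-Switch $true` / `-Switch 1` pairs programmatically from the switch names listed in the rules.

```python
"""Evaluate the two 'Tamper Windows Defender' Sigma conditions over sample text.

Added example, not code from the Sigma project. Sigma's `contains` modifier is a
case-insensitive substring match, so both sides are lower-cased before comparing.
"""

# Switch names copied from the rules; each appears twice there, as "-X $true" and "-X 1".
_DISABLE_SWITCHES = [
    "-dbaf", "-dbm", "-dips",
    "-DisableArchiveScanning", "-DisableBehaviorMonitoring", "-DisableBlockAtFirstSeen",
    "-DisableCatchupFullScan", "-DisableCatchupQuickScan",
    "-DisableIntrusionPreventionSystem", "-DisableIOAVProtection",
    "-DisableRealtimeMonitoring", "-DisableRemovableDriveScanning",
    "-DisableScanningMappedNetworkDrivesForFullScan", "-DisableScanningNetworkFiles",
    "-DisableScriptScanning",
    "-drdsc", "-drtm", "-dscrptsc", "-dsmndf", "-dsnf", "-dss",
]

# selection_options_bool_allow / selection_options_disabling_function (44 strings).
DISABLE_OPTIONS = [f"{s} {v}" for s in _DISABLE_SWITCHES for v in ("$true", "1")]
DISABLE_OPTIONS += ["-MAPSReporting $false", "-MAPSReporting 0"]

# selection_options_actions_func / selection_other_default_actions_func.
DEFAULT_ACTION_ALLOW = [
    "HighThreatDefaultAction Allow", "htdefac Allow",
    "LowThreatDefaultAction Allow", "ltdefac Allow",
    "ModerateThreatDefaultAction Allow", "mtdefac Allow",
    "SevereThreatDefaultAction Allow", "stdefac Allow",
]

SET_MPPREFERENCE = ["Set-MpPreference"]


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma `field|contains: [list]` - true if any needle is a substring, ignoring case."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def match_psclassic(data: str) -> bool:
    """PSClassic rule: selection_set_mppreference and 1 of selection_options_*

    `data` stands for the Data field of a classic PowerShell event.
    """
    set_mp = contains_any(data, SET_MPPREFERENCE)
    options = [
        contains_any(data, DEFAULT_ACTION_ALLOW),   # selection_options_actions_func
        contains_any(data, DISABLE_OPTIONS),        # selection_options_bool_allow
    ]
    return set_mp and any(options)                  # "1 of" == at least one


def match_scriptblock(text: str) -> bool:
    """ScriptBlockLogging rule:
    all of selection_options_disabling_* or all of selection_other_default_actions_*

    `text` stands for the ScriptBlockText field of a script block logging event.
    """
    disabling = [
        contains_any(text, DISABLE_OPTIONS),        # selection_options_disabling_function
        contains_any(text, SET_MPPREFERENCE),       # selection_options_disabling_preference
    ]
    default_actions = [
        contains_any(text, SET_MPPREFERENCE),       # selection_other_default_actions_allow
        contains_any(text, DEFAULT_ACTION_ALLOW),   # selection_other_default_actions_func
    ]
    return all(disabling) or all(default_actions)


# Constructed sample values (not real telemetry) covering hits, misses and case folding.
SAMPLES = [
    ("classic", "HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("classic", "Set-MpPreference -ScanScheduleDay 0"),              # ordinary config change
    ("classic", "-DisableRealtimeMonitoring $true"),                 # no Set-MpPreference cmdlet
    ("scriptblock", "Set-MpPreference -HighThreatDefaultAction Allow"),
    ("scriptblock", "set-mppreference -drtm 1"),                     # lower case, alias form
    ("scriptblock", "Get-MpPreference | Select DisableRealtimeMonitoring"),  # read-only query
]


def run_samples() -> list[tuple[str, str, bool]]:
    """Apply the matching rule to each sample and return (field, text, matched)."""
    results = []
    for kind, text in SAMPLES:
        fn = match_psclassic if kind == "classic" else match_scriptblock
        results.append((kind, text, fn(text)))
    return results


if __name__ == "__main__":
    for kind, text, hit in run_samples():
        print(f"{'ALERT ' if hit else 'ok    '} [{kind}] {text}")
```

Reading the two conditions side by side shows they are logically the same test, `Set-MpPreference` present and at least one tampering option present; only the field differs. The sample set also shows what the rules deliberately do not cover: a `Set-MpPreference` call that changes a benign setting, and a `Get-MpPreference` query, both stay quiet.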