Techniques
Sample rules
Powershell Disable Security Monitoring
- source: splunk
- technicques:
- T1562.001
Description
The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific Set-MpPreference parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*" AND Processes.process IN ("*disablerealtimemonitoring*","*DisableScanningNetworkFiles*","*DisableScanningMappedNetworkDrivesForFullScan*","*DisableRemovableDriveScanning*","*DisableArchiveScanning*","*DisableCatchupFullScan*","*DisableCatchupQuickScan*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*MAPSReporting*","*drdsc *","*dsnf *","*drtm *","*dioavp *","*dscrptsc *","*dbaf *","*dbm *","*dips *") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_disable_security_monitoring_filter`