LoFP LoFP / limited false positives. however, tune based on scripts that may perform this action.

Techniques

Sample rules

Powershell Disable Security Monitoring

Description

The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific Set-MpPreference parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process="*Set-MpPreference*"
(
  Processes.process IN (
    "*DisableArchiveScanning*",
    "*DisableBehaviorMonitoring*",
    "*DisableBlockAtFirstSeen*",
    "*DisableCatchupFullScan*",
    "*DisableCatchupQuickScan*",
    "*DisableIOAVProtection*",
    "*DisableRealtimeMonitoring*",
    "*DisableRemovableDriveScanning*",
    "*DisableRestorePoint*",
    "*DisableScanningMappedNetworkDrivesForFullScan*",
    "*DisableScanningNetworkFiles*",
    "*DisableScriptScanning*",
    "*drdsc*",
    "*dsnf *",
    "*drtm *",
    "*dioavp *",
    "*dscrptsc *",
    "*dbaf *",
    "*darchsc *",
    "*dcfsc *",
    "*dbm *"
  )
  Processes.process IN (
    "* $true*",
    "* 1*"
  )
)
OR
(
  Processes.process = "*PUAProtection*"
  Processes.process = "*disable*"
)
OR
(
  Processes.process = "*CloudBlockLevel*"
  Processes.process IN (
    "* $false*", 
    "* 0*"
  )
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `powershell_disable_security_monitoring_filter`