LoFP LoFP / limited false positives. however, tune based on scripts that may perform this action.

Techniques

Sample rules

Powershell Defender Threat Actions Set to Allow

Description

The following analytic detects the setting of the Windows Defender Threat Actions to allow. It leverages data from the Endpoint.Processes data model, specifically monitoring the execution of the Set-MpPreference cmdlet with the -HighThreatDefaultAction, -ModerateThreatDefaultAction, -LowThreatDefaultAction, and -SevereThreatDefaultAction parameters set to 6. This activity is significant because it is commonly used by malware such as RATs, bots, or Trojans to evade detection by allowing threats to pass through the Windows Defender antivirus engine. If confirmed malicious, this action could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential data exfiltration, further system compromise, or persistent access within the environment.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process="*Set-MpPreference*"
(
  Processes.process IN (
    "*-HighThreatDefaultAction*",
    "*-ModerateThreatDefaultAction*",
    "*-LowThreatDefaultAction*",
    "*-SevereThreatDefaultAction*"
  )
  Processes.process IN (
    "* 6*"
  )
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `powershell_defender_threat_actions_set_to_allow_filter`

Powershell Disable Security Monitoring

Description

The following analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands. It detects the use of specific Set-MpPreference parameters that disable various security features. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process="*Set-MpPreference*"
(
  Processes.process IN (
    "*DisableArchiveScanning*",
    "*DisableBehaviorMonitoring*",
    "*DisableBlockAtFirstSeen*",
    "*DisableCatchupFullScan*",
    "*DisableCatchupQuickScan*",
    "*DisableIOAVProtection*",
    "*DisableRealtimeMonitoring*",
    "*DisableRemovableDriveScanning*",
    "*DisableRestorePoint*",
    "*DisableScanningMappedNetworkDrivesForFullScan*",
    "*DisableScanningNetworkFiles*",
    "*DisableScriptScanning*",
    "*drdsc*",
    "*dsnf *",
    "*drtm *",
    "*dioavp *",
    "*dscrptsc *",
    "*dbaf *",
    "*darchsc *",
    "*dcfsc *",
    "*dbm *"
  )
  Processes.process IN (
    "* $true*",
    "* 1*"
  )
)
OR
(
  Processes.process = "*PUAProtection*"
  Processes.process = "*disable*"
)
OR
(
  Processes.process = "*CloudBlockLevel*"
  Processes.process IN (
    "* $false*",
    "* 0*"
  )
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `powershell_disable_security_monitoring_filter`