LoFP / Limited false positives. However, tune based on administrative scripts that may legitimately run Set-MpPreference to change these settings.

Techniques

Sample rules

Powershell Disable Security Monitoring

Description

This search identifies PowerShell executions of Set-MpPreference with parameters (or their short aliases) that disable Windows Defender protections: real-time monitoring, IOAV protection, the intrusion prevention system, script scanning, block-at-first-seen, and behavior monitoring. This technique is commonly seen in RATs, bots, or Trojans that disable AV to evade detection.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_powershell` Processes.process="*set-mppreference*" AND Processes.process IN ("*disablerealtimemonitoring*","*disableioavprotection*","*disableintrusionpreventionsystem*","*disablescriptscanning*","*disableblockatfirstseen*","*DisableBehaviorMonitoring*","*drtm *","*dioavp *","*dscrptsc *","*dbaf *","*dbm *") by Processes.dest Processes.user Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_disable_security_monitoring_filter`
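To check how the where clause above behaves before deploying it, the following Python re-implements its match conditions and the count/min/max aggregation and runs them over a handful of constructed Sysmon-style process events. This is example code added to this page, not code from Splunk or the security_content project; the expansion of the `process_powershell` macro, the reduced grouping key, and the sample events are assumptions. It also shows one caveat worth knowing: the short-alias patterns end in a space, so `-drtm $true` matches while `-drtm:$true` does not.

```python
"""Python re-implementation of the match conditions in the Splunk search
above, run over constructed process events. Example code added to this page,
not code from Splunk or the security_content project; the macro expansion and
the sample events are assumptions."""

import fnmatch

# Assumed expansion of the `process_powershell` macro: PowerShell host
# binaries, matched on process_name or original_file_name.
POWERSHELL_PROCESS_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll", "powershell_ise.exe"}

# Wildcard patterns copied from the search. The five short forms are the
# Set-MpPreference parameter aliases; the trailing space means the alias
# must be followed by whitespace ("-drtm $true" matches, "-drtm:$true" does not).
DISABLE_PATTERNS = [
    "*disablerealtimemonitoring*",
    "*disableioavprotection*",
    "*disableintrusionpreventionsystem*",
    "*disablescriptscanning*",
    "*disableblockatfirstseen*",
    "*DisableBehaviorMonitoring*",
    "*drtm *",
    "*dioavp *",
    "*dscrptsc *",
    "*dbaf *",
    "*dbm *",
]


def _glob(value, pattern):
    # Case-insensitive glob (assumed to mirror Splunk's matching). fnmatch.fnmatch
    # only folds case on Windows, so lower both sides and use fnmatchcase.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_powershell(event):
    return (event["process_name"].lower() in POWERSHELL_PROCESS_NAMES
            or event.get("original_file_name", "").lower() in POWERSHELL_ORIGINAL_NAMES)


def matches(event):
    """True when the event would satisfy the tstats where clause."""
    process = event["process"]
    if not is_powershell(event):
        return False
    if not _glob(process, "*set-mppreference*"):
        return False
    return any(_glob(process, p) for p in DISABLE_PATTERNS)


def run_search(events):
    """Emulate `count min(_time) max(_time) ... by ...` over matching events.
    The grouping key is reduced to dest, user, process_name and process."""
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        key = (ev["dest"], ev["user"], ev["process_name"], ev["process"])
        row = rows.setdefault(key, {
            "dest": ev["dest"], "user": ev["user"],
            "process_name": ev["process_name"], "process": ev["process"],
            "count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


def _ev(t, dest, user, name, process, original=None):
    return {"_time": t, "dest": dest, "user": user, "process_name": name,
            "original_file_name": original or name, "process": process}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev(1700000000, "WS01", "CORP\\alice", "powershell.exe",
        'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    _ev(1700000600, "WS01", "CORP\\alice", "powershell.exe",
        'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    # Short aliases followed by a space: matched by "*drtm *" and "*dbm *".
    _ev(1700000700, "WS02", "CORP\\bob", "pwsh.exe",
        'pwsh.exe -c "Set-MpPreference -drtm $true -dbm $true"', original="pwsh.dll"),
    # Alias with colon syntax: not matched, the pattern requires a trailing space.
    _ev(1700000800, "WS02", "CORP\\bob", "powershell.exe",
        "powershell.exe Set-MpPreference -drtm:$true"),
    # Reading preferences is not flagged.
    _ev(1700000900, "WS03", "CORP\\carol", "powershell.exe",
        "powershell.exe Get-MpPreference"),
    # The cmd.exe event itself is not a PowerShell host (its child powershell.exe
    # would produce its own event, which the rule would catch).
    _ev(1700001000, "WS03", "CORP\\carol", "cmd.exe",
        "cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true"),
]

if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS):
        print(row)
```

Running it yields two result rows: WS01 with count 2 (firstTime and lastTime ten minutes apart) and WS02 with count 1; the `-drtm:$true` form, the Get-MpPreference call, and the cmd.exe event produce nothing. If the colon form matters in your environment, the alias patterns would need to be widened before relying on them.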