Techniques
Sample rules
Powershell Defender Threat Actions Set to Allow
- source: splunk
- technicques:
Description
The following analytic detects the setting of the Windows Defender Threat Actions to allow. It leverages data from the Endpoint.Processes data model, specifically monitoring the execution of the Set-MpPreference cmdlet with the -HighThreatDefaultAction, -ModerateThreatDefaultAction, -LowThreatDefaultAction, and -SevereThreatDefaultAction parameters set to 6. This activity is significant because it is commonly used by malware such as RATs, bots, or Trojans to evade detection by allowing threats to pass through the Windows Defender antivirus engine. If confirmed malicious, this action could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential data exfiltration, further system compromise, or persistent access within the environment.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process="*Set-MpPreference*"
(
Processes.process IN (
"*-HighThreatDefaultAction*",
"*-ModerateThreatDefaultAction*",
"*-LowThreatDefaultAction*",
"*-SevereThreatDefaultAction*"
)
Processes.process IN (
"* 6*"
)
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_defender_threat_actions_set_to_allow_filter`
Powershell Disable Security Monitoring
- source: splunk
- technicques:
Description
The following analytic identifies attempts to disable Windows Defender
real-time behavior monitoring via PowerShell commands. It detects the use of specific
Set-MpPreference parameters that disable various security features. This activity
is significant as it is commonly used by malware such as RATs, bots, or Trojans
to evade detection by disabling antivirus protections. If confirmed malicious, this
action could allow an attacker to operate undetected, leading to potential data
exfiltration, further system compromise, or persistent access within the environment.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process="*Set-MpPreference*"
(
Processes.process IN (
"*DisableArchiveScanning*",
"*DisableBehaviorMonitoring*",
"*DisableBlockAtFirstSeen*",
"*DisableCatchupFullScan*",
"*DisableCatchupQuickScan*",
"*DisableIOAVProtection*",
"*DisableRealtimeMonitoring*",
"*DisableRemovableDriveScanning*",
"*DisableRestorePoint*",
"*DisableScanningMappedNetworkDrivesForFullScan*",
"*DisableScanningNetworkFiles*",
"*DisableScriptScanning*",
"*drdsc*",
"*dsnf *",
"*drtm *",
"*dioavp *",
"*dscrptsc *",
"*dbaf *",
"*darchsc *",
"*dcfsc *",
"*dbm *"
)
Processes.process IN (
"* $true*",
"* 1*"
)
)
OR
(
Processes.process = "*PUAProtection*"
Processes.process = "*disable*"
)
OR
(
Processes.process = "*CloudBlockLevel*"
Processes.process IN (
"* $false*",
"* 0*"
)
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_disable_security_monitoring_filter`