Minimal. For some older versions of developer tools, such as PyCharm, developers were known to disable Windows Defender to improve performance, but this is generally not considered good security practice.

Techniques

Sample rules

Disable Windows Defender AV Security Monitoring

Description

Detects attempts to disable Windows Defender, either from PowerShell (command lines carrying the -DisableBehaviorMonitoring or -DisableRuntimeMonitoring switches set to $true) or by using sc.exe to stop, disable (start=disabled) or delete the WinDefend service.

Detection logic

condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
selection_pwsh_binary:
  - Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  - OriginalFileName:
      - 'PowerShell.EXE'
      - 'pwsh.dll'
selection_pwsh_cli:
  CommandLine|contains:
    - '-DisableBehaviorMonitoring $true'
    - '-DisableRuntimeMonitoring $true'
selection_sc_binary:
  - Image|endswith: '\sc.exe'
  - OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_delete:
  CommandLine|contains|all:
    - 'delete'
    - 'WinDefend'
selection_sc_tamper_cmd_disabled:
  CommandLine|contains|all:
    - 'config'
    - 'WinDefend'
    - 'start=disabled'
selection_sc_tamper_cmd_stop:
  CommandLine|contains|all:
    - 'stop'
    - 'WinDefend'
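To make the matching semantics concrete, the following Python evaluates the detection logic above against a handful of constructed process-creation events. It is an added example, not part of the LoFP page or of the Sigma rule itself. The field names (Image, OriginalFileName, CommandLine), the selection names and the literal strings are taken from the rule; the sample events and the helper function names are this example's own assumptions. String modifiers in Sigma (contains, endswith and exact match) compare case-insensitively, which the helpers reproduce.

```python
# Added example (not part of the LoFP page or the Sigma rule): evaluates the
# "Disable Windows Defender AV Security Monitoring" detection logic against
# constructed process-creation events. Field names and literals come from the
# rule; the events and helper names are assumptions of this example.
# Sigma string modifiers compare case-insensitively, hence the lower-casing.

def _ci(value):
    return str(value).lower()

def endswith_any(value, needles):
    v = _ci(value)
    return any(v.endswith(_ci(n)) for n in needles)

def equals_any(value, needles):
    v = _ci(value)
    return any(v == _ci(n) for n in needles)

def contains_any(value, needles):
    v = _ci(value)
    return any(_ci(n) in v for n in needles)

def contains_all(value, needles):
    v = _ci(value)
    return all(_ci(n) in v for n in needles)

# A selection written as a YAML list of maps is an OR between the maps.
def selection_pwsh_binary(ev):
    return (endswith_any(ev.get("Image", ""), ["\\powershell.exe", "\\pwsh.exe"])
            or equals_any(ev.get("OriginalFileName", ""), ["PowerShell.EXE", "pwsh.dll"]))

def selection_pwsh_cli(ev):
    return contains_any(ev.get("CommandLine", ""),
                        ["-DisableBehaviorMonitoring $true", "-DisableRuntimeMonitoring $true"])

def selection_sc_binary(ev):
    return (endswith_any(ev.get("Image", ""), ["\\sc.exe"])
            or equals_any(ev.get("OriginalFileName", ""), ["sc.exe"]))

# The three selection_sc_tamper_* blocks: contains|all requires every substring.
SC_TAMPER = {
    "selection_sc_tamper_cmd_delete": ["delete", "WinDefend"],
    "selection_sc_tamper_cmd_disabled": ["config", "WinDefend", "start=disabled"],
    "selection_sc_tamper_cmd_stop": ["stop", "WinDefend"],
}

def sc_tamper_hits(ev):
    """Names of the selection_sc_tamper_* blocks that match the event."""
    cl = ev.get("CommandLine", "")
    return [name for name, needles in SC_TAMPER.items() if contains_all(cl, needles)]

def matches(ev):
    """condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)"""
    pwsh = selection_pwsh_binary(ev) and selection_pwsh_cli(ev)
    sc = selection_sc_binary(ev) and len(sc_tamper_hits(ev)) >= 1
    return pwsh or sc

def evaluate(events):
    return [matches(ev) for ev in events]

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
EVENTS = [
    # 1. the Set-MpPreference switch the rule looks for -> alert
    {"Image": PS, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -nop -c "Set-MpPreference -DisableBehaviorMonitoring $true"'},
    # 2. service disabled with sc.exe, no space after '=' -> alert
    {"Image": SC, "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe config WinDefend start=disabled"},
    # 3. mixed case: Sigma matching is case-insensitive -> alert
    {"Image": SC, "OriginalFileName": "sc.exe", "CommandLine": "SC STOP windefend"},
    # 4. benign status query, no tamper verb -> no alert
    {"Image": SC, "OriginalFileName": "sc.exe", "CommandLine": "sc query WinDefend"},
    # 5. real-time protection switched off; the rule's literal says 'Runtime',
    #    so -DisableRealtimeMonitoring is not covered -> no alert
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # 6. documented sc syntax has a space after 'start=', which the literal
    #    'start=disabled' does not match -> no alert
    {"Image": SC, "OriginalFileName": "sc.exe",
     "CommandLine": "sc config WinDefend start= disabled"},
    # 7. same verb via cmd.exe: the binary selection fails on this event; the
    #    child sc.exe process would produce its own event and be caught there
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c sc stop WinDefend"},
]

if __name__ == "__main__":
    for ev, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT " if hit else "ok    ", ev["CommandLine"])
```

Two of the non-matching events are worth attention when tuning this rule. Set-MpPreference's switch for real-time protection is -DisableRealtimeMonitoring; the rule's `-DisableRuntimeMonitoring $true` literal does not match it (event 5). Microsoft's documented sc.exe syntax puts a space after the equals sign (`start= disabled`), which the literal `start=disabled` does not match either (event 6); the `stop` and `delete` selections are unaffected by that.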