LoFP / planned windows defender configuration changes.

Techniques

Sample rules

Disabling Windows Defender Security Settings via PowerShell

Description

Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  (
    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
    ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
  ) and
  process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
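To show how this rule behaves on real-looking telemetry, and where the "planned Windows Defender configuration changes" false positive comes from, here is an added Python re-implementation of the query's matching logic run over constructed process-start events. This is example code written for this page, not the rule's own engine or any vendor code. It assumes ECS-style field names (process.name, process.args, process.pe.original_file_name, user.name, process.parent.name), and the allowlisted service account and agent process used to recognise a planned change are hypothetical placeholders.

```python
"""Python mirror of the EQL rule above, run over constructed sample events.
Added example, not the detection engine; field names follow ECS and the
planned-change allowlist values are made-up placeholders."""
import fnmatch

# Constants copied from the rule's detection logic
PROC_NAMES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
ORIG_FILE_NAMES = ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
WEAKENING_ARGS = ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")

# Constructed allowlist describing a planned-change context (assumption: a
# hypothetical endpoint-management service account and its agent process).
PLANNED_CHANGE_CONTEXT = {
    "user.name": {"svc-endpoint-mgmt"},
    "process.parent.name": {"endpoint-mgmt-agent.exe"},
}


def eql_colon(value, patterns):
    """EQL ':' operator: case-insensitive match where '*' is a wildcard;
    a tuple of patterns means 'matches any of them'."""
    v = str(value).lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def array_colon(values, patterns):
    """':' applied to an array field such as process.args: true if any element matches."""
    return any(eql_colon(v, patterns) for v in values)


def rule_matches(event):
    """Evaluate the rule's predicates in the same order as the EQL query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    # '?field' in EQL tolerates a missing field; 'in' compares case-sensitively
    orig = event.get("process.pe.original_file_name")
    is_powershell = eql_colon(event.get("process.name", ""), PROC_NAMES) or orig in ORIG_FILE_NAMES
    if not is_powershell:
        return False
    args = event.get("process.args", [])
    return array_colon(args, ("Set-MpPreference",)) and array_colon(args, WEAKENING_ARGS)


def is_planned_change(event):
    """True only when every attribute of the allowlisted change context is present."""
    return all(event.get(field) in allowed for field, allowed in PLANNED_CHANGE_CONTEXT.items())


def triage(events):
    """Return (event id, verdict) pairs: 'alert', 'suppressed:planned-change' or 'no-match'."""
    verdicts = []
    for ev in events:
        if not rule_matches(ev):
            verdicts.append((ev["id"], "no-match"))
        elif is_planned_change(ev):
            verdicts.append((ev["id"], "suppressed:planned-change"))
        else:
            verdicts.append((ev["id"], "alert"))
    return verdicts


def _start_event(eid, name, args, user, parent, orig=None, os_type="windows"):
    ev = {"id": eid, "host.os.type": os_type, "event.type": "start",
          "process.name": name, "process.args": args,
          "user.name": user, "process.parent.name": parent}
    if orig:
        ev["process.pe.original_file_name"] = orig
    return ev


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # interactive user disabling real-time monitoring from a cmd.exe shell
    _start_event("e1", "powershell.exe",
                 ["powershell.exe", "Set-MpPreference", "-DisableRealtimeMonitoring", "$true"],
                 "jdoe", "cmd.exe"),
    # same -Exclusion* pattern, but issued by the managed change pipeline
    _start_event("e2", "pwsh.exe",
                 ["pwsh.exe", "-c", "Set-MpPreference", "-ExclusionPath", "C:\\Build"],
                 "svc-endpoint-mgmt", "endpoint-mgmt-agent.exe"),
    # read-only query: Get-MpPreference does not match the rule
    _start_event("e3", "powershell.exe", ["powershell.exe", "Get-MpPreference"], "jdoe", "explorer.exe"),
    # process.name alone would miss this; original_file_name and case-insensitive ':' catch it
    _start_event("e4", "ps.exe",
                 ["ps.exe", "set-mppreference", "-SubmitSamplesConsent", "NeverSend"],
                 "jdoe", "explorer.exe", orig="pwsh.dll"),
    # not a Windows host: the rule's first predicate fails
    _start_event("e5", "pwsh", ["pwsh", "Set-MpPreference", "-DisableRealtimeMonitoring"],
                 "root", "bash", os_type="linux"),
]

if __name__ == "__main__":
    for eid, verdict in triage(SAMPLE_EVENTS):
        print(eid, verdict)
```

Event e2 is the false positive this page is about: the rule fires correctly on the arguments, and only the surrounding context (who ran it and from what parent) separates a planned change from a hostile one. The suppression therefore requires both context fields to match, so an attacker-controlled account running the same command from an ordinary shell still alerts; suppressed events should still be logged for audit rather than dropped.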