PowerShell Used to Disable Windows Defender Security Monitoring
This analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands using `Set-MpPreference`, commonly used by malware to evade detection and potentially leading to data exfiltration or system compromise.
This brief focuses on the abuse of PowerShell to disable Windows Defender's security monitoring features. Attackers, including malware such as Remote Access Trojans (RATs), bots, and Trojans, leverage this technique to evade detection and establish a persistent foothold within compromised systems. The activity is detected by monitoring for specific Set-MpPreference parameters within PowerShell command lines that disable real-time monitoring, archive scanning, and other key security features. This allows attackers to operate undetected, potentially leading to data exfiltration, further system compromise, or persistent access within the environment. The technique is described in the Atomic Red Team test T1562.001.
Attack Chain
- The attacker gains initial access to the system (potentially via phishing or exploiting a vulnerability).
- The attacker executes PowerShell with elevated privileges.
- PowerShell invokes the
Set-MpPreferencecmdlet to modify Windows Defender settings. - Specific parameters like
DisableRealtimeMonitoring,DisableBehaviorMonitoring, orDisableIOAVProtectionare used with a value of$trueor1. - Windows Defender's real-time monitoring and behavior analysis are disabled, reducing the system's defenses.
- The attacker deploys malware, such as a RAT, bot, or Trojan, to the compromised system.
- The malware operates without being detected by Windows Defender, performing actions like data exfiltration.
- The attacker maintains persistence on the system, potentially escalating privileges and moving laterally within the network.
Impact
A successful attack can lead to complete compromise of the targeted system. Disabling Windows Defender allows malware to operate freely, resulting in data exfiltration, ransomware deployment, or the establishment of a persistent backdoor. The incident could affect individual workstations as well as critical servers within the network. This could lead to financial losses, reputational damage, and regulatory penalties.
Recommendation
- Deploy the Sigma rule
Powershell Disable Security Monitoring via Set-MpPreferenceto detect PowerShell commands attempting to disable Windows Defender features (seerulessection). - Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to provide necessary data for the detections.
- Review and tune the
powershell_disable_security_monitoring_filtermacro to reduce false positives in your environment. - Investigate any alerts triggered by the Sigma rule, focusing on the
Processes.parent_processandProcesses.userto identify the source of the malicious activity. - Monitor endpoint processes for unusual PowerShell activity, specifically commands containing
Set-MpPreferenceand related parameters.
Detection coverage 2
Powershell Disable Security Monitoring via Set-MpPreference
highDetects PowerShell commands that attempt to disable Windows Defender's real-time monitoring features using Set-MpPreference.
Powershell Disable PUA Protection
mediumDetects PowerShell commands that attempt to disable Windows Defender's PUAProtection feature using Set-MpPreference.
Detection queries are available on the platform. Get full rules →