Skip to content
Threat Feed
high advisory

PowerShell Used to Disable Windows Defender Security Monitoring

This analytic identifies attempts to disable Windows Defender real-time behavior monitoring via PowerShell commands using `Set-MpPreference`, commonly used by malware to evade detection and potentially leading to data exfiltration or system compromise.

This brief focuses on the abuse of PowerShell to disable Windows Defender's security monitoring features. Attackers, including malware such as Remote Access Trojans (RATs), bots, and Trojans, leverage this technique to evade detection and establish a persistent foothold within compromised systems. The activity is detected by monitoring for specific Set-MpPreference parameters within PowerShell command lines that disable real-time monitoring, archive scanning, and other key security features. This allows attackers to operate undetected, potentially leading to data exfiltration, further system compromise, or persistent access within the environment. The technique is described in the Atomic Red Team test T1562.001.

Attack Chain

  1. The attacker gains initial access to the system (potentially via phishing or exploiting a vulnerability).
  2. The attacker executes PowerShell with elevated privileges.
  3. PowerShell invokes the Set-MpPreference cmdlet to modify Windows Defender settings.
  4. Specific parameters like DisableRealtimeMonitoring, DisableBehaviorMonitoring, or DisableIOAVProtection are used with a value of $true or 1.
  5. Windows Defender's real-time monitoring and behavior analysis are disabled, reducing the system's defenses.
  6. The attacker deploys malware, such as a RAT, bot, or Trojan, to the compromised system.
  7. The malware operates without being detected by Windows Defender, performing actions like data exfiltration.
  8. The attacker maintains persistence on the system, potentially escalating privileges and moving laterally within the network.

Impact

A successful attack can lead to complete compromise of the targeted system. Disabling Windows Defender allows malware to operate freely, resulting in data exfiltration, ransomware deployment, or the establishment of a persistent backdoor. The incident could affect individual workstations as well as critical servers within the network. This could lead to financial losses, reputational damage, and regulatory penalties.

Recommendation

  • Deploy the Sigma rule Powershell Disable Security Monitoring via Set-MpPreference to detect PowerShell commands attempting to disable Windows Defender features (see rules section).
  • Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to provide necessary data for the detections.
  • Review and tune the powershell_disable_security_monitoring_filter macro to reduce false positives in your environment.
  • Investigate any alerts triggered by the Sigma rule, focusing on the Processes.parent_process and Processes.user to identify the source of the malicious activity.
  • Monitor endpoint processes for unusual PowerShell activity, specifically commands containing Set-MpPreference and related parameters.

Detection coverage 2

Powershell Disable Security Monitoring via Set-MpPreference

high

Detects PowerShell commands that attempt to disable Windows Defender's real-time monitoring features using Set-MpPreference.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, windows

Powershell Disable PUA Protection

medium

Detects PowerShell commands that attempt to disable Windows Defender's PUAProtection feature using Set-MpPreference.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →