Disabling Windows Defender Security Settings via PowerShell
This rule detects the use of the Set-MpPreference PowerShell command to disable or weaken Windows Defender settings, a common defense evasion tactic.
This detection identifies the execution of PowerShell commands using Set-MpPreference to disable or weaken Windows Defender settings. Attackers commonly employ this technique to impair defenses and evade detection. The rule focuses on commands that modify settings related to disabling real-time monitoring, disabling cloud-delivered protection, adding exclusions, or preventing sample submission. This activity is often a precursor to malware deployment or other malicious activities. Monitoring for this activity is important as threat actors frequently attempt to disable or weaken endpoint security tools to operate with less friction. This detection is relevant across various Windows environments where Windows Defender is utilized as a primary antivirus solution. The rule leverages endpoint, system, and Windows event logs, as well as data from Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike.
Attack Chain
- The attacker gains initial access to the system (e.g., via compromised credentials or exploiting a vulnerability).
- The attacker executes a PowerShell script, or directly enters PowerShell commands, using
powershell.exe,pwsh.exe, orpowershell_ise.exe. - The PowerShell command invokes
Set-MpPreferenceto modify Windows Defender settings. - Specific arguments are used with
Set-MpPreferenceto disable real-time monitoring (e.g.,-DisableRealtimeMonitoring $true). - Additional arguments might be used to disable cloud-delivered protection (e.g.,
-DisableCloudDeliveredProtection $true) or to configure exclusions. - The attacker may also disable sample submission with arguments such as
-SubmitSamplesConsent NeverSend. - With Windows Defender weakened or disabled, the attacker proceeds to deploy malware, execute malicious code, or perform other malicious activities.
- The attacker achieves their objective, such as data theft, ransomware deployment, or establishing persistence.
Impact
Successful execution of these commands results in a weakened security posture, making the system more vulnerable to malware and other attacks. A disabled or weakened Windows Defender allows malware to execute without interference, increasing the risk of data breach, system compromise, and other adverse outcomes. While the number of impacted systems can vary, any successful attempt to disable Windows Defender on even a single endpoint represents a significant risk. Organizations that rely on Windows Defender as a primary security control are particularly at risk.
Recommendation
- Enable Sysmon process creation logging to detect PowerShell execution with relevant command-line arguments, which will activate the rules below.
- Deploy the Sigma rules provided to detect the use of
Set-MpPreferencewith arguments to disable or weaken Windows Defender. - Investigate any alerts generated by the provided Sigma rules to determine whether the activity is authorized.
- Monitor for unexpected or unauthorized modifications to Windows Defender settings to prevent attackers from disabling security features.
Detection coverage 2
Detect PowerShell Disabling Windows Defender via Set-MpPreference
mediumDetects PowerShell commands using Set-MpPreference to disable Windows Defender features.
Detect PowerShell Setting Windows Defender Exclusion via Set-MpPreference
mediumDetects PowerShell commands using Set-MpPreference to set Windows Defender Exclusions.
Detection queries are available on the platform. Get full rules →