Skip to content
Threat Feed
medium advisory

Disabling Windows Defender Security Settings via PowerShell

This rule detects the use of the Set-MpPreference PowerShell command to disable or weaken Windows Defender settings, a common defense evasion tactic.

This detection identifies the execution of PowerShell commands using Set-MpPreference to disable or weaken Windows Defender settings. Attackers commonly employ this technique to impair defenses and evade detection. The rule focuses on commands that modify settings related to disabling real-time monitoring, disabling cloud-delivered protection, adding exclusions, or preventing sample submission. This activity is often a precursor to malware deployment or other malicious activities. Monitoring for this activity is important as threat actors frequently attempt to disable or weaken endpoint security tools to operate with less friction. This detection is relevant across various Windows environments where Windows Defender is utilized as a primary antivirus solution. The rule leverages endpoint, system, and Windows event logs, as well as data from Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike.

Attack Chain

  1. The attacker gains initial access to the system (e.g., via compromised credentials or exploiting a vulnerability).
  2. The attacker executes a PowerShell script, or directly enters PowerShell commands, using powershell.exe, pwsh.exe, or powershell_ise.exe.
  3. The PowerShell command invokes Set-MpPreference to modify Windows Defender settings.
  4. Specific arguments are used with Set-MpPreference to disable real-time monitoring (e.g., -DisableRealtimeMonitoring $true).
  5. Additional arguments might be used to disable cloud-delivered protection (e.g., -DisableCloudDeliveredProtection $true) or to configure exclusions.
  6. The attacker may also disable sample submission with arguments such as -SubmitSamplesConsent NeverSend.
  7. With Windows Defender weakened or disabled, the attacker proceeds to deploy malware, execute malicious code, or perform other malicious activities.
  8. The attacker achieves their objective, such as data theft, ransomware deployment, or establishing persistence.

Impact

Successful execution of these commands results in a weakened security posture, making the system more vulnerable to malware and other attacks. A disabled or weakened Windows Defender allows malware to execute without interference, increasing the risk of data breach, system compromise, and other adverse outcomes. While the number of impacted systems can vary, any successful attempt to disable Windows Defender on even a single endpoint represents a significant risk. Organizations that rely on Windows Defender as a primary security control are particularly at risk.

Recommendation

  • Enable Sysmon process creation logging to detect PowerShell execution with relevant command-line arguments, which will activate the rules below.
  • Deploy the Sigma rules provided to detect the use of Set-MpPreference with arguments to disable or weaken Windows Defender.
  • Investigate any alerts generated by the provided Sigma rules to determine whether the activity is authorized.
  • Monitor for unexpected or unauthorized modifications to Windows Defender settings to prevent attackers from disabling security features.

Detection coverage 2

Detect PowerShell Disabling Windows Defender via Set-MpPreference

medium

Detects PowerShell commands using Set-MpPreference to disable Windows Defender features.

sigma tactics: defense_evasion, execution techniques: T1059.001, T1562.001 sources: process_creation, windows

Detect PowerShell Setting Windows Defender Exclusion via Set-MpPreference

medium

Detects PowerShell commands using Set-MpPreference to set Windows Defender Exclusions.

sigma tactics: defense_evasion, execution techniques: T1059.001, T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →