Query Details

TTP Detection Rule: Abusing PowerShell to disable Defender components

Ttp T1562 001 Disabledefender

Query

//Detection opportunity 3: Abusing PowerShell to disable Defender components
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Add-MpPreference","Set-MpPreference") and ProcessCommandLine has_any ("ExclusionProcess","ExclusionPath")

About this query

Explanation

This query is designed to detect potential security threats by identifying instances where PowerShell is used to modify Windows Defender settings. Specifically, it looks for processes where PowerShell is executed with commands that add or set preferences related to excluding certain files or processes from being scanned by Windows Defender. This behavior is often associated with malicious actors trying to disable or bypass security measures to avoid detection of their malware or unauthorized activities. The query is relevant for detecting threats from groups like FIN7, ZLoader, and FakeBat, which have been known to use such techniques.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsPowerShellDefenderComponents

Operators

|where=~andhas_any

MITRE Techniques

Actions

GitHub