TTP Detection Rule: Abusing PowerShell to disable Defender components
Ttp T1562 001 Disabledefender
Query
//Detection opportunity 3: Abusing PowerShell to disable Defender components
DeviceProcessEvents
| where FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Add-MpPreference","Set-MpPreference") and ProcessCommandLine has_any ("ExclusionProcess","ExclusionPath")About this query
Explanation
This query is designed to detect potential security threats by identifying instances where PowerShell is used to modify Windows Defender settings. Specifically, it looks for processes where PowerShell is executed with commands that add or set preferences related to excluding certain files or processes from being scanned by Windows Defender. This behavior is often associated with malicious actors trying to disable or bypass security measures to avoid detection of their malware or unauthorized activities. The query is relevant for detecting threats from groups like FIN7, ZLoader, and FakeBat, which have been known to use such techniques.
