Note: You are viewing an old, archived version of this content. The latest version is available in the 'main' branch.
ID: T1562-WIN-001
Last Modified: 12/03/2021
Author: FalconForce
License: BSD 3-Clause License
References: Link to medium post
Tactic: Defense Evasion
Technique: Impair Defenses: Disable or Modify Tools (T1562.001)
Some attackers disabled the local security solution installed of their victim in order to get their implant to work. Although more sophisticated attackers usually avoid such actions, it still happens a lot in the wild. This detection is aimed at finding sloppy attackers that disable Defender AV using a few very common ways. This detection is aimed to be a early indicator of malicious activity.
Administrator
The detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed
by @olafhartong on a large sample of malware for varying purposes. Note that this detection is imperfect and only meant to serve as basis to build a more resilient detection rule. See the Improvements
section below on which improvements we recommend you to implement.
Event ID | Event Name | Log Provider | ATT&CK Data Source |
---|---|---|---|
- | DeviceProcessEvents | MDE | Process monitoring |
FP Rate: Low
Source: MDE
Description: See above
Query:
let defendertampering=dynamic(["Set-MpPreference -DisableRealtimeMonitoring $true","sc stop WinDefend","sc delete WinDefend","Set-MpPreference -DisableBehaviorMonitoring $true","Set-MpPreference -ExclusionProcess", "Set-MpPreference -ExclusionExtension dll","net stop security center"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (defendertampering)
// If you have a lot of FPs coming from JetBrains, you can use the line below
//| where InitiatingProcessFolderPath !startswith @"c:\program files\jetbrains\" and InitiatingProcessVersionInfoProductName !~ ("Android Studio")
- Some software behaves weirdly, we've at least identified that JetBrains and Android Studio are behaving oddly. Not sure why, yet. Perhaps I should stop using JetBrains?
- Make the detection more resilient, currently the order of parameters matters. You don't want that for a production rule. See blogpost for more resilience considerations.
- The current approach can easily be bypassed by not using the
powershell.exe
executable. Consider adding more ways to detect this behavior.
- So far, we've only observed JetBrains software and Android Studio.
- Usage of
System.Management.Automation.dll
for running powershell - Modifying registry keys directly, without using powershell/cmd.
- Use of Win32 APIs to manipulate the services and setting of Defender AV.