Detection rules › Sigma
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 600 |
Stages and Predicates
Stage 1: selection_set_mppreference
Data|contains: Set-MpPreference
Stage 2: 1 of selection_options_bool_allow
or:
Data|contains: '-DisableArchiveScanning $true'
Data|contains: '-DisableArchiveScanning 1'
Data|contains: '-DisableBehaviorMonitoring $true'
Data|contains: '-DisableBehaviorMonitoring 1'
Data|contains: '-DisableBlockAtFirstSeen $true'
Data|contains: '-DisableBlockAtFirstSeen 1'
Data|contains: '-DisableCatchupFullScan $true'
Data|contains: '-DisableCatchupFullScan 1'
Data|contains: '-DisableCatchupQuickScan $true'
Data|contains: '-DisableCatchupQuickScan 1'
Data|contains: '-DisableIOAVProtection $true'
Data|contains: '-DisableIOAVProtection 1'
Data|contains: '-DisableIntrusionPreventionSystem $true'
Data|contains: '-DisableIntrusionPreventionSystem 1'
Data|contains: '-DisableRealtimeMonitoring $true'
Data|contains: '-DisableRealtimeMonitoring 1'
Data|contains: '-DisableRemovableDriveScanning $true'
Data|contains: '-DisableRemovableDriveScanning 1'
Data|contains: '-DisableScanningMappedNetworkDrivesForFullScan $true'
Data|contains: '-DisableScanningMappedNetworkDrivesForFullScan 1'
Data|contains: '-DisableScanningNetworkFiles $true'
Data|contains: '-DisableScanningNetworkFiles 1'
Data|contains: '-DisableScriptScanning $true'
Data|contains: '-DisableScriptScanning 1'
Data|contains: '-MAPSReporting $false'
Data|contains: '-MAPSReporting 0'
Data|contains: '-dbaf $true'
Data|contains: '-dbaf 1'
Data|contains: '-dbm $true'
Data|contains: '-dbm 1'
Data|contains: '-dips $true'
Data|contains: '-dips 1'
Data|contains: '-drdsc $true'
Data|contains: '-drdsc 1'
Data|contains: '-drtm $true'
Data|contains: '-drtm 1'
Data|contains: '-dscrptsc $true'
Data|contains: '-dscrptsc 1'
Data|contains: '-dsmndf $true'
Data|contains: '-dsmndf 1'
Data|contains: '-dsnf $true'
Data|contains: '-dsnf 1'
Data|contains: '-dss $true'
Data|contains: '-dss 1'
Stage 3: 1 of selection_options_actions_func
or:
Data|contains: 'HighThreatDefaultAction Allow'
Data|contains: 'LowThreatDefaultAction Allow'
Data|contains: 'ModerateThreatDefaultAction Allow'
Data|contains: 'SevereThreatDefaultAction Allow'
Data|contains: 'htdefac Allow'
Data|contains: 'ltdefac Allow'
Data|contains: 'mtdefac Allow'
Data|contains: 'stdefac Allow'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Data | match |
|