detection.wiki

Detection rules › Sigma

Disable Windows Defender AV Security Monitoring

Severity
high
Author
ok @securonix invrep-de, oscd.community, frack113
Source
upstream

Detects attackers attempting to disable Windows Defender using Powershell

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_pwsh_binary

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll

Stage 2: all of selection_pwsh_cli

or:
CommandLine|contains: '-DisableBehaviorMonitoring $true'
CommandLine|contains: '-DisableRuntimeMonitoring $true'

Stage 3: selection_sc_binary

or:
Image|endswith: '\sc.exe'
OriginalFileName: sc.exe

Stage 4: 1 of selection_sc_tamper_cmd_stop

CommandLine|contains: WinDefend
CommandLine|contains: stop

Stage 5: 1 of selection_sc_tamper_cmd_delete

CommandLine|contains: WinDefend
CommandLine|contains: delete

Stage 6: 1 of selection_sc_tamper_cmd_disabled

CommandLine|contains: WinDefend
CommandLine|contains: config
CommandLine|contains: 'start=disabled'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -DisableBehaviorMonitoring $true
  • -DisableRuntimeMonitoring $true
  • WinDefend corpus 2 (sigma 2)
  • config corpus 8 (sigma 8)
  • delete corpus 7 (sigma 7)
  • start=disabled corpus 2 (sigma 2)
  • stop
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
  • \sc.exe corpus 17 (sigma 17)
OriginalFileNameeq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)
  • sc.exe corpus 10 (sigma 10)