kqlElastic-2.0from elastic/detection-rules
PowerShell Script with Windows Defender Tampering Capabilities
Quality
92
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/defense_evasion_posh_defender_tampering.toml
event.category: "process" and host.os.type:windows and
(
powershell.file.script_block_text: "Set-MpPreference" and
powershell.file.script_block_text: (
DisableArchiveScanning or DisableBehaviorMonitoring or
DisableIntrusionPreventionSystem or DisableIOAVProtection or
DisableRemovableDriveScanning or DisableBlockAtFirstSeen or
DisableScanningMappedNetworkDrivesForFullScan or
DisableScanningNetworkFiles or DisableScriptScanning or
DisableRealtimeMonitoring or LowThreatDefaultAction or
ModerateThreatDefaultAction or HighThreatDefaultAction
)
) and
not powershell.file.script_block_text : (
("cmdletization" and "cdxml-Help.xml") or
("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
) and
not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM" and
not user.id : "S-1-5-18"