Detection rules › Splunk
Windows Defender Disabled Detection (PowerShell)
An attacker could disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software, real-time monitoring or Windows Defender Service
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562.001 Impair Defenses: Disable or Modify Tools |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '1044.1070'
title: Windows Defender Disabled Detection
description: 'An attacker could disable security tools to avoid possible detection
of their tools and activities. This can take the form of killing security software,
real-time monitoring or Windows Defender Service. -- Threat Actor Association: FIN6,
FIN11, Magic Hound (aka APT35, Charming Kitten, Phosphorus, and Mint Sandstorm),
Vice Society, Wizard Spider -- Software Association: Bazarloader, BianLian, Blackbyte,
Black Basta, Clop, Conti, DirtyMoe, Lockbit, Sodinokibi/REvil, Vice Society, WhisperGates
-- #TrendingThreat #Russia #Ukraine - Atomics T1588.002 Test #1'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` TERM(EventCode=4104) AND
((TERM(-DisableRealtimeMonitoring) OR TERM(-drtm)) AND TERM(true)) OR ((TERM(REG)
OR "reg.exe") TERM(ADD) "windows defender" TERM(DisableAntiSpyware) "/d 1") OR ((TERM(sc)
OR TERM(net) OR TERM(net1) OR "sc.exe" OR "net.exe" OR TERM(Stop-Service)) TERM(windows)
TERM(defender)) | table _time, host, user process, process_*, singature_id | bin
span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:impair defenses:disable or modify tools
technique_id:
- T1562.001
data_category:
- PowerShell logs
- Process command-line parameters
references:
- https://github.com/swagkarna/Defeat-Defender
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` TERM(EventCode=4104) AND ((TERM(-DisableRealtimeMonitoring) OR TERM(-drtm)) AND TERM(true)) OR ((TERM(REG) OR "reg.exe") TERM(ADD) "windows defender" TERM(DisableAntiSpyware) "/d 1") OR ((TERM(sc) OR TERM(net) OR TERM(net1) OR "sc.exe" OR "net.exe" OR TERM(Stop-Service)) TERM(windows) TERM(defender))
Stage 2: table
| table _time, host, user process, process_*, singature_id
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "-DisableRealtimeMonitoring" |
| 1 | "-drtm" |
| 1 | TERM |
| 1 | true |
| 1 | TERM |
| 1 | REG |
| 1 | "reg.exe" |
| 1 | TERM |
| 1 | ADD |
| 1 | "windows defender" |
| 1 | TERM |
| 1 | DisableAntiSpyware |
| 1 | "/d 1" |
| 1 | TERM |
| 1 | sc |
| 1 | TERM |
| 1 | net |
| 1 | TERM |
| 1 | net1 |
| 1 | "sc.exe" |
| 1 | "net.exe" |
| 1 | "Stop-Service" |
| 1 | TERM |
| 1 | windows |
| 1 | TERM |
| 1 | defender |