T1562.001 Impair Defenses Disable or Modify Tools Defender Disabling or Exclusions

T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions

DESCRIPTION

This query detects attempts to disable defender or it detects attempts to add exclusions.

Example:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\’

Related

Malware, Ransomware

Reference:

https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml#L24

ATT&CK TACTICS

T1562.001 - Impair Defenses: Disable or Modify Tools

Data Source(s): Command

SENTINEL RULE QUERY

let selection_1 = dynamic(['Set-MpPreference ', 'Add-MpPreference ']);
let selection_2 = dynamic([' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any (selection_1) and ProcessCommandLine has_any (selection_2)
| where InitiatingProcessFileName <> "JetBrains.Rider.AfterInstall.exe" and InitiatingProcessVersionInfoCompanyName <> "JetBrains" //Exclude JetBrains auto-exclusion
//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine 

Triage

1. Inspect if the activities were expected and approved. It may be performed by an admin or part of service installation
2. Validate the initiating process, and location of the executables.

FalsePositive

1. Jetbrains excluding itself from Defender during installation process.

VERSION

Version 2.0 (date: 08/02/2024)