T1562.001 Impair Defenses Disable or Modify Tools Defender Disabling or Exclusions
T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Disabling or Exclusions¶
DESCRIPTION¶
This query detects attempts to disable defender or it detects attempts to add exclusions.
Example:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\’
Related
Malware, Ransomware
Reference:
https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml#L24
ATT&CK TACTICS¶
T1562.001 - Impair Defenses: Disable or Modify Tools
Data Source(s): Command
SENTINEL RULE QUERY¶
let selection_1 = dynamic(['Set-MpPreference ', 'Add-MpPreference ']);
let selection_2 = dynamic([' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ']);
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine has_any (selection_1) and ProcessCommandLine has_any (selection_2)
| where InitiatingProcessFileName <> "JetBrains.Rider.AfterInstall.exe" and InitiatingProcessVersionInfoCompanyName <> "JetBrains" //Exclude JetBrains auto-exclusion
//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine
Triage¶
- Inspect if the activities were expected and approved. It may be performed by an admin or part of service installation
- Validate the initiating process, and location of the executables.
FalsePositive¶
- Jetbrains excluding itself from Defender during installation process.
VERSION¶
Version 2.0 (date: 08/02/2024)