forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_posh_defender_tampering.toml
104 lines (88 loc) · 3.24 KB
/
defense_evasion_posh_defender_tampering.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
[metadata]
bypass_bbr_timing = true
creation_date = "2024/09/11"
integration = ["windows"]
maturity = "production"
updated_date = "2025/01/13"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender
features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Windows Defender Tampering Capabilities"
risk_score = 21
rule_id = "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6"
setup = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category: "process" and host.os.type:windows and
(
powershell.file.script_block_text: "Set-MpPreference" and
powershell.file.script_block_text: (
DisableArchiveScanning or DisableBehaviorMonitoring or
DisableIntrusionPreventionSystem or DisableIOAVProtection or
DisableRemovableDriveScanning or DisableBlockAtFirstSeen or
DisableScanningMappedNetworkDrivesForFullScan or
DisableScanningNetworkFiles or DisableScriptScanning or
DisableRealtimeMonitoring or LowThreatDefaultAction or
ModerateThreatDefaultAction or HighThreatDefaultAction
)
) and
not powershell.file.script_block_text : (
("cmdletization" and "cdxml-Help.xml") or
("function Set-MpPreference" and "Microsoft.PowerShell.Cmdletization.GeneratedTypes.MpPreference.SubmitSamplesConsentType")
) and
not file.directory : "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\SenseCM"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"