refactor: PowerShell Defender modifications

rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml

@@ -24,10 +24,11 @@ detection:
             - DisableBehaviorMonitoring
             - DisableScriptScanning
             - DisableBlockAtFirstSeen
+            - DisableIOAVProtection
     condition: selection
 falsepositives:
     - Legitimate PowerShell scripts
-level: medium
+level: high
 tags:
     - attack.defense_evasion
     - attack.t1562.001

rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml

@@ -0,0 +1,46 @@
+title: Powershell Defender Disable Scan Feature
+id: 1ec65a5f-9473-4f12-97da-622044d6df21
+status: experimental
+description: Detects requests to disable Microsoft Defender features using PowerShell commands
+references:
+    - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
+    - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
+    - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+author: Florian Roth
+date: 2022/03/03
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        CommandLine|contains: 
+            - 'Add-MpPreference '
+            - 'Set-MpPreference '
+    selection2:
+        CommandLine|contains:
+            - 'DisableRealtimeMonitoring '
+            - 'DisableIOAVProtection '
+            - 'DisableBehaviorMonitoring '
+            - 'DisableBlockAtFirstSeen '
+    selection3:
+        CommandLine|contains:
+            - '$true'
+            - ' 1 '
+    encoded_command:
+        CommandLine|base64offset|contains:
+            - 'DisableRealtimeMonitoring '
+            - 'DisableIOAVProtection '
+            - 'DisableBehaviorMonitoring '
+            - 'DisableBlockAtFirstSeen '
+            - 'disablerealtimemonitoring '
+            - 'disableioavprotection '
+            - 'disablebehaviormonitoring '
+            - 'disableblockatfirstseen '
+    condition: all of selection* or encoded_command
+falsepositives:
+    - Possible Admin Activity
+    - Other Cmdlets that may use the same parameters
+level: high

rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml

@@ -11,7 +11,7 @@ tags:
     - attack.t1562.001
 author: Florian Roth
 date: 2021/04/29
-modified: 2022/01/19
+modified: 2022/03/03
 logsource:
     category: process_creation
     product: windows
@@ -26,10 +26,11 @@ detection:
             - ' -ExclusionExtension '
             - ' -ExclusionProcess '
     selection_encoded:
-        CommandLine|contains:
-            - 'QWRkLU1wUHJlZmVyZW5jZ'
-            - 'FkZC1NcFByZWZlcmVuY2'
-            - 'BZGQtTXBQcmVmZXJlbmNl'
+        CommandLine|base64offset|contains:
+            - 'Add-MpPreference '
+            - 'Set-MpPreference '
+            - 'add-mppreference '
+            - 'set-mppreference '
     condition: ( selection1 and selection2 ) or selection_encoded
 falsepositives:
     - Possible Admin Activity