From b3b5b2cbdd1bdda3385f068c1dff78216773f2cd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 3 Mar 2022 13:53:06 +0100
Subject: [PATCH] refactor: PowerShell Defender modifications
---
 .../posh_ps_tamper_defender.yml | 3 +-
 ...in_powershell_defender_disable_feature.yml | 46 +++++++++++++++++++
 ...tion_win_powershell_defender_exclusion.yml | 11 +++--
 3 files changed, 54 insertions(+), 6 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index 170af32d9..e38c1b28b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -24,10 +24,11 @@ detection:
 - DisableBehaviorMonitoring
 - DisableScriptScanning
 - DisableBlockAtFirstSeen
+ - DisableIOAVProtection
 condition: selection
 falsepositives:
 - Legitimate PowerShell scripts
-level: medium
+level: high
 tags:
 - attack.defense_evasion
 - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
new file mode 100644
index 000000000..f3b4297b9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml
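Review bot: The `modified` date of this rule is not updated although its detection list and level change; the diffstat (`3 +-`, two insertions and one deletion) shows that nothing else in the file moved, while proc_creation_win_powershell_defender_exclusion.yml in the same commit does bump `modified` to 2022/03/03. The same `modified: 2022/03/03` should be set here (added after `date` if the file has no such field yet). Raising the level to high while keeping the generic `Legitimate PowerShell scripts` false-positive entry deserves a short justification in the rule, because if this list is a plain contains match on parameter names, a hardening script that sets `DisableScriptScanning` to `$false` is also hit. The `detection` block holding this list starts before the hunk, so the selection's field and modifier are not visible here.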
@@ -0,0 +1,46 @@
+title: Powershell Defender Disable Scan Feature
+id: 1ec65a5f-9473-4f12-97da-622044d6df21
+status: experimental
+description: Detects requests to disable Microsoft Defender features using PowerShell commands
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
+ - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
+ - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+author: Florian Roth
+date: 2022/03/03
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains:
+ - 'Add-MpPreference '
+ - 'Set-MpPreference '
+ selection2:
+ CommandLine|contains:
+ - 'DisableRealtimeMonitoring '
+ - 'DisableIOAVProtection '
+ - 'DisableBehaviorMonitoring '
+ - 'DisableBlockAtFirstSeen '
+ selection3:
+ CommandLine|contains:
+ - '$true'
+ - ' 1 '
+ encoded_command:
+ CommandLine|base64offset|contains:
+ - 'DisableRealtimeMonitoring '
+ - 'DisableIOAVProtection '
+ - 'DisableBehaviorMonitoring '
+ - 'DisableBlockAtFirstSeen '
+ - 'disablerealtimemonitoring '
+ - 'disableioavprotection '
+ - 'disablebehaviormonitoring '
+ - 'disableblockatfirstseen '
+ condition: all of selection* or encoded_command
+falsepositives:
+ - Possible Admin Activity
+ - Other Cmdlets that may use the same parameters
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
index a4878832d..14abd0e66 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
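Review bot: `encoded_command` stands alone in `condition: all of selection* or encoded_command`, so an encoded command line that merely contains one of the `Disable*` parameter names fires regardless of cmdlet or value, whereas the plain-text path also requires the cmdlet (`selection1`) and a true value (`selection3`); an encoded hardening script that sets `-DisableRealtimeMonitoring $false` therefore triggers the rule. A second `base64offset` selection holding `Add-MpPreference ` / `Set-MpPreference ` in both cases, as `selection_encoded` in proc_creation_win_powershell_defender_exclusion.yml does, combined as `(encoded_cmdlet and encoded_command)`, would restore at least the cmdlet constraint. `selection2` omits `DisableScriptScanning`, which posh_ps_tamper_defender.yml in this same commit matches; if that is intentional it is worth a one-line comment. The `base64offset` strings are encoded as single-byte text; if this branch is meant to cover `-EncodedCommand` payloads, which PowerShell decodes as UTF-16LE, the `wide` encoding modifier is needed (`CommandLine|wide|base64offset|contains:`), and the same applies to `selection_encoded` in the exclusion rule.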
@@ -11,7 +11,7 @@ tags:
 - attack.t1562.001
 author: Florian Roth
 date: 2021/04/29
-modified: 2022/01/19
+modified: 2022/03/03
 logsource:
 category: process_creation
 product: windows
@@ -26,10 +26,11 @@ detection:
 - ' -ExclusionExtension '
 - ' -ExclusionProcess '
 selection_encoded:
- CommandLine|contains:
- - 'QWRkLU1wUHJlZmVyZW5jZ'
- - 'FkZC1NcFByZWZlcmVuY2'
- - 'BZGQtTXBQcmVmZXJlbmNl'
+ CommandLine|base64offset|contains:
+ - 'Add-MpPreference '
+ - 'Set-MpPreference '
+ - 'add-mppreference '
+ - 'set-mppreference '
 condition: ( selection1 and selection2 ) or selection_encoded
 falsepositives:
 - Possible Admin Activity
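Review bot: `selection_encoded` still carries no parameter constraint, and switching it to `base64offset` over `Add-MpPreference ` / `Set-MpPreference ` in both cases widens it further, so any encoded command line that calls either cmdlet satisfies `( selection1 and selection2 ) or selection_encoded` even when no `-Exclusion*` parameter is present; an encoded `Set-MpPreference -DisableRealtimeMonitoring $true` now fires this exclusion rule as well as the new disable_feature rule. A companion encoded selection over the parameter names of `selection2` (with lowercase variants, as done for the cmdlet names) and a condition requiring both would keep the encoded branch as specific as the plain-text one. `selection2` starts before this hunk, so only its last two entries are visible here; the remaining parameter names should be carried over from it.
```yaml
    # … unchanged: selection_encoded (base64offset cmdlet names) …
    selection_encoded_param:
        CommandLine|base64offset|contains:
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            # … remaining selection2 parameter names, plus lowercase variants …
    condition: ( selection1 and selection2 ) or ( selection_encoded and selection_encoded_param )
```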