PowerShell Disable Security Monitoring

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This rule monitors the execution of PowerShell commands known to disable security functionalities. Malicious actors might use PowerShell scripts to tamper with antivirus, endpoint detection, or other security tools. By identifying these specific PowerShell commands, the rule helps flag potential efforts to weaken a system's defenses and create vulnerabilities for further attacks.

Data source

Windows: Application logs, process, script

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0006 - Credential Access, TA0002 - Execution

Techniques: T1003 - OS Credential Dumping, T1059 - Command and Scripting Interpreter

Sub-techniques: T1059.001 - Command and Scripting Interpreter: PowerShell

Criteria:

  • COMMANDLINE CONTAINS "set-mppreference": This part looks for events where the command line contains "set-mppreference". This cmdlet is often used to modify Microsoft Defender settings.
  • AND COMMANDLINE CONTAINS (...): This section uses a logical OR operator (-or) to check for either of two keywords within the command line:
      • "disablerealtimemonitoring": This searches for commands containing "disablerealtimemonitoring", which could indicate disabling real-time protection.
      • "disableioavprotection": Similar to the above, this searches for commands disabling I/O Antivirus protection.
  • AND PROCESSNAME ENDSWITH (...): This part ensures the events originate from specific processes likely used for scripting:
      • pwsh.exe: PowerShell executable.
      • sqlps.exe, sqltoolsps.exe: SQL Server PowerShell hosts.
      • powershell.exe, powershell_ise.exe: Additional PowerShell executables.
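The three criteria above combine as one predicate over a process-creation event. The following is an added reference implementation (not the product's own rule engine) run over constructed Sysmon-style events; the ProcessEvent fields and the sample command lines are assumptions made for the example.

```python
"""Reference implementation of the rule's criteria over constructed Sysmon Event ID 1 records."""
from dataclasses import dataclass

# Keyword sets copied from the rule's criteria.
PRIMARY_KEYWORD = "set-mppreference"
TAMPER_KEYWORDS = ("disablerealtimemonitoring", "disableioavprotection")
SCRIPT_HOSTS = ("pwsh.exe", "sqlps.exe", "sqltoolsps.exe", "powershell.exe", "powershell_ise.exe")


@dataclass
class ProcessEvent:
    """Subset of Sysmon ProcessCreate fields the rule consumes (assumed field names)."""
    image: str          # full path of the created process (PROCESSNAME)
    command_line: str   # the process command line (COMMANDLINE)


def matches_rule(event: ProcessEvent) -> bool:
    """CONTAINS / ENDSWITH checks exactly as the criteria describe them."""
    # Cmdlet and parameter names are case-insensitive in PowerShell, so normalise
    # before matching; otherwise "Set-MpPreference" would slip past "set-mppreference".
    cmd = event.command_line.lower()
    proc = event.image.lower()
    return (PRIMARY_KEYWORD in cmd
            and any(keyword in cmd for keyword in TAMPER_KEYWORDS)
            and proc.endswith(SCRIPT_HOSTS))


def triage(events):
    """Return the events that trigger the rule, in log order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoP -C "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -Command Set-MpPreference -DisableIOAVProtection 1"),
    # Benign: changes a Defender setting but touches neither monitored switch.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -Command Set-MpPreference -ScanScheduleDay Saturday"),
    # Benign: keyword appears only as a search string, and the host is not a script interpreter.
    ProcessEvent(r"C:\Windows\System32\findstr.exe",
                 'findstr /i "DisableRealtimeMonitoring" audit.log'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit.image, "|", hit.command_line)
```

Only the first two sample events satisfy all three criteria; the last two show why the AND between the keyword checks and the process-name check keeps the rule from firing on ordinary Defender configuration or log searches.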

When to enable this rule:

Enable this rule when the user wants to identify attempts to disable security software.

Compliance mapping (NIST, CIS):

  • NIST CSF DE.AE (Detection Processes) to detect attempts to disable security monitoring through PowerShell.
  • CIS Control 8 (Malware Defense) to prevent execution of scripts aimed at undermining security defenses.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.