Detect Attempts to Modify or Disable Defender from the Command Line (CM0095)

In Playbook

Details

  • ID: CM0095
  • Version: 1.0
  • Created: 14 March 2025
  • Modified: 14 March 2025
  • Type: Examine
  • Status: Active

Intended Outcome

Detecting attempts to abuse command line utilities to modify or disable Windows Defender alerts responders to attempts to evade defenses.

Introduction

Adversaries modify or disable security tools to evade detection and impede response. PowerShell and CMD can be used to disable or modify firewalls, antivirus solutions, and logging.

Preparation

  • Ensure Tamper protection is enabled for Microsoft Defender. Tamper protection prevents settings from being modified or disabled. Tamper Protection does not prevent an adversary from creating exclusions to prevent Microsoft Defender from scanning specific files or directories.
  • Ensure comprehensive endpoint detection and response. Logs should be aggregated and processed in a centralized location to enable analysis and response efforts.

Risks

No Risks content identified.

Guidance

Monitor process creation, specifically PowerShell and CMD. If possible, consider monitoring for instances in which the processes of security utilities are terminated. File creation can also indicate attempts to modify the configuration files of security tools.
  • Modify (Add Exclusions)
    • Monitor the PowerShell and CMD processes.
    • Monitor the command line for the Add-MpPreference cmdlet and the following file extensions (.exe, .dll, .vbs, .zip, .bat, .ps1).
  • Disable Defender
    • Monitor the PowerShell and CMD processes.
    • Monitor the command line for the Set-MpPreference cmdlet and the MpCmdRun utility and the following parameters (disablerealtimemonitoring, disableioavprotection, disablebehaviormonitoring, disableintrusionpreventionsystem, exclusionprocess, disablescriptscanning).

References

  • ID: CM0095
  • Version: 1.0
  • Created: 13 March 2025
  • Modified: 13 March 2025
  • Type: Examine