Detection of Windows Defender Tampering via PowerShell

Impair Defenses: Disable or Modify Tools (T1562.001)

Overview

The technique "Disable or Modify Tools" (T1562.001) under the broader category of "Impair Defenses" involves adversaries taking actions to disable or modify security tools and software on a target system. This can include antivirus software, endpoint detection and response (EDR) tools, firewalls, and other defensive mechanisms. By disabling or modifying these tools, adversaries can evade detection, prevent logging of their activities, and gain persistent access to the system.

Common Methods

  1. Service Disabling: Adversaries may stop or disable services associated with security tools. This can be done using commands like sc stop or net stop in Windows, or by modifying service configurations.

    • Example: sc stop WinDefend

  2. Registry Modifications: Changing registry keys can disable security software. For instance, modifying registry entries related to Windows Defender or other antivirus programs.

    • Example: Modifying the DisableAntiSpyware registry key to disable Windows Defender.

  3. File Deletion or Modification: Adversaries may delete or modify executable files, configuration files, or other components of security software to render them ineffective.

    • Example: Deleting the MsMpEng.exe file, which is the main executable for Windows Defender.

  4. Group Policy Modifications: Changing group policies can disable security features. For example, setting policies to disable Windows Defender or other security tools.

    • Example: Using gpedit.msc to disable Windows Defender via group policy.

  5. Task Scheduler Modifications: Adversaries may modify or delete scheduled tasks that are used to run security scans or updates.

    • Example: Deleting a scheduled task that runs a daily antivirus scan.


Checking Windows Defender Service Status

You can check the status of the Windows Defender service to ensure it is running properly.

Get-Service -Name "WinDefend"

Verifying Windows Defender Settings

You can use PowerShell to check the current settings of Windows Defender to ensure they have not been altered.

Get-MpPreference

Checking Windows Defender Signature Updates

Ensure that Windows Defender has the latest signature updates.

Get-MpComputerStatus | Select-Object AMServiceVersion, AntispywareSignatureVersion, AntivirusSignatureVersion

Checking Windows Defender Real-Time Protection Status

Verify that real-time protection is enabled.

Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled

Checking Windows Defender Event Logs

Review the Windows Defender event log for suspicious activity; event ID 5007 records a change to the antimalware platform configuration, so a burst of these events outside of normal administration is worth investigating.

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.Id -eq 5007 } | Format-Table -AutoSize

Checking Windows Defender Exclusions

List any exclusions that have been set in Windows Defender, which could indicate tampering.

Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionExtension, ExclusionProcess

Checking Windows Defender Scheduled Scans

Verify the scheduled scan settings to ensure they have not been altered.

Get-MpPreference | Select-Object -Property ScanParameters, ScanScheduleDay, ScanScheduleTime, ScanScheduleQuickScanTime

Checking Windows Defender Cloud Protection

Ensure that cloud protection is enabled.

Get-MpPreference | Select-Object -Property MAPSReporting, SubmitSamplesConsent
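The individual checks above combined into one function that returns only its findings, as an added example that is not part of the original page. It assumes the Defender PowerShell module (Get-MpComputerStatus / Get-MpPreference) is available in an elevated session; the Defender policy registry path HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender is a known location, while the 7-day signature-age threshold and the 24-hour event window are assumptions.

```powershell
# Added example, not from the original page. Assumes the Defender PowerShell module
# (Get-MpComputerStatus / Get-MpPreference) is present and that the script runs elevated.
function Test-DefenderTampering {
    [CmdletBinding()]
    param([int]$LookbackHours = 24)   # window for event ID 5007 review (assumed default)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
    }

    # 1. Service state and start type (covers sc stop / service configuration changes)
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) { Add-Finding 'Service' 'WinDefend service not found' }
    elseif ($svc.Status -ne 'Running') { Add-Finding 'Service' "WinDefend is $($svc.Status)" }
    if ($svc -and $svc.StartType -eq 'Disabled') { Add-Finding 'Service' 'WinDefend start type is Disabled' }

    # 2. Engine status: real-time protection, tamper protection, signature age (7-day threshold is an assumption)
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) { Add-Finding 'RealTime' 'Real-time protection is off' }
    if (-not $status.IsTamperProtected) { Add-Finding 'Tamper' 'Tamper protection is off' }
    if ($status.AntivirusSignatureAge -gt 7) { Add-Finding 'Signatures' "AV signatures are $($status.AntivirusSignatureAge) days old" }

    # 3. Preferences: cloud protection (MAPSReporting 0 = off, SubmitSamplesConsent 2 = never send) and exclusions
    $pref = Get-MpPreference
    if ($pref.MAPSReporting -eq 0) { Add-Finding 'Cloud' 'Cloud-delivered protection (MAPS) is disabled' }
    if ($pref.SubmitSamplesConsent -eq 2) { Add-Finding 'Cloud' 'Sample submission is set to Never' }
    foreach ($p in $pref.ExclusionPath) { Add-Finding 'Exclusion' "Path: $p" }
    foreach ($e in $pref.ExclusionExtension) { Add-Finding 'Exclusion' "Extension: $e" }
    foreach ($x in $pref.ExclusionProcess) { Add-Finding 'Exclusion' "Process: $x" }

    # 4. Policy registry values that disable Defender (set via GPO or direct registry edits)
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableAntiSpyware -eq 1) { Add-Finding 'Registry' "DisableAntiSpyware=1 under $polKey" }
    $rtp = Get-ItemProperty -Path "$polKey\Real-Time Protection" -ErrorAction SilentlyContinue
    if ($rtp -and $rtp.DisableRealtimeMonitoring -eq 1) { Add-Finding 'Registry' 'DisableRealtimeMonitoring=1 set by policy' }

    # 5. Recent configuration-change events (ID 5007) in the Defender operational log
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
        StartTime = (Get-Date).AddHours(-$LookbackHours) } -ErrorAction SilentlyContinue
    foreach ($ev in $events) { Add-Finding 'Event5007' (($ev.Message -split "`n")[0]) }

    return $findings
}

# Usage: an empty result means none of the checks flagged anything.
Test-DefenderTampering | Format-Table -AutoSize
```

Each finding carries the check that produced it, so the output can be written to a SIEM or compared against a known-good baseline host rather than read by hand.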

