Today’s blog is based on Olaf Hartong’s recent research on malware behavior at scale. In this edition, we’ll look at how malware tampers with the local Windows Defender AV and how you can detect it.
TL;DR for blue teams: You can use this rule as an early indicator of a potential compromise. At the very least, someone is weakening your defenses.
TL;DR for red teams: Avoid using the PowerShell APIs for disabling the Defender AV.
Disabling anti-virus solutions can be leveraged as an early indicator of compromise. Although top-tier attackers will usually stay away from messing with your Defender AV settings, as it's fairly noisy, the tier below might resort to this. Based on my own experience, bypassing AV/EDR solutions has become a very labor-intensive effort. And although there are, and always will be, enough ways to pull it off, an attacker with a lower budget might not be willing to invest in it.
Hence, this week's detection rule is fairly straightforward, but at the same time very accurate. We're looking for machines where someone is trying to disable Defender AV. The query captures the most common ways to do it, which are:
```
Set-MpPreference -DisableRealtimeMonitoring $true
sc stop WinDefend
sc delete WinDefend
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -ExclusionProcess
Set-MpPreference -ExclusionExtension dll
Set-MpPreference -ExclusionExtension exe
net stop security center
```
Improvements and caveats
This rule is very rough and doesn't deal with many exceptions and bypasses. So, as usual, we recommend using this rule as a basis for an improved version in your production environment. The improvements that are still required are:
- Tuning the rule to get rid of obvious false positives. I've observed that software from JetBrains and Android Studio messes around with Defender AV settings. I haven't yet gone down the rabbit hole of why that is…
- The rule isn't very resilient as it is now. It can easily be bypassed by replacing `$true` with another value that evaluates to true. The integer `1` would be an obvious candidate, but there are literally infinitely many more options. One way to fix this is to look for all `Set-MpPreference` commands which have a `-Disable*` flag and filter out `-Disable* $false` as false positives.
- Messing around with the order of the parameters also allows easy bypasses, so we suggest improving that as well. To do so, you want to use the `parse_command_line()` function in Kusto to extract the arguments properly. This allows you to check whether the desired command line options are used anywhere in the command line.
- Be aware that the query only catches the use of powershell.exe command lines. An attacker can easily bypass this by using `System.Management.Automation.dll`, by directly modifying registry keys, or by disabling Defender AV with clever usage of Win32 APIs. Use of `System.Management.Automation.dll` can easily be detected in Defender for Endpoint by looking in the `DeviceEvents` table for the ActionType `PowerShellCommand`. Modification of registry keys can be detected using the `DeviceRegistryEvents` table. Usage of the Win32 APIs might be a bit more challenging to catch, depending on which APIs are used, obviously.
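As an added example (not the FalconForce rule from this post, which is not reproduced here), the following KQL query against Defender for Endpoint's `DeviceProcessEvents` table applies the improvements above: it tokenises the command line with `parse_command_line()`, matches any `-Disable*` or `-Exclusion*` switch regardless of its position or `-Flag:$value` spelling, and only discards an explicit `$false`/`0` value. The column names are the standard Advanced Hunting ones; the seven-day lookback and the service-command list are assumptions.

```kql
// Added example, not the original FalconFriday rule. Assumes standard
// DeviceProcessEvents columns; lookback window and svc_cmds are constructed.
let lookback = 7d;
// Service-stopping variants from the list above, lower-cased for matching
let svc_cmds = dynamic(["sc stop windefend", "sc delete windefend", "net stop security center"]);
let base = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | extend cmd = tolower(ProcessCommandLine);
// Branch 1: service tampering, where a plain substring match is sufficient
let svc_hits = base
    | where cmd has_any (svc_cmds)
    | extend Flags = dynamic(["service-tampering"]);
// Branch 2: Set-MpPreference with a -Disable*/-Exclusion* switch anywhere in the
// argument list, unless the switch is explicitly set to false
let mp_hits = base
    | where cmd has "set-mppreference"
    // Tokenise the way Windows does, so quoting and spacing do not matter
    | extend args = parse_command_line(ProcessCommandLine, "windows")
    | mv-expand with_itemindex=idx arg = args to typeof(string)
    | extend arg = tolower(arg)
    // Accept both "-Flag $true" (value is the next token) and "-Flag:$true"
    | extend flag = tostring(split(arg, ":")[0]),
             val = iff(arg contains ":", tostring(split(arg, ":")[1]),
                       tolower(tostring(args[idx + 1])))
    | where flag startswith "-disable" or flag startswith "-exclusion"
    // Only an explicit false value is harmless; $true, 1, or any other
    // truthy spelling, as well as a missing value, stays flagged
    | where not(flag startswith "-disable" and val in ("$false", "0", "false"))
    | summarize Flags = make_set(flag)
        by Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine;
union svc_hits, mp_hits
// Tuning for known-benign initiators (e.g. developer tooling) belongs here
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, Flags, ProcessCommandLine
| order by Timestamp desc
```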