Tamper Windows Defender - ScriptBlockLogging

Rule name: Tamper Windows Defender - ScriptBlockLogging

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Tamper Windows Defender - ScriptBlockLogging is an instance where an executable process attempts to disable scheduled scanning and other functions of Windows Defender ATP, or sets Defender's default threat actions to Allow so that malicious resources are not blocked. Attackers exploit this to evade detection.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access (through phishing) → Execution → Defense Evasion → Command and Control → Impact

Impact

  • Attacker executes a PowerShell payload, either directly or through loader tools.
  • Attacker runs -DisableScriptBlockLogging $true or Remove-MpPreference -DisableScriptBlockLogging to disable PowerShell ScriptBlockLogging.
  • Disabling ScriptBlockLogging hides PowerShell-based malicious actions and the traces left by the malware attack.

Rule Requirement

Prerequisites

  • Log in to the Group Policy Management Console (GPMC) with domain admin credentials.
  • In the Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell and enable Turn on Module Logging.
  • In the Options pane, click Show, enter * in the Module Name field to record all modules, and click OK.
  • In the Group Policy Management Editor, go to Computer Configuration and enable Turn on PowerShell Script Block Logging.
  • Create a new registry key "Microsoft-Windows-Powershell/Operational" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

Criteria

Action1: actionname = "PowerShell Script Block Logged"
  AND (
    SCRIPTEXECUTED contains "Set-MpPreference"
    AND (
      SCRIPTEXECUTED contains "-dbaf $true,-dbaf 1,-dbm $true,-dbm 1,-dips $true,-dips 1,-DisableArchiveScanning $true,-DisableArchiveScanning 1,-DisableBehaviorMonitoring $true,-DisableBehaviorMonitoring 1,-DisableBlockAtFirstSeen $true,-DisableBlockAtFirstSeen 1,-DisableCatchupFullScan $true,-DisableCatchupFullScan 1,-DisableCatchupQuickScan $true,-DisableCatchupQuickScan 1,-DisableIntrusionPreventionSystem $true,-DisableIntrusionPreventionSystem 1,-DisableIOAVProtection $true,-DisableIOAVProtection 1,-DisableRealtimeMonitoring $true,-DisableRealtimeMonitoring 1"
      OR SCRIPTEXECUTED contains "-DisableRemovableDriveScanning $true,-DisableRemovableDriveScanning 1,-DisableScanningMappedNetworkDrivesForFullScan $true,-DisableScanningMappedNetworkDrivesForFullScan 1,-DisableScanningNetworkFiles $true,-DisableScanningNetworkFiles 1,-DisableScriptScanning $true,-DisableScriptScanning 1,-MAPSReporting $false,-MAPSReporting 0,-drdsc $true,-drdsc 1,-drtm $true,-drtm 1,-dscrptsc $true,-dscrptsc 1,-dsmndf $true,-dsmndf 1,-dsnf $true,-dsnf 1,-dss $true,-dss 1"
    )
  )
  OR (
    SCRIPTEXECUTED contains "Set-MpPreference"
    AND SCRIPTEXECUTED contains "HighThreatDefaultAction Allow,htdefac Allow,LowThreatDefaultAction Allow,ltdefac Allow,ModerateThreatDefaultAction Allow,mtdefac Allow,SevereThreatDefaultAction Allow,stdefac Allow"
  )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.SCRIPTEXECUTED
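As an added example (not part of this rule page or the product's own code), the following Python applies the Criteria above to constructed PowerShell 4104 ScriptBlockText samples. It assumes the comma-separated lists in the Criteria mean "any of these parameter/value pairs", and it matches a parameter name together with the value that follows it rather than a bare substring.

```python
import re

# Parameter names from the rule's Criteria (lowercased). The Criteria lists each
# one with a "$true" and a "1" form; here either value counts as a match.
DISABLE_PARAMS = {
    "-dbaf", "-dbm", "-dips", "-disablearchivescanning",
    "-disablebehaviormonitoring", "-disableblockatfirstseen",
    "-disablecatchupfullscan", "-disablecatchupquickscan",
    "-disableintrusionpreventionsystem", "-disableioavprotection",
    "-disablerealtimemonitoring", "-disableremovabledrivescanning",
    "-disablescanningmappednetworkdrivesforfullscan",
    "-disablescanningnetworkfiles", "-disablescriptscanning",
    "-drdsc", "-drtm", "-dscrptsc", "-dsmndf", "-dsnf", "-dss",
}
# -MAPSReporting indicates tampering when set to $false or 0, not $true/1.
MAPS_PARAMS = {"-mapsreporting"}
# Default-action parameters are flagged only when their value is Allow.
DEFAULT_ACTION_PARAMS = {
    "-highthreatdefaultaction", "-htdefac", "-lowthreatdefaultaction", "-ltdefac",
    "-moderatethreatdefaultaction", "-mtdefac", "-severethreatdefaultaction", "-stdefac",
}
# "-Param value" pairs; the value is $true/$false, 1/0 or a word such as Allow.
PARAM_VALUE = re.compile(r"(-[a-z]+)\s+(\$?[a-z0-9]+)")


def classify_script_block(script_text):
    """Return the tampering category for one 4104 ScriptBlockText, or None."""
    text = script_text.lower()
    if "set-mppreference" not in text:
        return None
    for param, value in PARAM_VALUE.findall(text):
        if param in DISABLE_PARAMS and value in ("$true", "1"):
            return "disable-protection"
        if param in MAPS_PARAMS and value in ("$false", "0"):
            return "disable-protection"
        if param in DEFAULT_ACTION_PARAMS and value == "allow":
            return "default-action-allow"
    return None


def scan_events(events):
    """Run the rule over (hostname, script_text) pairs; return the hits."""
    return [(host, classify_script_block(text)) for host, text in events
            if classify_script_block(text)]


# Constructed sample 4104 script blocks (not real captured data).
SAMPLE_EVENTS = [
    ("WS01", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS02", "Set-MpPreference -MAPSReporting 0"),
    ("WS03", "Set-MpPreference -SevereThreatDefaultAction Allow"),
    ("WS04", "Get-MpPreference | Select-Object DisableRealtimeMonitoring"),
    ("WS05", "Set-MpPreference -DisableRealtimeMonitoring $false"),
]
```

Only WS01, WS02 and WS03 match: reading a preference or re-enabling protection is not tampering, which keeps the false-positive rate of the check in line with the rule's intent.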

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001)

Security Standards

Enabling this rule will help you meet the security standard requirements listed below:

PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

Security administrators should draft and enforce strict privilege policies for critical operations and the processes around them, and leverage IAM and SIEM solutions to manage access permissions and authorizations and to audit them regularly.

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

Security administrators have to continuously monitor the network and its services in real time using SIEM tools, and identify unusual behavior such as a process attempting to disable scheduled scanning and other functions of Windows Defender ATP. Enforce policies on web traffic to ensure network security.

Author

frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

In a few instances, a Tamper Windows Defender - ScriptBlockLogging event could be legitimate administrator activity or an authorized troubleshooting effort pertaining to IT maintenance or testing procedures.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Identify the event and check if the flagged incident is new or part of an existing one.
  2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
  3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and kill or terminate the malicious process.
  4. Reconfiguration: Update the network policies and port configurations and continuously monitor traffic trends in the network.

Mitigation

Mitigation ID / Mitigation Name / Mitigation description

M1038 - Execution Prevention: Use security applications to configure and block the execution of utilities such as diskshadow.exe to prevent potential exploitation by adversaries.

M1022 - Restrict File and Directory Permissions: File permissions are securely configured to block adversaries from disabling or tampering with essential security services.

M1024 - Restrict Registry Permissions: Ensure registry permissions are properly configured to prevent attackers from disabling or tampering with critical security services.

M1018 - User Account Management: Update policies to limit user accounts' access and privileges and use Service Control Policies to restrict API calls.