FalconFriday — AV Manipulation — 0xFF0E

Henri Hambartsumyan
Published in FalconForce
3 min read, Mar 12, 2021

Today’s blog is based on Olaf Hartong’s recent research on malware behavior at scale. In this edition, we’ll look at how malware tampers with the local Windows Defender AV and how you can detect it.

TL;DR for blue teams: You can use this rule as an early indicator of a potential compromise. At the very least, someone is weakening your defenses.

TL;DR for red teams: Avoid using the PowerShell cmdlets (Set-MpPreference) for disabling Defender AV.

Disabling anti-virus solutions can be leveraged as an early indicator of compromise. Although top-tier attackers will usually stay away from messing with your Defender AV settings, as it's fairly noisy, the tier below might resort to this. Based on my own experience, bypassing AV/EDR solutions has become a very labor-intensive effort. And although there are, and always will be, enough ways to pull it off, an attacker with a lower budget might not be willing to invest in it.

Hence, this week's detection rule is fairly straightforward, but at the same time very accurate. We're looking for machines where someone is trying to disable Defender AV. This query captures the most common ways to do it, which are:

Set-MpPreference -DisableRealtimeMonitoring $true
sc stop WinDefend
sc delete WinDefend
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -ExclusionProcess
Set-MpPreference -ExclusionExtension dll
Set-MpPreference -ExclusionExtension exe
net stop security center

Improvements and caveats

This rule is very rough and doesn't deal with many exceptions and ways to bypass it. So, as usual, we recommend using this rule as a basis for an improved version in your production environment. The improvements which are still required are:

  • Tuning the rule to get rid of obvious false positives. I’ve observed that software from JetBrains and Android Studio mess around with Defender AV settings. I haven’t yet gone down the rabbit hole of why that is…
  • The rule isn't very resilient as it is now. It can easily be bypassed by replacing $true with another value that evaluates to true. The integer 1 is an obvious candidate, but there are literally infinitely more options. One way to fix it is to look for all Set-MpPreference commands which have a -Disable* flag and filter out the -Disable* $false cases as false positives.
  • Messing around with the order of the parameters also allows easy bypasses, so we suggest improving that as well. In order to do so, use the parse_command_line() function in Kusto to extract the arguments properly. This allows you to check whether the desired command line options are used anywhere in the command line, regardless of their position.
  • Be aware that the query only catches the use of powershell.exe command lines. An attacker can easily bypass this by using System.Management.Automation.dll, by directly modifying registry keys, or by disabling Defender AV with clever usage of Win32 APIs. Use of System.Management.Automation.dll can easily be detected in Defender for Endpoint by looking in the DeviceEvents table for the ActionType PowerShellCommand. Modification of registry keys can be detected using the DeviceRegistryEvents table. Usage of the Win32 APIs might be a bit more challenging to catch, depending on which APIs are used, obviously.
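To show what the hardened logic from the last three bullets looks like when it is run over process events, here is an added Python example. It is not the author's KQL rule and not FalconForce code: it assumes DeviceProcessEvents-style rows with a DeviceName and a ProcessCommandLine column, approximates KQL's parse_command_line() with a small tokenizer, and extends the page's command list with Add-MpPreference, which adds Defender exclusions the same way Set-MpPreference does. The sample events are constructed, not real telemetry.

```python
from __future__ import annotations
import re

# Constructed sample DeviceProcessEvents rows (not real telemetry). Only the
# two columns the logic needs are included.
SAMPLE_EVENTS = [
    # the textbook case the original substring rule matches
    {"DeviceName": "ws01", "ProcessCommandLine":
     'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    # $true swapped for 1 and parameters reordered: a plain substring rule misses this
    {"DeviceName": "ws02", "ProcessCommandLine":
     'powershell.exe -ep bypass -Command "Set-MpPreference -ExclusionExtension exe -DisableBehaviorMonitoring 1"'},
    # colon syntax plus an abbreviated (still unambiguous) parameter name
    {"DeviceName": "ws03", "ProcessCommandLine":
     'pwsh.exe -c "Set-MpPreference -DisableRealtime:$true"'},
    # an admin switching protection back on: must not fire
    {"DeviceName": "ws04", "ProcessCommandLine":
     'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $false"'},
    {"DeviceName": "ws05", "ProcessCommandLine": "sc.exe stop WinDefend"},
    {"DeviceName": "ws06", "ProcessCommandLine": 'net stop "security center"'},
    # read-only query: must not fire
    {"DeviceName": "ws07", "ProcessCommandLine":
     'powershell.exe -c "Get-MpPreference | Select DisableRealtimeMonitoring"'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Approximate Windows argv splitting (the role parse_command_line() plays
    in KQL). A double-quoted string that contains whitespace is split again,
    so a script passed through -Command "..." is flattened into plain tokens."""
    tokens: list[str] = []
    for quoted, bare in _TOKEN.findall(cmdline):
        if quoted:
            if any(ch.isspace() for ch in quoted):
                tokens.extend(tokenize(quoted))
            else:
                tokens.append(quoted)
        elif bare:
            tokens.append(bare)
    return tokens


# The only spellings that bind to $false for a [bool] cmdlet parameter
# (Boolean parameters accept only Boolean values and numbers). Anything else,
# $true, 1, an abbreviated value or no value at all, is treated as "disable",
# so the check fails closed instead of enumerating truthy spellings.
FALSE_VALUES = {"$false", "0"}


def defender_tamper_indicators(cmdline: str) -> list[str]:
    """Return the Defender-tampering indicators found in one command line."""
    toks = [t.lower() for t in tokenize(cmdline)]
    hits: list[str] = []
    image = toks[0].rsplit("\\", 1)[-1] if toks else ""

    # Set-MpPreference / Add-MpPreference: inspect every -Disable* and
    # -Exclusion* parameter wherever it sits in the line (order-independent).
    if "set-mppreference" in toks or "add-mppreference" in toks:
        for i, tok in enumerate(toks):
            name, _, inline_value = tok.partition(":")   # -Flag:$true form
            if name.startswith("-disable"):
                value = inline_value
                if not value and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    value = toks[i + 1]                   # -Flag $true form
                if value not in FALSE_VALUES:
                    hits.append(f"{name} {value or '<no value>'}")
            elif name.startswith("-exclusion"):
                hits.append(name)

    # Service tampering from the page's list.
    if image in ("sc", "sc.exe") and toks[1:3] in (["stop", "windefend"], ["delete", "windefend"]):
        hits.append(f"sc {toks[1]} windefend")
    if image in ("net", "net.exe") and toks[1:2] == ["stop"] and " ".join(toks[2:]) == "security center":
        hits.append("net stop security center")
    return hits


def find_tampering(events) -> list[tuple[str, list[str]]]:
    """Run the indicator logic over a batch of events, returning (device, hits)."""
    return [(ev["DeviceName"], hits) for ev in events
            if (hits := defender_tamper_indicators(ev["ProcessCommandLine"]))]


if __name__ == "__main__":
    for device, hits in find_tampering(SAMPLE_EVENTS):
        print(device, hits)
```

In Kusto the same shape is `extend Args = parse_command_line(ProcessCommandLine, "windows")` followed by the -Disable*/-Exclusion* checks over the resulting array. The tokenizer only sees clear-text command lines: a script handed to PowerShell as -EncodedCommand, or run through System.Management.Automation.dll as the bullet above notes, has to be caught via the DeviceEvents PowerShellCommand action type instead.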

Henri Hambartsumyan
FalconForce

Hacker & offensive security addict. Co-founder @ FalconForce. Red teamer, slowly turning purple.