Detects requests to disable Microsoft Defender features using PowerShell commands
```yaml
title: Powershell Defender Disable Scan Feature
id: 1ec65a5f-9473-4f12-97da-622044d6df21
status: test
description: Detects requests to disable Microsoft Defender features using PowerShell commands
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
    - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
author: Florian Roth (Nextron Systems)
date: 2022-03-03
modified: 2024-01-02
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_cmdlet:
        CommandLine|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    selection_cli_option:
        CommandLine|contains:
            - 'DisableArchiveScanning '
            - 'DisableRealtimeMonitoring '
            - 'DisableIOAVProtection '
            - 'DisableBehaviorMonitoring '
            - 'DisableBlockAtFirstSeen '
            - 'DisableCatchupFullScan '
            - 'DisableCatchupQuickScan '
    selection_cli_value:
        CommandLine|contains:
            - '$true'
            - ' 1 '
    selection_encoded_modifier:
        CommandLine|base64offset|contains:
            # Note: Since this is calculating offsets casing is important
            - 'disablearchivescanning '
            - 'DisableArchiveScanning '
            - 'disablebehaviormonitoring '
            - 'DisableBehaviorMonitoring '
            - 'disableblockatfirstseen '
            - 'DisableBlockAtFirstSeen '
            - 'disablecatchupfullscan '
            - 'DisableCatchupFullScan '
            - 'disablecatchupquickscan '
            - 'DisableCatchupQuickScan '
            - 'disableioavprotection '
            - 'DisableIOAVProtection '
            - 'disablerealtimemonitoring '
            - 'DisableRealtimeMonitoring '
    selection_encoded_direct:
        CommandLine|contains:
            - 'RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
            - 'QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA'
            - 'EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA'
            - 'RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA'
            - 'QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA'
            - 'EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA'
            - 'ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
            - 'QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA'
            - 'kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA'
            - 'ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
            - 'QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
            - 'kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
            - 'ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA'
            - 'QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA'
            - 'kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA'
            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA'
            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA'
            - 'RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA'
    condition: all of selection_cli_* or 1 of selection_encoded_*
falsepositives:
    - Possible administrative activity
    - Other Cmdlets that may use the same parameters
level: high
```
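The script below is an added example and is not part of the Sigma rule or of the Sigma project's own code. It reimplements the `base64offset` and `utf16le` modifier logic that the `selection_encoded_*` selections depend on, regenerates the encoded patterns from the seven option names in both casings (so it covers slightly more than the hand-listed `selection_encoded_direct` set, which omits the lowercase Catchup and Archive variants), and applies the rule's condition `all of selection_cli_* or 1 of selection_encoded_*` to three constructed command lines. The function names (`base64offset`, `utf16le_base64offset`, `encoded_patterns`, `matches_rule`, `encoded_command`) and the sample command lines are assumptions made for illustration.

```python
"""Regenerate the rule's base64 patterns and evaluate its condition (added example)."""
import base64

# The base64offset modifier encodes the value at each of the three possible
# alignments inside a base64 stream (0, 1 or 2 preceding bytes) and then drops
# the leading/trailing characters whose value depends on unknown neighbour bytes.
START = (0, 2, 3)          # characters to drop at the start for offset 0, 1, 2
END = (None, -3, -2)       # characters to drop at the end, indexed by (len + offset) % 3


def base64offset(value: bytes) -> list[str]:
    """Return the three substring patterns Sigma derives from one value."""
    variants = []
    for i in range(3):
        encoded = base64.b64encode(b" " * i + value).decode()
        variants.append(encoded[START[i]:END[(len(value) + i) % 3]])
    return variants


def utf16le_base64offset(value: str) -> list[str]:
    """Sigma 'utf16le|base64offset': what PowerShell -EncodedCommand input looks like."""
    return base64offset(value.encode("utf-16le"))


# Plain-text selections copied from the rule above.
CMDLETS = ("Add-MpPreference ", "Set-MpPreference ")
OPTIONS = (
    "DisableArchiveScanning ", "DisableRealtimeMonitoring ", "DisableIOAVProtection ",
    "DisableBehaviorMonitoring ", "DisableBlockAtFirstSeen ",
    "DisableCatchupFullScan ", "DisableCatchupQuickScan ",
)
VALUES = ("$true", " 1 ")


def encoded_patterns() -> list[str]:
    """Rebuild selection_encoded_modifier and selection_encoded_direct from OPTIONS.

    Casing matters: 'disable...' and 'Disable...' are different bytes and therefore
    yield different base64 text, which is why the rule lists both spellings.
    """
    patterns = []
    for option in OPTIONS:
        for spelling in (option.lower(), option):
            patterns += base64offset(spelling.encode("ascii"))   # base64 of ASCII text
            patterns += utf16le_base64offset(spelling)           # base64 of UTF-16LE text
    return patterns


ENCODED = encoded_patterns()


def matches_rule(cmdline: str) -> bool:
    """Evaluate: all of selection_cli_* or 1 of selection_encoded_*."""
    cli = (any(c in cmdline for c in CMDLETS)
           and any(o in cmdline for o in OPTIONS)
           and any(v in cmdline for v in VALUES))
    return cli or any(p in cmdline for p in ENCODED)


def encoded_command(script: str) -> str:
    """Helper (assumption) that builds a -EncodedCommand style line for the samples."""
    return "powershell.exe -NoP -EncodedCommand " + base64.b64encode(script.encode("utf-16le")).decode()


# Constructed sample command lines (not taken from the page or from real telemetry).
SAMPLES = {
    "plain":   "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "encoded": encoded_command("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "benign":  "powershell.exe Get-MpPreference | Select-Object DisableRealtimeMonitoring",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8} -> {'ALERT' if matches_rule(line) else 'ok'}")
```

Running the script reports `plain` and `encoded` as alerts and `benign` as clean: the read-only `Get-MpPreference` line contains the option name but neither a `Set-`/`Add-MpPreference ` cmdlet nor a `$true`/` 1 ` value, so `all of selection_cli_*` fails. The encoded line matches because any byte offset of the UTF-16LE string inside the base64 stream is covered by one of the three alignment variants. The ASCII `base64offset` patterns only fire when the option name was base64-encoded as single-byte text, so the `utf16le` set is what catches `-EncodedCommand` payloads; the two sets are complementary rather than redundant.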
```kql
imProcessCreate
| where (
    (TargetProcessCommandLine contains "Add-MpPreference " or TargetProcessCommandLine contains "Set-MpPreference ")
    and (
        TargetProcessCommandLine contains "DisableArchiveScanning "
        or TargetProcessCommandLine contains "DisableRealtimeMonitoring "
        or TargetProcessCommandLine contains "DisableIOAVProtection "
        or TargetProcessCommandLine contains "DisableBehaviorMonitoring "
        or TargetProcessCommandLine contains "DisableBlockAtFirstSeen "
        or TargetProcessCommandLine contains "DisableCatchupFullScan "
        or TargetProcessCommandLine contains "DisableCatchupQuickScan "
    )
    and (TargetProcessCommandLine contains "$true" or TargetProcessCommandLine contains " 1 ")
)
or (
    (
        TargetProcessCommandLine contains "ZGlzYWJsZWFyY2hpdmVzY2FubmluZy"
        or TargetProcessCommandLine contains "Rpc2FibGVhcmNoaXZlc2Nhbm5pbmcg"
        or TargetProcessCommandLine contains "kaXNhYmxlYXJjaGl2ZXNjYW5uaW5nI"
        or TargetProcessCommandLine contains "RGlzYWJsZUFyY2hpdmVTY2FubmluZy"
        or TargetProcessCommandLine contains "Rpc2FibGVBcmNoaXZlU2Nhbm5pbmcg"
        or TargetProcessCommandLine contains "EaXNhYmxlQXJjaGl2ZVNjYW5uaW5nI"
        or TargetProcessCommandLine contains "ZGlzYWJsZWJlaGF2aW9ybW9uaXRvcmluZy"
        or TargetProcessCommandLine contains "Rpc2FibGViZWhhdmlvcm1vbml0b3Jpbmcg"
        or TargetProcessCommandLine contains "kaXNhYmxlYmVoYXZpb3Jtb25pdG9yaW5nI"
        or TargetProcessCommandLine contains "RGlzYWJsZUJlaGF2aW9yTW9uaXRvcmluZy"
        or TargetProcessCommandLine contains "Rpc2FibGVCZWhhdmlvck1vbml0b3Jpbmcg"
        or TargetProcessCommandLine contains "EaXNhYmxlQmVoYXZpb3JNb25pdG9yaW5nI"
        or TargetProcessCommandLine contains "ZGlzYWJsZWJsb2NrYXRmaXJzdHNlZW4g"
        or TargetProcessCommandLine contains "Rpc2FibGVibG9ja2F0Zmlyc3RzZWVuI"
        or TargetProcessCommandLine contains "kaXNhYmxlYmxvY2thdGZpcnN0c2Vlbi"
        or TargetProcessCommandLine contains "RGlzYWJsZUJsb2NrQXRGaXJzdFNlZW4g"
        or TargetProcessCommandLine contains "Rpc2FibGVCbG9ja0F0Rmlyc3RTZWVuI"
        or TargetProcessCommandLine contains "EaXNhYmxlQmxvY2tBdEZpcnN0U2Vlbi"
        or TargetProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBmdWxsc2Nhbi"
        or TargetProcessCommandLine contains "Rpc2FibGVjYXRjaHVwZnVsbHNjYW4g"
        or TargetProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cGZ1bGxzY2FuI"
        or TargetProcessCommandLine contains "RGlzYWJsZUNhdGNodXBGdWxsU2Nhbi"
        or TargetProcessCommandLine contains "Rpc2FibGVDYXRjaHVwRnVsbFNjYW4g"
        or TargetProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cEZ1bGxTY2FuI"
        or TargetProcessCommandLine contains "ZGlzYWJsZWNhdGNodXBxdWlja3NjYW4g"
        or TargetProcessCommandLine contains "Rpc2FibGVjYXRjaHVwcXVpY2tzY2FuI"
        or TargetProcessCommandLine contains "kaXNhYmxlY2F0Y2h1cHF1aWNrc2Nhbi"
        or TargetProcessCommandLine contains "RGlzYWJsZUNhdGNodXBRdWlja1NjYW4g"
        or TargetProcessCommandLine contains "Rpc2FibGVDYXRjaHVwUXVpY2tTY2FuI"
        or TargetProcessCommandLine contains "EaXNhYmxlQ2F0Y2h1cFF1aWNrU2Nhbi"
        or TargetProcessCommandLine contains "ZGlzYWJsZWlvYXZwcm90ZWN0aW9uI"
        or TargetProcessCommandLine contains "Rpc2FibGVpb2F2cHJvdGVjdGlvbi"
        or TargetProcessCommandLine contains "kaXNhYmxlaW9hdnByb3RlY3Rpb24g"
        or TargetProcessCommandLine contains "RGlzYWJsZUlPQVZQcm90ZWN0aW9uI"
        or TargetProcessCommandLine contains "Rpc2FibGVJT0FWUHJvdGVjdGlvbi"
        or TargetProcessCommandLine contains "EaXNhYmxlSU9BVlByb3RlY3Rpb24g"
        or TargetProcessCommandLine contains "ZGlzYWJsZXJlYWx0aW1lbW9uaXRvcmluZy"
        or TargetProcessCommandLine contains "Rpc2FibGVyZWFsdGltZW1vbml0b3Jpbmcg"
        or TargetProcessCommandLine contains "kaXNhYmxlcmVhbHRpbWVtb25pdG9yaW5nI"
        or TargetProcessCommandLine contains "RGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZy"
        or TargetProcessCommandLine contains "Rpc2FibGVSZWFsdGltZU1vbml0b3Jpbmcg"
        or TargetProcessCommandLine contains "EaXNhYmxlUmVhbHRpbWVNb25pdG9yaW5nI"
    )
    or (
        TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA"
        or TargetProcessCommandLine contains "EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA"
        or TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA"
        or TargetProcessCommandLine contains "EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA"
        or TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA"
        or TargetProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA"
        or TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA"
        or TargetProcessCommandLine contains "EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA"
        or TargetProcessCommandLine contains "ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA"
        or TargetProcessCommandLine contains "kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA"
        or TargetProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA"
        or TargetProcessCommandLine contains "kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA"
        or TargetProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA"
        or TargetProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA"
        or TargetProcessCommandLine contains "ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA"
        or TargetProcessCommandLine contains "QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA"
        or TargetProcessCommandLine contains "kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA"
        or TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA"
        or TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA"
        or TargetProcessCommandLine contains "RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA"
    )
)
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |