CAR-2021-01-007: Detecting Tampering of Windows Defender Command Prompt
In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Impair Defenses | Disable or Modify Tools | Defense Evasion | Medium |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | command_line |
Implementations
Splunk search - Detecting Tampering of Windows Defender Command Prompt (Splunk, Sysmon native)
This query looks for the specific use of service control for querying or trying to stop Windows Defender.
index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe" | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$"
Splunk search - Detecting Tampering of Windows Defender Command Prompt (Pseudocode)
This query looks for the specific use of service control for querying or trying to stop Windows Defender.
processes = search Process:Create
target_processes = filter processes where (
(exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*")
)
output target_processes