Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects attempts to disable Windows Defender components using PowerShell’s Disable-WindowsOptionalFeature cmdlet.

Strategy

This rule monitors Windows event logs for PowerShell script block execution that includes the Disable-WindowsOptionalFeature cmdlet with specific parameters that target Windows Defender components. The detection looks for command executions that include the -Online and -FeatureName parameters along with specific Windows Defender component names such as Windows-Defender-Gui, Windows-Defender-Features, Windows-Defender, or Windows-Defender-ApplicationGuard. This activity is concerning because it represents an attempt to disable security controls that protect the system. Attackers often try to disable Windows Defender components to evade detection and reduce the risk of being caught.

Triage & Response

• Review the complete PowerShell script block content to understand exactly which Windows Defender features were targeted on {{host}}.
• Determine the user account that executed the PowerShell command and verify if they should have permission to modify security settings.
• Verify the current status of Windows Defender components to confirm if the disablement was successful.
• Examine surrounding PowerShell commands and system activity for other suspicious behavior.
• If unauthorized, immediately re-enable the Windows Defender components using Enable-WindowsOptionalFeature.
• Scan the system with an alternative antivirus solution to identify potential malware that may have been installed.