```yaml
title: Windows Defender Tampering via PowerShell
id: edr-win-def-defender-tampering
status: stable
description: >
  Detects PowerShell commands that disable Windows Defender real-time or
  behavior monitoring, add broad exclusions, or use DISM to disable the
  Defender feature entirely. These are standard pre-encryption defense
  evasion steps across virtually every RaaS operation.
references:
  - https://hunt.io/blog/thegentlemen-ransomware-toolkit-russian-proton66-server
  - https://blog.talosintelligence.com/new-chaos-ransomware/
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_ps_image:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  # The cmdlet and its argument are separate selections: a YAML mapping
  # cannot carry the key 'CommandLine|contains' twice, and the argument
  # list is an OR that must be AND'ed with the cmdlet name.
  selection_disable_cmdlet:
    CommandLine|contains: 'Set-MpPreference'
  selection_disable_arg:
    CommandLine|contains:
      - 'DisableRealtimeMonitoring'
      - 'DisableBehaviorMonitoring'
  selection_exclusion_cmdlet:
    CommandLine|contains: 'Add-MpPreference'
  selection_exclusion_arg:
    CommandLine|contains:
      - '-ExclusionPath'
      - '-ExclusionExtension'
  selection_dism:
    Image|endswith: '\dism.exe'
    CommandLine|contains|all:
      - 'Disable-Feature'
      - 'Windows-Defender'
  # '$false' re-enables monitoring rather than disabling it.
  filter_false_disable:
    CommandLine|contains: '$false'
  filter_legit:
    CommandLine|contains:
      - '\sf'
      - 'jetbrains'
      - 'RightFax'
  condition: ((selection_ps_image and selection_disable_cmdlet and selection_disable_arg) or (selection_ps_image and selection_exclusion_cmdlet and selection_exclusion_arg) or selection_dism) and not filter_false_disable and not filter_legit
falsepositives:
  - Software installers that temporarily disable real-time monitoring
  - Developers adding project folder exclusions
level: medium
```
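An added example, not part of the rule or of the write-ups it references: a Python evaluation of the rule's selection and filter logic against constructed process_creation events, including the `$false` re-enable and installer-exclusion cases the filters are meant to drop. Field names follow Sysmon Event ID 1 (Image, CommandLine); the sample paths and command lines are constructed.

```python
def _contains(value, needles):
    # Sigma 'contains': case-insensitive, OR over the list.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value, needles):
    # Sigma 'contains|all': every substring must be present.
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _endswith(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_defender_tampering(image, cmd):
    """Apply the rule's condition to one process_creation event."""
    is_ps = _endswith(image, ["\\powershell.exe", "\\pwsh.exe"])
    selection_disable = (is_ps and _contains(cmd, ["Set-MpPreference"])
                         and _contains(cmd, ["DisableRealtimeMonitoring",
                                             "DisableBehaviorMonitoring"]))
    selection_exclusion = (is_ps and _contains(cmd, ["Add-MpPreference"])
                           and _contains(cmd, ["-ExclusionPath", "-ExclusionExtension"]))
    selection_dism = (_endswith(image, ["\\dism.exe"])
                      and _contains_all(cmd, ["Disable-Feature", "Windows-Defender"]))
    # '$false' re-enables monitoring; the legit list covers known installers.
    filter_false_disable = _contains(cmd, ["$false"])
    filter_legit = _contains(cmd, ["\\sf", "jetbrains", "RightFax"])
    return ((selection_disable or selection_exclusion or selection_dism)
            and not filter_false_disable and not filter_legit)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = {  # constructed process_creation events, not real telemetry
    "disable_rtm": (PS, "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    "reenable_rtm": (PS, "powershell -c Set-MpPreference -DisableRealtimeMonitoring $false"),
    "broad_exclusion": (r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh -c Add-MpPreference -ExclusionPath C:\\"),
    "dism_disable": (r"C:\Windows\System32\Dism.exe", "Dism /Online /Disable-Feature /FeatureName:Windows-Defender"),
    "jetbrains_install": (PS, "powershell Add-MpPreference -ExclusionPath C:\\Users\\dev\\jetbrains"),
    "not_powershell": (r"C:\Windows\System32\cmd.exe", "cmd /c Set-MpPreference -DisableBehaviorMonitoring $true"),
}

if __name__ == "__main__":
    for name, (image, cmd) in SAMPLES.items():
        print(f"{name:18} -> {matches_defender_tampering(image, cmd)}")
```

Only the first, third and fourth samples fire; the re-enable, the installer path and the non-PowerShell image are dropped by the filters or the Image selection.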