Microsoft Defender Antivirus (MDAV) is an antivirus program included with Windows 10, Windows 8.1 and Windows 7. It provides real-time protection from malware and can scan files, apps and settings for threats.
Real-time protection is also the feature attackers most often try to disable. Microsoft Defender Antivirus can be disabled or tampered with using several techniques: classic PowerShell cmdlets such as “Set-MpPreference”, but also a legitimate executable shipped with MDAV, MpCmdRun.exe. Tricky for defenders!
To help you detect these techniques, several Sigma detection rules are shared in this blog post and in our public GitHub repository. Users of our SOC platform have access to these rules, and more, in the Sekoia.io rules catalog.
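As an added illustration (not one of the Sigma rules from this post or from Sekoia.io's repository), the following Python encodes two Sigma-style selections for the tampering techniques named above and runs them over constructed Sysmon-like process-creation events; the rule titles, field names and sample command lines are assumptions.

```python
# Constructed Sysmon Event ID 1 style events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -RemoveDefinitions -All"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MpCmdRun.exe",
     "CommandLine": "MpCmdRun.exe -Scan -ScanType 1"},   # benign: a quick scan
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},  # benign: read-only
]

# Sigma-style rules: Image|endswith, CommandLine|contains|all, CommandLine|contains (any).
# Titles and selections are assumptions written for this example.
RULES = [
    {"title": "MDAV feature disabled or exclusion set via Set-MpPreference",
     "image_endswith": ("powershell.exe", "pwsh.exe"),
     "cmd_all": ["Set-MpPreference"],
     "cmd_any": ["-Disable", "-Exclusion"]},
    {"title": "MDAV signatures removed via MpCmdRun.exe",
     "image_endswith": ("MpCmdRun.exe",),
     "cmd_all": ["-RemoveDefinitions"],
     "cmd_any": []},
]


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' modifier semantics: case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def match_rule(rule: dict, event: dict) -> bool:
    """Return True when the event satisfies every selection of the rule."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(tuple(s.lower() for s in rule["image_endswith"])):
        return False
    if not all(_contains(cmd, s) for s in rule["cmd_all"]):
        return False
    if rule["cmd_any"] and not any(_contains(cmd, s) for s in rule["cmd_any"]):
        return False
    return True


def detect(events: list, rules: list = RULES) -> list:
    """Run every rule over every event; return (rule title, command line) hits."""
    return [(r["title"], ev["CommandLine"]) for ev in events for r in rules if match_rule(r, ev)]


if __name__ == "__main__":
    for title, cmd in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {title}: {cmd}")
```

Command-line matching only sees what was logged, so an encoded or obfuscated PowerShell command line will evade these selections; pairing them with Script Block Logging (Event ID 4104) and the Defender operational log (Event ID 5001, real-time protection disabled) gives a second, harder-to-avoid signal.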
Feel free to explore other glossary entries and read other TDR analyses here:
- Unveiling of a large resilient infrastructure distributing information stealers
- Traffers: a deep dive into the information stealer ecosystem
- PrivateLoader: the loader of the prevalent ruzki PPI service
- MSDT abused to achieve RCE on Microsoft Office
- Overview of the Russian-speaking infostealer ecosystem: the distribution