PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'

Rule Info

Name
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Author
Matt Anderson (Huntress)
Description
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet with one of Windows Defender's per-severity default action parameters (-LowThreatDefaultAction, -ModerateThreatDefaultAction, -HighThreatDefaultAction, -SevereThreatDefaultAction or -UnknownThreatDefaultAction) set to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change: it effectively disables Defender's automatic remediation for threats of that severity level, so a detection is recorded but the threat is neither cleaned, quarantined nor removed. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Date
2025-07-11 00:00:00
Modified
None
Id
1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
Tags
attack.defense-evasion attack.t1562.001
Type
Community Rule
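
The following is an added example for this page and is not code from the Sigma rule or from SigmaHQ. It shows the detection idea in the description as runnable PowerShell: a function that scans process command lines for Set-MpPreference setting any *ThreatDefaultAction parameter to Allow/6 or NoAction/9, run over constructed sample command lines, plus an audit function that checks the live Get-MpPreference output (or a constructed preference object, so it runs on a host without Defender) for the same values. The function names, the sample command lines and the constructed preference object are assumptions made for the example. One caveat the example bakes in: Set-MpPreference accepts the enum name as well as the numeric value, so matching only on '6' and '9' misses `-HighThreatDefaultAction Allow`; the regex below keys on both spellings.

```powershell
# Added example for this rule page; not code from the Sigma rule or SigmaHQ.
# (1) Detection logic over process command lines, matching what the rule
#     description targets, and (2) an audit of the Defender configuration.

# MpThreatAction values documented for Set-MpPreference: 6 = Allow, 9 = NoAction.
# The cmdlet accepts either the number or the enum name, so both spellings are keyed.
$PermissiveActions = @{
    '6' = 'Allow';    'allow'    = 'Allow'
    '9' = 'NoAction'; 'noaction' = 'NoAction'
}

function Test-DefenderDefaultActionTamper {
    <#
    Returns one object per *ThreatDefaultAction assignment in $CommandLine whose value
    is Allow/6 or NoAction/9. Handles "-Param Value" and "-Param:Value" syntax and
    optional quoting. Returns nothing for command lines that are benign.
    #>
    param([Parameter(Mandatory)][string]$CommandLine)

    if ($CommandLine -notmatch '(?i)Set-MpPreference') { return }

    # e.g. -HighThreatDefaultAction 6, -LowThreatDefaultAction:Allow, -SevereThreatDefaultAction "NoAction"
    $pattern = '(?i)-(?<sev>Low|Moderate|High|Severe|Unknown)ThreatDefaultAction\s*[:\s]\s*["'']?(?<val>[A-Za-z0-9]+)'
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $val = $m.Groups['val'].Value.ToLower()
        if ($PermissiveActions.ContainsKey($val)) {
            [pscustomobject]@{
                Severity    = $m.Groups['sev'].Value
                Action      = $PermissiveActions[$val]
                CommandLine = $CommandLine
            }
        }
    }
}

function Get-PermissiveDefenderDefaultAction {
    <#
    Audits Defender preferences (live Get-MpPreference by default, or a supplied object
    for offline testing) and returns each severity level whose default action is
    Allow or NoAction.
    #>
    param($Preference = (Get-MpPreference))

    foreach ($sev in 'Low', 'Moderate', 'High', 'Severe', 'Unknown') {
        $prop = "${sev}ThreatDefaultAction"
        $val  = ([string]$Preference.$prop).ToLower()   # live values come back as [byte]
        if ($PermissiveActions.ContainsKey($val)) {
            [pscustomobject]@{ Severity = $sev; Action = $PermissiveActions[$val] }
        }
    }
}

# Constructed sample process command lines (stand-ins for Sysmon Event ID 1 / Security 4688 telemetry).
$SampleCommandLines = @(
    'powershell.exe -nop -w hidden -c "Set-MpPreference -HighThreatDefaultAction 6 -SevereThreatDefaultAction 6"'
    'powershell.exe Set-MpPreference -LowThreatDefaultAction:NoAction'
    "pwsh -c Set-MpPreference -ModerateThreatDefaultAction 'Allow'"
    'powershell.exe Set-MpPreference -HighThreatDefaultAction Quarantine'   # benign: Quarantine (3)
    'powershell.exe Get-MpPreference'                                        # benign: read only
)

'--- Suspicious command lines ---'
$SampleCommandLines | ForEach-Object { Test-DefenderDefaultActionTamper -CommandLine $_ } |
    Format-Table Severity, Action, CommandLine -AutoSize

# Constructed preference object mimicking a tampered host, so the audit runs without Defender present.
$ConstructedPreference = [pscustomobject]@{
    LowThreatDefaultAction      = [byte]3   # Quarantine
    ModerateThreatDefaultAction = [byte]3
    HighThreatDefaultAction     = [byte]9   # NoAction
    SevereThreatDefaultAction   = [byte]6   # Allow
    UnknownThreatDefaultAction  = [byte]3
}

'--- Audit of constructed preference object ---'
Get-PermissiveDefenderDefaultAction -Preference $ConstructedPreference | Format-Table -AutoSize

# On a real host, call Get-PermissiveDefenderDefaultAction with no arguments to audit the live configuration.
```

On the constructed input the first three sample lines produce four hits (High and Severe set to Allow, Low set to NoAction, Moderate set to Allow) and the two benign lines produce none; the audit of the constructed object reports High (NoAction) and Severe (Allow). On hosts where Tamper Protection is enabled Defender rejects this change, but the attempt still appears in process-creation telemetry, which is where a rule keyed on the command line catches it.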

Rule History

Author
Matt Anderson
Title
Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
Date
2025-07-28
Commit