T1562 – Impair Defenses (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-DEFENSE-IMPAIR-1562-7842
Alert Time: 2024-02-19 14:15:33 EST
Severity: CRITICAL (95/100)
Source: Microsoft Defender for Endpoint
Rule: “Tampering with Defender Security Settings Detected”
MITRE ATT&CK: T1562.001 – Impair Defenses: Disable or Modify Tools

Alert Details:

Detection: Attempt to disable Windows Defender real-time protection

Host: IT-WS-112 (IT Department)
User: bjones (Brian Jones – IT Admin)
Time: 14:10 EST

PowerShell Commands Executed:

1. 14:08:22 – Set-MpPreference -DisableRealtimeMonitoring $true

2. 14:08:25 – Set-MpPreference -DisableBehaviorMonitoring $true

3. 14:08:28 – Set-MpPreference -DisableBlockAtFirstSeen $true

4. 14:08:31 – Set-MpPreference -DisableIOAVProtection $true

5. 14:08:34 – Set-MpPreference -DisablePrivacyMode $true

6. 14:08:37 – Set-MpPreference -MAPSReporting Disabled

7. 14:08:40 – Add-MpPreference -ExclusionPath C:\Users\bjones\AppData\Local\Temp

8. 14:08:43 – Add-MpPreference -ExclusionProcess malware.exe

9. 14:08:46 – Add-MpPreference -ExclusionExtension .exe

10. 14:08:49 – netsh advfirewall set allprofiles state off

Process Tree:

explorer.exe (PID: 2341)
  └─ powershell.exe (PID: 4789) – executed the Defender commands above
       └─ cmd.exe (PID: 4792) – executed the netsh firewall disable command

Detection Logic:

Multiple Defender disable commands in quick succession
Firewall disabled immediately afterwards
User bjones is an IT admin, so the access itself is legitimate
However, the pattern matches an attacker disabling defenses before acting
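The detection logic above can be reproduced over command-line telemetry. The following is an added example, not part of the original alert or the vendor's rule: it flags a burst of Defender-weakening commands within a short window and raises the severity when a firewall-off command follows. The input objects (a `Time` and a `CommandLine`) would in practice come from PowerShell script block logging (Event ID 4104) or process-creation events; the sample records here are constructed to mirror the ten commands in the alert.

```powershell
# Added example (not from the original write-up): detect a burst of
# Defender-weakening commands, optionally followed by a firewall-off command.
# $Events: objects with Time (DateTime) and CommandLine (string).

function Find-DefenseImpairmentBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 60,   # how close together the commands must be
        [int] $Threshold     = 3     # Defender-weakening commands needed to alert
    )
    # Turns off a Defender feature, disables cloud (MAPS) reporting, or adds an exclusion.
    $defenderPattern = '(?i)Set-MpPreference\s+-(Disable\w+\s+\$true|MAPSReporting\s+Disabled)|Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b'
    # Firewall switched off for one or all profiles.
    $firewallPattern = '(?i)netsh\s+advfirewall\s+set\s+\w+\s+state\s+off'

    $sorted      = @($Events | Sort-Object Time)
    $defenderCmd = @($sorted | Where-Object { $_.CommandLine -match $defenderPattern })
    $firewallCmd = @($sorted | Where-Object { $_.CommandLine -match $firewallPattern })

    for ($i = 0; $i -lt $defenderCmd.Count; $i++) {
        $start    = $defenderCmd[$i].Time
        $inWindow = @($defenderCmd | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddSeconds($WindowSeconds) })
        if ($inWindow.Count -lt $Threshold) { continue }

        # Burst found; a firewall-off command shortly after it raises the severity.
        $last        = $inWindow[-1].Time
        $firewallOff = @($firewallCmd | Where-Object { $_.Time -ge $start -and $_.Time -le $last.AddSeconds($WindowSeconds) })
        $severity    = if ($firewallOff.Count -gt 0) { 'CRITICAL' } else { 'HIGH' }
        return [pscustomobject]@{
            Detected         = $true
            DefenderCommands = $inWindow.Count
            FirstCommand     = $start
            LastCommand      = $last
            FirewallDisabled = ($firewallOff.Count -gt 0)
            Severity         = $severity
            CommandLines     = @($inWindow.CommandLine) + @($firewallOff.CommandLine)
        }
    }
    return [pscustomobject]@{ Detected = $false; Severity = 'NONE' }
}

# Constructed sample: the ten commands from the alert, three seconds apart.
$t0 = [datetime]'2024-02-19T14:08:22'
$commands = @(
    'Set-MpPreference -DisableRealtimeMonitoring $true'
    'Set-MpPreference -DisableBehaviorMonitoring $true'
    'Set-MpPreference -DisableBlockAtFirstSeen $true'
    'Set-MpPreference -DisableIOAVProtection $true'
    'Set-MpPreference -DisablePrivacyMode $true'
    'Set-MpPreference -MAPSReporting Disabled'
    'Add-MpPreference -ExclusionPath C:\Users\bjones\AppData\Local\Temp'
    'Add-MpPreference -ExclusionProcess malware.exe'
    'Add-MpPreference -ExclusionExtension .exe'
    'netsh advfirewall set allprofiles state off'
)
$sample = for ($i = 0; $i -lt $commands.Count; $i++) {
    [pscustomobject]@{ Time = $t0.AddSeconds(3 * $i); CommandLine = $commands[$i] }
}
Find-DefenseImpairmentBurst -Events $sample | Format-List

# Control case: one change made by an admin during maintenance stays below the threshold.
$single = @([pscustomobject]@{ Time = $t0; CommandLine = 'Set-MpPreference -DisableRealtimeMonitoring $true' })
Find-DefenseImpairmentBurst -Events $single | Format-List
```

The full sample yields nine Defender commands in the window and a firewall-off command after them, so the result is CRITICAL; the single-command control case is not detected. The threshold and window are the knobs that separate a one-off admin change from the burst seen here, which is why the alert's own logic weighs the sequence rather than any single command.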

Additional Context:

bjones reported receiving “security alert” email 10 minutes prior
Clicked link, entered credentials
Account may be compromised
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed defense impairment attempts |
| 2. User Verification | Contact bjones | Teams, Phone | User did NOT run these commands; account compromised |
| 3. Immediate Action | Disable compromised account | Azure AD, AD | bjones account disabled |
| 4. Re-enable Defenses | Re-enable Defender settings | PowerShell, Intune | All protections restored |
| 5. Firewall Restore | Re-enable Windows Firewall | netsh, GPO | Firewall re-enabled |
| 6. Account Remediation | Reset password, enforce MFA | Azure AD | Password reset; MFA enforced |
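Steps 4 and 5 (restore Defender settings, re-enable the firewall) can be scripted so the restoration is auditable and repeatable. The following is an added example, not the organisation's own runbook: it records which protections are weakened, sets every one of them back, removes exclusions that are not on an approved list (the `$ApprovedExclusionPaths` parameter is an assumption for illustration), and switches all firewall profiles on. It uses the built-in Defender cmdlets (Get-MpPreference, Set-MpPreference, Remove-MpPreference) and the NetSecurity module (Set-NetFirewallProfile, Get-NetFirewallProfile) in an elevated session on the affected host.

```powershell
# Added example (not the original write-up's runbook): audit, restore and
# verify Defender protections and the Windows Firewall after T1562.001.
# Requires an elevated PowerShell session on the affected host.

function Restore-DefenderBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Exclusion paths the organisation has approved; every other path is removed.
        [string[]] $ApprovedExclusionPaths = @()
    )

    $before = Get-MpPreference

    # Each Disable* property on Get-MpPreference mirrors the Set-MpPreference switch of the same name.
    $switches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                'DisableBlockAtFirstSeen', 'DisableIOAVProtection', 'DisablePrivacyMode'
    $weakened = @($switches | Where-Object { $before.$_ })
    if ($before.MAPSReporting -eq 0) { $weakened += 'MAPSReporting (Disabled)' }   # 0 = Disabled, 2 = Advanced

    # Exclusions present before restoration; paths on the approved list are kept.
    $rogueExclusions = [ordered]@{
        Path      = @($before.ExclusionPath      | Where-Object { $_ -and ($_ -notin $ApprovedExclusionPaths) })
        Process   = @($before.ExclusionProcess   | Where-Object { $_ })
        Extension = @($before.ExclusionExtension | Where-Object { $_ })
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restore Defender baseline and firewall')) {
        # One call turns every protection back on and restores cloud-delivered reporting.
        Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false `
                         -DisableBlockAtFirstSeen $false -DisableIOAVProtection $false `
                         -DisablePrivacyMode $false -MAPSReporting Advanced

        foreach ($p in $rogueExclusions.Path)      { Remove-MpPreference -ExclusionPath $p }
        foreach ($p in $rogueExclusions.Process)   { Remove-MpPreference -ExclusionProcess $p }
        foreach ($e in $rogueExclusions.Extension) { Remove-MpPreference -ExclusionExtension $e }

        # All three firewall profiles back on (same effect as: netsh advfirewall set allprofiles state on).
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    }

    # Re-read the state so the report reflects what is actually in effect now.
    $after = Get-MpPreference
    [pscustomobject]@{
        WeakenedBefore     = $weakened
        ExclusionsRemoved  = $rogueExclusions
        RealtimeProtection = -not $after.DisableRealtimeMonitoring
        BehaviorMonitoring = -not $after.DisableBehaviorMonitoring
        CloudProtection    = ($after.MAPSReporting -ne 0)
        FirewallProfilesOn = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Count
    }
}

# Preview the changes first, then apply them and keep the report with the ticket.
Restore-DefenderBaseline -WhatIf
Restore-DefenderBaseline -ApprovedExclusionPaths 'C:\ProgramData\ApprovedAgent' | Format-List
```

The `WeakenedBefore` and `ExclusionsRemoved` fields are worth attaching to the incident ticket, since they document exactly what the attacker changed. Where Tamper Protection is enforced, local Set-MpPreference calls cannot alter the protected settings in either direction, so the managed restore path is Intune or Microsoft 365 Defender, which the table above lists alongside PowerShell for the same reason.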

Jira Incident Report
Ticket: SOC-2024-097
Summary: T1562 – Attempt to Disable Defender and Firewall via Compromised Admin Account
Status: RESOLVED
Resolution: MALICIOUS – Defenses Restored
Priority: P1 – CRITICAL
Labels: T1562, impair-defenses, defender-tampering, firewall, compromised-admin
Components: Endpoint-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “Tampering with Defender Security Settings Detected”.
Host: IT-WS-112 (IT Department, user bjones).
Time: 2024-02-19 14:15 EST.
Technique: MITRE ATT&CK T1562.001 – Impair Defenses: Disable or Modify Tools.

2. Technical Analysis:

Attack Chain:

13:55 – bjones receives phishing email “Security Alert – Action Required”
13:56 – Clicks link, enters credentials on fake Microsoft login page
13:57 – Attacker logs in from IP 45.134.225[.]78
14:00 – Attacker RDPs to IT-WS-112 using bjones credentials
14:05 – PowerShell launched to disable Defender
14:08 – Multiple Defender disable commands executed
14:09 – Windows Firewall disabled
14:10 – Defender detects tampering
14:15 – Alert triggers

Defenses Impaired:

Real-time monitoring: DISABLED
Behavior monitoring: DISABLED
Cloud-delivered protection: DISABLED
Email scanning: DISABLED
MAPS reporting: DISABLED
Exclusions added: Temp folder, .exe files, malware.exe
Windows Firewall: DISABLED

Attacker Actions After Defense Impairment:

Downloaded Mimikatz to C:\Temp\
Attempted credential dumping (partially successful)
Created local admin account “helpdesk”
Scheduled task for persistence

Account Status:

bjones had Domain Admin privileges (over-privileged)
No MFA on account (now enforced)

3. Investigation Findings:

Timeline:

13:55 – Phishing email opened
13:56 – Credentials compromised
14:00-14:05 – Attacker RDP access
14:05-14:09 – Defenses disabled
14:10 – Defender detects tampering
14:15 – Alert triggers
14:17 – Account disabled
14:18 – Defenses restored

Indicators of Compromise (IoCs):

Network:

– Attacker IP: 45.134.225[.]78

Account:

– bjones (compromised)

– helpdesk (local admin created)

Files:

– C:\Temp\mimikatz.exe (SHA256: b2c3d4e5…)

Scheduled Task:

– “WindowsMaintenance”

4. Containment Actions:

Immediate Actions:

Disabled bjones account.
Re-enabled all Defender protections.
Re-enabled Windows Firewall.
Removed attacker-created exclusions.
Deleted helpdesk account.
Removed scheduled task.
Blocked attacker IP.

Host Remediation:

Deleted Mimikatz and other tools.
Full scan (no other malware).
No reimage needed (cleaned).

Account Remediation:

Reset bjones password.
Enforced MFA.
Removed unnecessary admin privileges.

5. Root Cause Analysis:

Primary Cause: Admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
User had excessive privileges (Domain Admin).
RDP allowed from internet.

6. Business Impact:

Operational Impact: IT admin offline for 2 hours.
Security Impact: Defenses down for 8 minutes.
Data Exposure: Some credentials may have been dumped.

7. Remediation & Prevention:

Completed Actions:

Defenses restored.
Compromised account secured.
Attacker artifacts removed.

Technical Controls Enhanced:

Enforced MFA for all admin accounts.
Moved RDP behind VPN only.
Implemented Privileged Access Workstations.
Created alert for any Defender setting changes.

8. Conclusion:

An attacker compromised an IT admin via phishing and systematically disabled Windows Defender and Firewall. Defender’s tamper protection detected the changes, enabling rapid restoration. The account was secured, and defenses were re-enabled within minutes.

Closure Rationale: Defenses restored; account secured; attacker blocked.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-19 15:30 EST
