← Back to SOC feed Coverage →

PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'

sigma HIGH SigmaHQ
T1685
imProcessCreate
backdoorevasionpowershell
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-07T23:00:00Z · Confidence: low

Hunt Hypothesis

Detects the use of PowerShell to execute the ‘Set-MpPreference’ cmdlet to configure Windows Defender’s threat severity default action to ‘Allow’ (value ‘6’) or ‘NoAction’ (value ‘9’). This is a highly

Detection Rule

Sigma (Original)

title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
related:
    - id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
      type: similar
status: experimental
description: |
    Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
    An attacker might use this technique via the command line to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdlet:
        CommandLine|contains: 'Set-MpPreference'
    selection_action:
        CommandLine|contains:
            - '-LowThreatDefaultAction'
            - '-ModerateThreatDefaultAction'
            - '-HighThreatDefaultAction'
            - '-SevereThreatDefaultAction'
            - '-ltdefac '
            - '-mtdefac '
            - '-htdefac '
            - '-stdefac '
    selection_value:
        CommandLine|contains:
            - 'Allow'
            - '6'
            - 'NoAction'
            - '9'
    condition: all of selection_*
falsepositives:
    - Highly unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessCommandLine contains "Set-MpPreference" and (TargetProcessCommandLine contains "-LowThreatDefaultAction" or TargetProcessCommandLine contains "-ModerateThreatDefaultAction" or TargetProcessCommandLine contains "-HighThreatDefaultAction" or TargetProcessCommandLine contains "-SevereThreatDefaultAction" or TargetProcessCommandLine contains "-ltdefac " or TargetProcessCommandLine contains "-mtdefac " or TargetProcessCommandLine contains "-htdefac " or TargetProcessCommandLine contains "-stdefac ") and (TargetProcessCommandLine contains "Allow" or TargetProcessCommandLine contains "6" or TargetProcessCommandLine contains "NoAction" or TargetProcessCommandLine contains "9")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml