Skip to content

Hide Navigation Hide TOC

PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' (1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e)

Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' (1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e) Sigma-Rules 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2