Windows Defender detected Trojan:Script/Phonzy.A!ml in Aurora files.

Shraknard commented 4 months ago

Hi, just got a high detection from WIndows Defender on one of the Aurora yml rule : posh_pc_tamper_windows_defender_set_mp.yml.
It was detected as Trojan:Script/Phonzy.A!ml and quarantined.

Affected elements are :

Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\posh_pc_tamper_windows_defender_set_mp.yml
Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_script\posh_ps_tamper_windows_defender_set_mp.yml

Not sure what part of the file could have triggered it but it seems to be a ML detection so maybe it just misunderstood.
Also, Aurora light is installed for like a week, so I'm not sure why it didn't trigger before.

Content of the file :

title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
      type: derived
status: experimental
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022/01/16
modified: 2024/01/02
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_options_disabling_preference:
        ScriptBlockText|contains: 'Set-MpPreference'
    selection_options_disabling_function:
        ScriptBlockText|contains:
            - '-dbaf $true'
            - '-dbaf 1'
            - '-dbm $true'
            - '-dbm 1'
            - '-dips $true'
            - '-dips 1'
            - '-DisableArchiveScanning $true'
            - '-DisableArchiveScanning 1'
            - '-DisableBehaviorMonitoring $true'
            - '-DisableBehaviorMonitoring 1'
            - '-DisableBlockAtFirstSeen $true'
            - '-DisableBlockAtFirstSeen 1'
            - '-DisableCatchupFullScan $true'
            - '-DisableCatchupFullScan 1'
            - '-DisableCatchupQuickScan $true'
            - '-DisableCatchupQuickScan 1'
            - '-DisableIntrusionPreventionSystem $true'
            - '-DisableIntrusionPreventionSystem 1'
            - '-DisableIOAVProtection $true'
            - '-DisableIOAVProtection 1'
            - '-DisableRealtimeMonitoring $true'
            - '-DisableRealtimeMonitoring 1'
            - '-DisableRemovableDriveScanning $true'
            - '-DisableRemovableDriveScanning 1'
            - '-DisableScanningMappedNetworkDrivesForFullScan $true'
            - '-DisableScanningMappedNetworkDrivesForFullScan 1'
            - '-DisableScanningNetworkFiles $true'
            - '-DisableScanningNetworkFiles 1'
            - '-DisableScriptScanning $true'
            - '-DisableScriptScanning 1'
            - '-MAPSReporting $false'
            - '-MAPSReporting 0'
            - '-drdsc $true'
            - '-drdsc 1'
            - '-drtm $true'
            - '-drtm 1'
            - '-dscrptsc $true'
            - '-dscrptsc 1'
            - '-dsmndf $true'
            - '-dsmndf 1'
            - '-dsnf $true'
            - '-dsnf 1'
            - '-dss $true'
            - '-dss 1'
    selection_other_default_actions_allow:
        ScriptBlockText|contains: 'Set-MpPreference'
    selection_other_default_actions_func:
        ScriptBlockText|contains:
            - 'HighThreatDefaultAction Allow'
            - 'htdefac Allow'
            - 'LowThreatDefaultAction Allow'
            - 'ltdefac Allow'
            - 'ModerateThreatDefaultAction Allow'
            - 'mtdefac Allow'
            - 'SevereThreatDefaultAction Allow'
            - 'stdefac Allow'
    condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high

Not sure if this is considered as a real issue but at least you have the info now.

Shraknard commented 3 months ago

I got an other detection from Windows Defender. This time from rule : Aurora-Agent\signatures\sigma-rules\public\windows\powershell\powershell_classic\posh_pc_tamper_windows_defender_set_mp.yml. It was considered as trojan Trojan:Win32/BatTamper.A. Severity : high

Mathu-lmn commented 1 month ago

Hi, I'm facing the same issue, the 2 "trojans" are quarantined by Defender consistently. Have you found any explanation ?

nasbench commented 1 month ago

Please read the explanation I gave here https://github.com/SigmaHQ/sigma/issues/4925

NextronSystems / aurora-agent-lite

Windows Defender detected Trojan:Script/Phonzy.A!ml in Aurora files. #13