Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
Sigma rule
```yaml
title: Windows Defender Definition Files Removed
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
  - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
author: frack113
date: 2021/07/07
modified: 2023/07/18
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\MpCmdRun.exe'
    - OriginalFileName: MpCmdRun.exe
  selection_cli:
    CommandLine|contains|all:
      - ' -RemoveDefinitions'
      - ' -All'
  condition: all of selection_*
fields:
  - ComputerName
  - User
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: high
```
Related rules
- Weak Encryption Enabled and Kerberoast
- Potential Ke3chang/TidePool Malware Activity
- Security Service Disabled Via Reg.EXE
- Windows Defender Real-Time Protection Failure/Restart
- AWS Macie Evasion