Security Service Disabled Via Reg.EXE
Detects execution of "reg.exe" to disable security services such as Windows Defender.
Sigma rule
title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
    - https://twitter.com/JohnLaTwC/status/1415295021041979392
    - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
    - https://vms.drweb.fr/virus/?i=24144899
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_add:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
    selection_cli_reg_start:
        CommandLine|contains|all:
            - 'd 4'
            - 'v Start'
        CommandLine|contains:
            - '\AppIDSvc'
            - '\MsMpSvc'
            - '\NisSrv'
            - '\SecurityHealthService'
            - '\Sense'
            - '\UsoSvc'
            - '\WdBoot'
            - '\WdFilter'
            - '\WdNisDrv'
            - '\WdNisSvc'
            - '\WinDefend'
            - '\wscsvc'
            - '\wuauserv'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
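To see how the two selections combine, the following added example (not code from the Sigma project) re-implements the rule's matching logic in Python and runs it over constructed process_creation command lines; it assumes Sigma's case-insensitive substring semantics for `contains` and `contains|all`.

```python
"""Re-implementation of the rule's detection logic over CommandLine values.
Added example, not part of the Sigma project. Sigma string matching is
case-insensitive by specification, reproduced here by lower-casing both sides."""

# Service key fragments from the rule's 'CommandLine|contains' list.
SERVICE_KEYS = [
    r"\AppIDSvc", r"\MsMpSvc", r"\NisSrv", r"\SecurityHealthService",
    r"\Sense", r"\UsoSvc", r"\WdBoot", r"\WdFilter", r"\WdNisDrv",
    r"\WdNisSvc", r"\WinDefend", r"\wscsvc", r"\wuauserv",
]

def contains_all(cmdline: str, needles) -> bool:
    """Sigma 'contains|all': every needle must occur as a substring."""
    low = cmdline.lower()
    return all(n.lower() in low for n in needles)

def contains_any(cmdline: str, needles) -> bool:
    """Sigma 'contains' with a list: at least one needle must occur."""
    low = cmdline.lower()
    return any(n.lower() in low for n in needles)

def matches_rule(cmdline: str) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    selection_reg_add = contains_all(cmdline, ["reg", "add"])
    selection_cli_reg_start = (
        contains_all(cmdline, ["d 4", "v Start"])
        and contains_any(cmdline, SERVICE_KEYS)
    )
    return selection_reg_add and selection_cli_reg_start

# Constructed sample command lines (not real telemetry), with expected verdicts.
SAMPLES = {
    # Start=4 (disabled) on WinDefend: both selections hold, rule fires.
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f': True,
    # Same change on a service not in the list: second selection fails.
    r'reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v Start /t REG_DWORD /d 4 /f': False,
    # Read-only query, no 'add': first selection fails.
    r'reg query HKLM\SYSTEM\CurrentControlSet\Services\WinDefend /v Start': False,
    # Start=2 (automatic) rather than 4: 'd 4' absent.
    r'reg add HKLM\SYSTEM\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 2 /f': False,
}

def evaluate_samples() -> dict:
    """Return {cmdline: matched} for every constructed sample."""
    return {cmd: matches_rule(cmd) for cmd in SAMPLES}

if __name__ == "__main__":
    for cmd, hit in evaluate_samples().items():
        print("ALERT" if hit else "ok   ", cmd)
```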