attack.t1562.001

IISReset Used to Stop IIS Services

Sep 9, 2024 · attack.impact attack.defense-evasion attack.t1562 attack.t1562.001 attack.t1529 ·

Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Deleting Windows Defender scheduled tasks

Aug 10, 2024 · attack.defense_evasion attack.t1562.001 ·

Share on:

Detects the deletion of scheduled tasks related to Windows Defender.

Disabled AV On Dev Drive via Registry

Aug 10, 2024 · attack.defense.evasion attack.T1562.001 ·

Share on:

Detects the execution registry change that enables a Dev Drive without allowing AV to access the created drive. This technique is available starting with Windows 11.

Disabling Python warnings for executing untrusted code

Aug 10, 2024 · attack.Defense-Evansion attack.T1562.001 ·

Share on:

Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Enabling Dev Drive With Disabled AV

Aug 10, 2024 · attack.defense.evasion attack.T1562.001 ·

Share on:

Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.

Enabling restricted admin mode

Aug 10, 2024 · attack.defense_evasion attack.t1562.001 ·

Share on:

Detects the registry modification to enable restricted admin mode using reg.exe

PowerShell AMSI Bypass Pattern

Aug 10, 2024 · attack.defense_evasion attack.t1562.001 attack.execution ·

Share on:

Detects attempts to disable AMSI in the commandline. It is possible to bypass AMSI by disabling it before loading the main payload.

Using powershell specific download cradle OneLiner

Aug 10, 2024 · attack.defense_evasion attack.t1562.001 attack.execution T1059.001 ·

Share on:

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

AWS Macie Evasion

Apr 21, 2023 · attack.defense_evasion attack.t1562.001 ·

Share on:

Detects evade to Macie detection.

Powershell MS Defender Tampering - ScriptBlockLogging

Jan 12, 2023 · attack.defense_evasion attack.t1562 attack.t1562.001 ·

Share on:

Detects powershell scripts attempting to disable MS Defender components using Set-MpPreference as performed by Vice Society ransomware gang. This includes additional techniques to evade existing rules by feeding in a proxy value of $true using a powershell boolean expression like (0 -eq $false).

Tampering of Windows Defender with Reg

Nov 29, 2022 · attack.defense_evasion attack.t1562 attack.t1562.001 ·

Share on:

Detects use of the reg utility to tamper with MS Defender protections.

Abusing PowerShell to Disable Defender Components

Nov 9, 2022 · attack.defense_evasion attack.t1562 attack.t1562.001 attack.t1562.004 ·

Share on:

Looks for instances of powershell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Abusing PowerShell to Modify Defender Components

Nov 9, 2022 · attack.defense_evasion attack.t1562 attack.t1562.001 attack.t1562.004 ·

Share on:

Looks for instances of powershell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.