Detects execution of "reg.exe" to disable security services such as Windows Defender.

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Detects when attackers or tools disable Windows Defender functionalities via the windows registry

Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.

Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Detects issues with Windows Defender Real-Time Protection features

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Detects the "Windows Defender Threat Protection" service has been disabled

Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

Detects use of Windows Uninstall defender feature

Detects disabling Windows Defender threat protection

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"

Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Detects commands that temporarily turn off Volume Snapshots

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet

Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

Detects attackers attempting to disable Windows Defender using Powershell

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.

Detects uninstallation or termination of security products using the WMIC utility

Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Detects tamper attempts to sophos av functionality via registry key modification

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products

Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Detects NetNTLM downgrade attack

Detects NetNTLM downgrade attack

Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless

Detects requests to disable Microsoft Defender features using PowerShell commands