Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects the execution of a specific OneLiner to Invoke PowerShell commands.

Read More

Detects the deletion of scheduled tasks related to Windows Defender.

Read More

Detects the registry modification to enable restricted admin mode using reg.exe

Read More

Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Read More

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

Read More

Detects changes to the bitbucket audit log configuration.

Read More

Detects Bitbucket global secret scanning rule deletion activity.

Read More

Detects Bitbucket global SSH access configuration changes.

Read More

Detects when a secret scanning allowlist rule is added for projects.

Read More

Detects when a repository is exempted from secret scanning feature.

Read More

Detects when secret scanning rule is deleted for the project or repository.

Read More

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Read More

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

Read More

Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Read More

Detects NetNTLM downgrade attack

Read More

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More

Detects changes to the ESXi syslog configuration via "esxcli"

Read More

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More

Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.

Read More

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Read More

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Read More

Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

Read More

Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Read More

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.

Read More

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

Read More

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

Read More

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Read More

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Read More

Detects disabling, deleting and updating of a Trail

Read More

Detects AWS Config Service disabling

Read More

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Read More

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Read More

Turn off logging locally or remote

Read More

Detects disabling Windows Defender Exploit Guard Network Protection

Read More

Detects registry modifications that disable Privacy Settings Experience

Read More

Detects disabling Windows Defender PUA protection

Read More

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.

Read More

Detects disabling security tools

Read More

Detects disabling Windows Defender Tamper Protection

Read More

Detects attackers attempting to disable Windows Defender using Powershell

Read More

Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Read More

Detects commands that temporarily turn off Volume Snapshots

Read More

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Read More

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

Read More

Detects if the secret scanning feature is disabled for an enterprise or repository.

Read More

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Read More

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Read More

Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel

Read More

Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.

Read More

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Read More

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Read More

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Read More

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

Read More

Detects NetNTLM downgrade attack

Read More

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Read More

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Read More

Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless

Read More

Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020

Read More

Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

Read More

Detects uninstallation or termination of security products using the WMIC utility

Read More

Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV

Read More

Detects requests to disable Microsoft Defender features using PowerShell commands

Read More

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Read More

Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.

Read More

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

Read More

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

Read More

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Read More

Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products

Read More

Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability

Read More

Detects execution of "reg.exe" to disable security services such as Windows Defender.

Read More

Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services

Read More

Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"

Read More

Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"

Read More

Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings

Read More

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

Read More

Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

Read More

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

Read More

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Read More

Detects the execution of "logman" utility in order to disable or delete Windows trace sessions

Read More

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

Read More

Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely

Read More

Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet

Read More

Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet

Read More

Detects tamper attempts to sophos av functionality via registry key modification

Read More

Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.

Read More

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

Read More

Detects the removal of Sysmon, which could be a potential attempt at defense evasion

Read More

Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

Read More

Detects the restoration of files from the defender quarantine

Read More

Detects suspicious changes to the Windows Defender configuration

Read More

Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files

Read More

Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Read More

Detects the Setting of Windows Defender Exclusions

Read More

Detects the Setting of Windows Defender Exclusions

Read More

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

Read More

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

Read More

Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

Read More

Detects issues with Windows Defender Real-Time Protection features

Read More

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Read More

Detects when the "Windows Defender Threat Protection" service is disabled.

Read More

Detects disabling of the Windows Defender virus scanning feature

Read More

Detects the deletion of scheduled tasks related to Windows Defender.

Read More

Detects the execution registry change that enables a Dev Drive without allowing AV to access the created drive. This technique is available starting with Windows 11.

Read More

Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.

Read More

Detects the registry modification to enable restricted admin mode using reg.exe

Read More

Detects attempts to disable AMSI in the commandline. It is possible to bypass AMSI by disabling it before loading the main payload.

Read More

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects use of Windows Uninstall defender feature

Read More

Detects Windows Defender disabling service installation

Read More

Detects evade to Macie detection.

Read More

Detects powershell scripts attempting to disable MS Defender components using Set-MpPreference as performed by Vice Society ransomware gang. This includes additional techniques to evade existing rules by feeding in a proxy value of $true using a powershell boolean expression like (0 -eq $false).

Read More

Detects use of the reg utility to tamper with MS Defender protections.

Read More

Looks for instances of powershell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for instances of powershell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More