Detects application popup reporting a failure of the Sysmon service
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
Detects filter driver unloading activity via fltmc.exe
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
Looks for changes to the registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by the cypherpunk group.
Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detects a possible Sysmon filter driver unload via fltmc.exe
Detects attempts to disable the Windows Firewall using PowerShell
Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from any tooling such as "schtasks /query"
Detects removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by the Tarrask malware
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.
Detects the modification of findings on SecurityHub.
Detects when events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).