https://detection.fyi/tags/attack.t1685/ Recent content in attack.t1685 on Detection.FYI Hugo -- gohugo.io Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_add_safeboot/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_add_safeboot/ Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22/ Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_amsi_disable/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_amsi_disable/ Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value. Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content. Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter/ Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive". https://detection.fyi/sigmahq/sigma/linux/auditd/lnx_auditd_disable_aslr_protection/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/lnx_auditd_disable_aslr_protection/ Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including: - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000) - Modification of the /proc/sys/kernel/randomize_va_space file - Execution of the `sysctl` command to set `kernel.randomize_va_space=0` Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable. https://detection.fyi/sigmahq/sigma/linux/auditd/path/lnx_auditd_auditing_config_change/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/path/lnx_auditd_auditing_config_change/ Detect changes in auditd configuration files https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated/ Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate. https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_guardduty_disruption/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_guardduty_disruption/ Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_securityhub_finding_evasion/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/aws/cloudtrail/aws_securityhub_finding_evasion/ Detects the modification of the findings on SecurityHub. https://detection.fyi/sigmahq/sigma/cloud/azure/activity_logs/azure_kubernetes_events_deleted/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/azure/activity_logs/azure_kubernetes_events_deleted/ Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected/ Detects changes to the bitbucket audit log configuration. https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted/ Detects Bitbucket global secret scanning rule deletion activity. https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected/ Detects Bitbucket global SSH access configuration changes. https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added/ Detects when a secret scanning allowlist rule is added for projects. https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected/ Detects when a repository is exempted from secret scanning feature. https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted/ Detects when secret scanning rule is deleted for the project or repository. https://detection.fyi/sigmahq/sigma/network/cisco/aaa/cisco_cli_disable_logging/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/network/cisco/aaa/cisco_cli_disable_logging/ Turn off logging locally or remote https://detection.fyi/sigmahq/sigma/network/cisco/aaa/cisco_cli_dot1x_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/network/cisco/aaa/cisco_cli_dot1x_disabled/ Detects the manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface. Disabling dot1x bypasses Network Access Control (NAC) mechanisms, potentially allowing unauthorized devices to gain access to the internal network. This activity is a common technique used by attackers or malicious insiders to establish persistence or perform lateral movement via rogue devices. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/ Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host. https://detection.fyi/sigmahq/sigma/emerging-threats/2023/ta/diamond-sleet/registry_event_apt_diamond_sleet_scheduled_task/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2023/ta/diamond-sleet/registry_event_apt_diamond_sleet_scheduled_task/ Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender/ Detects disabling Windows Defender Exploit Guard Network Protection https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_etw_trace_evasion/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_etw_trace_evasion/ Detects usage of powershell cmdlets to disable or remove ETW trace sessions https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_services_stop_and_disable/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_services_stop_and_disable/ Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_privacy_settings_experience/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_privacy_settings_experience/ Detects registry modifications that disable Privacy Settings Experience https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender/ Detects disabling Windows Defender PUA protection https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_disable_security_tools/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/macos/process_creation/proc_creation_macos_disable_security_tools/ Detects disabling security tools https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender/ Detects disabling Windows Defender Tamper Protection https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring/ Detects attackers attempting to disable Windows Defender using Powershell https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_windows_defender_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_windows_defender_tamper/ Detects when attackers or tools disable Windows Defender functionalities via the Windows registry https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature/ Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_disable_ie_features/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_disable_ie_features/ Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_volsnap_disable/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_volsnap_disable/ Detects commands that temporarily turn off Volume Snapshots https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog/ Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger/ Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_dism_remove/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_dism_remove/ Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_set_enable_anonymous_connection/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_set_enable_anonymous_connection/ Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change/ Detects changes to the ESXi syslog configuration via "esxcli" https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper/ Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_services_etw_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_services_etw_tamper/ Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_dot_net_etw_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_dot_net_etw_tamper/ Potential adversaries stopping ETW providers recording loaded .NET assemblies. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_dot_net_etw_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_dot_net_etw_tamper/ Potential adversaries stopping ETW providers recording loaded .NET assemblies. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline/ Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_etw_trace_evasion/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_etw_trace_evasion/ Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver/ Detect filter driver unloading activity via fltmc.exe https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders/ Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder https://detection.fyi/sigmahq/sigma/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object/ Detects the addition of firewall address objects on a Fortinet FortiGate Firewall. https://detection.fyi/sigmahq/sigma/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added/ Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall. https://detection.fyi/sigmahq/sigma/application/github/audit/github_push_protection_bypass_detected/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/github/audit/github_push_protection_bypass_detected/ Detects when a user bypasses the push protection on a secret detected by secret scanning. https://detection.fyi/sigmahq/sigma/application/github/audit/github_push_protection_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/github/audit/github_push_protection_disabled/ Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. https://detection.fyi/sigmahq/sigma/application/github/audit/github_secret_scanning_feature_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/application/github/audit/github_secret_scanning_feature_disabled/ Detects if the secret scanning feature is disabled for an enterprise or repository. https://detection.fyi/sigmahq/sigma/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted/ Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern/ Detects a typical pattern of a CobaltStrike BOF which inject into other processes https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_edr_freeze/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_edr_freeze/ Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_edrsilencer/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_edrsilencer/ Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_hktl_edr_silencer/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_hktl_edr_silencer/ Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_powertool/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_powertool/ Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_stracciatella_execution/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_stracciatella_execution/ Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper/ Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique) https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled/ Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hvci_registry_tampering/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hvci_registry_tampering/ Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms. https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled/ Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors. https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_dll_rstrtmgr_suspicious_load/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_dll_rstrtmgr_suspicious_load/ Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes. https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_dll_rstrtmgr_uncommon_load/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_dll_rstrtmgr_uncommon_load/ Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes. https://detection.fyi/sigmahq/sigma/linux/auditd/path/lnx_auditd_logging_config_change/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/linux/auditd/path/lnx_auditd_logging_config_change/ Detect changes of syslog daemons configuration files https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_tamper_protection_trigger/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_tamper_protection_trigger/ Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" https://detection.fyi/sigmahq/sigma/windows/builtin/application/application_error/win_application_error_msmpeng_crash/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/application/application_error/win_application_error_msmpeng_crash/ This rule detects a suspicious crash of the Microsoft Malware Protection Engine https://detection.fyi/sigmahq/sigma/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer/ This rule detects a suspicious crash of the Microsoft Malware Protection Engine https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_office_disable_protected_view_features/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_office_disable_protected_view_features/ Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature. https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_net_ntlm_downgrade/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_net_ntlm_downgrade/ Detects NetNTLM downgrade attack https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_net_ntlm_downgrade/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_net_ntlm_downgrade/ Detects NetNTLM downgrade attack https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated/ Detects the execution of a specific OneLiner to download and execute powershell modules in memory. https://detection.fyi/sigmahq/sigma/identity/okta/okta_user_session_start_via_anonymised_proxy/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/identity/okta/okta_user_session_start_via_anonymised_proxy/ Detects when an Okta user session starts where the user is behind an anonymising proxy service. https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass/ Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass/ Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass/ Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_amsi_com_hijack/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_amsi_com_hijack/ Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless https://detection.fyi/sigmahq/sigma/emerging-threats/2020/malware/ke3chang-tidepool/proc_creation_win_malware_ke3chang_tidepool/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2020/malware/ke3chang-tidepool/proc_creation_win_malware_ke3chang_tidepool/ Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_user_driver_loaded/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_user_driver_loaded/ Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_secedit_execution/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_secedit_execution/ Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_uninstall_security_products/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_uninstall_security_products/ Detects uninstallation or termination of security products using the WMIC utility https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_namespace_defender/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_namespace_defender/ Detects potential tampering with Windows Defender settings such as adding exclusion using wmic https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_base64_mppreference/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_base64_mppreference/ Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_defender_disable_feature/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_defender_disable_feature/ Detects requests to disable Microsoft Defender features using PowerShell commands https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_defender_exclusion/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_defender_exclusion/ Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_defender_default_action_modified/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_defender_default_action_modified/ Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_werfaultsecure_abuse/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_werfaultsecure_abuse/ Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pua_cleanwipe/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_pua_cleanwipe/ Detects the use of CleanWipe a tool usually used to delete Symantec antivirus. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings/ Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_office_disable_python_security_warnings/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_office_disable_python_security_warnings/ Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_disable_raccine/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_disable_raccine/ Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/redsun/pipe_created_win_exploit_redsun_named_pipe/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/redsun/pipe_created_win_exploit_redsun_named_pipe/ Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \\??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution. https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/redsun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/emerging-threats/2026/exploits/redsun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/ Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool. RedSun works as follows: 1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\ 2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt 3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file 4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open 5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path 6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_susp_paths/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_susp_paths/ Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/ Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/ Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/ Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_delete_safeboot/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_delete_safeboot/ Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_enabling_turnoffcheck/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_enabling_turnoffcheck/ Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_disable_sec_services/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_disable_sec_services/ Detects execution of "reg.exe" to disable security services such as Windows Defender. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_delete_services/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_delete_services/ Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_service_startup_change/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_wmic_service_startup_change/ Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_set_service_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_set_service_disabled/ Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual" https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sc_disable_service/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sc_disable_service/ Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand" https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps/ Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/ Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_ime_suspicious_paths/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_ime_suspicious_paths/ Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/ Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period. https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/ Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques. https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder/ Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_susp_service_installed/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_susp_service_installed/ Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature/ Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_defender_exclusion/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_defender_exclusion/ Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_windows_defender_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_windows_defender_tamper/ Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_service_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_service_tamper/ Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_logman_disable_eventlog/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_logman_disable_eventlog/ Detects the execution of "logman" utility in order to disable or delete Windows trace sessions https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution/ Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses https://detection.fyi/sigmahq/sigma/windows/builtin/system/application_popup/win_system_application_sysmon_crash/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/system/application_popup/win_system_application_sysmon_crash/ Detects application popup reporting a failure of the Sysmon service https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update/ Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude/ Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon/ Detects possible Sysmon filter driver unloaded via fltmc.exe https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp/ Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp/ Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_remove_mppreference/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_remove_mppreference/ Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp/ Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_sophos_av_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_sophos_av_tamper/ Detects tamper attempts to sophos av functionality via registry key modification https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_taskkill_sep/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_taskkill_sep/ Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_ime_non_default_extension/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_ime_non_default_extension/ Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon/ Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall/ Detects the removal of Sysmon, which could be a potential attempt at defense evasion https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/ Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_alert_enable_weak_encryption/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_alert_enable_weak_encryption/ Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_susp_wfp_filter_added/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_susp_wfp_filter_added/ Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events. https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_restored_quarantine_file/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_restored_quarantine_file/ Detects the restoration of files from the defender quarantine https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_amsi_registry_tampering/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_amsi_registry_tampering/ Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution. https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_credential_guard_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_credential_guard_disabled/ Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/ Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse. https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_disable_credential_guard/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_delete/registry_delete_disable_credential_guard/ Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_suspicious_features_tampering/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_suspicious_features_tampering/ Detects suspicious changes to the Windows Defender configuration https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_defender_remove_context_menu/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_defender_remove_context_menu/ Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition/ Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified/ Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_windows_defender_exclusions_write_access/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/win_security_windows_defender_exclusions_write_access/ Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_config_change_exclusion_added/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_config_change_exclusion_added/ Detects the Setting of Windows Defender Exclusions https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added/ Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_defender_exclusions/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_defender_exclusions/ Detects the Setting of Windows Defender Exclusions https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper/ Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications" https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_antimalware_platform_expired/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_antimalware_platform_expired/ Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled. https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled/ Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_real_time_protection_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_real_time_protection_disabled/ Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_real_time_protection_errors/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_real_time_protection_errors/ Detects issues with Windows Defender Real-Time Protection features https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_windows_defender_service/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_disable_windows_defender_service/ Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_config_change_sample_submission_consent/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_config_change_sample_submission_consent/ Detects disabling of the "Automatic Sample Submission" feature of Windows Defender. https://detection.fyi/sigmahq/sigma/windows/builtin/system/service_control_manager/win_system_defender_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/system/service_control_manager/win_system_defender_disabled/ Detects when the "Windows Defender Threat Protection" service is disabled. https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_defender_threat_action_modified/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_event/registry_event_defender_threat_action_modified/ Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads. https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_virus_scan_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/windefend/win_defender_virus_scan_disabled/ Detects disabling of the Windows Defender virus scanning feature https://detection.fyi/sigmahq/sigma/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked/ Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_disable_firewall/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_disable_firewall/ Detects attempts to disable the Windows Firewall using PowerShell https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/ Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/ Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers, and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques. This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later. Note that this change will require a reboot to take effect, and this rule only detects the registry modification action. https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled/ Tue, 28 Apr 2026 23:20:23 +0000 https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled/ Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.