Uninstall Windows Feature - Defender

 1title: Uninstall Windows Feature - Defender
 2id: 3f2f0cf4-c2c2-4633-8f1c-58a0485f0237
 3status: Experimental
 4description: Detects use of Windows Uninstall defender feature
 5author: _pete_0, TheDFIRReport
 6references:
 7  - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide
 8  - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
 9date: 2023-04-02
10modified: 2024-02-23
11logsource:
12  category: process_creation
13  product: windows
14detection:
15  selection:
16    CommandLine|contains:
17    - 'uninstall-windowsfeature'
18    - 'Windows-Defender-GUI'
19    Image|endswith:
20      - '\powershell.exe'
21  condition: all of selection
22fields:
23  - CommandLine
24falsepositives:
25  - Unknown
26level: high
27tags:
28  - attack.t1562.001

References

• Microsoft Defender Antivirus on Windows Server - Microsoft Defender for Endpoint

  

  Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016, Windows Server 2019, and Windows Server 2022.

  
  Read More

• Malicious ISO File Leads to Domain Wide Ransomware

  

  IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. Post exploitation activities detail some familiar and…

  
  Read More

Related rules

• Custom Cobalt Strike Command Execution
• Deleting Windows Defender scheduled tasks
• Enabling restricted admin mode
• AWS Macie Evasion
• Powershell MS Defender Tampering - ScriptBlockLogging