Uninstall Windows Feature - Defender

Detects use of the PowerShell Uninstall-WindowsFeature cmdlet against the Windows Defender feature (Windows-Defender-GUI) on a Windows Server host. Removing the feature goes further than disabling real-time protection: the defensive software itself is uninstalled, which is why the rule is rated high and mapped to ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). Note that the selection only matches an Image ending in \powershell.exe; the same cmdlet run from pwsh.exe (PowerShell 7) is not covered.

Sigma rule

title: Uninstall Windows Feature - Defender
id: 3f2f0cf4-c2c2-4633-8f1c-58a0485f0237
status: experimental
description: Detects use of the Uninstall-WindowsFeature cmdlet to remove the Windows Defender feature
author: _pete_0, TheDFIRReport
references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide
  - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
date: 2023-04-02
modified: 2024-02-23
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'uninstall-windowsfeature'
      - 'Windows-Defender-GUI'
    Image|endswith:
      - '\powershell.exe'
  condition: all of selection
fields:
  - CommandLine
falsepositives:
  - Unknown
level: high
tags:
  - attack.t1562.001
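The following is an added example, not part of the rule or of the Sigma project: a small hand-written matcher (not pySigma) that runs the rule's selection over a few constructed process_creation events. It implements only the modifiers the rule uses, with Sigma's default case-insensitive string matching. One point it makes concrete: as printed, the two values under `CommandLine|contains` are OR-linked, so a benign `Uninstall-WindowsFeature` of another feature, or a read-only `Get-WindowsFeature` that merely names Windows-Defender-GUI, also fires. The `contains|all` variant in the block is an assumption about the rule's intent, included for comparison; it is not the rule as published here. The event list and paths are constructed sample data.

```python
# Added example: a hand-written matcher for the selection of the Sigma rule above.
# It is not pySigma and not part of the Sigma project; it implements only the
# modifiers the rule uses (contains, endswith, and the |all variant) with Sigma's
# default case-insensitive string matching. All events below are constructed.

# The selection as printed in the rule: a list under `contains` is OR-linked.
SELECTION_AS_PRINTED = {
    "CommandLine|contains": ["uninstall-windowsfeature", "Windows-Defender-GUI"],
    "Image|endswith": ["\\powershell.exe"],
}

# Hypothetical AND-linked variant (contains|all) for comparison; this is an
# assumption about the rule's intent, not the rule as published here.
SELECTION_ALL = {
    "CommandLine|contains|all": ["uninstall-windowsfeature", "Windows-Defender-GUI"],
    "Image|endswith": ["\\powershell.exe"],
}

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"

# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"Image": POWERSHELL,  # 0: the activity the rule is written for
     "CommandLine": 'powershell.exe -NoProfile -Command "Uninstall-WindowsFeature -Name Windows-Defender-GUI"'},
    {"Image": POWERSHELL,  # 1: benign feature removal, no Defender involvement
     "CommandLine": "powershell.exe Uninstall-WindowsFeature -Name Telnet-Client"},
    {"Image": PWSH,        # 2: same removal from PowerShell 7; Image is pwsh.exe
     "CommandLine": "pwsh.exe -c Uninstall-WindowsFeature -Name Windows-Defender-GUI"},
    {"Image": POWERSHELL,  # 3: read-only query that merely names the feature
     "CommandLine": "powershell.exe Get-WindowsFeature -Name Windows-Defender-GUI"},
]


def _values_match(value: str, patterns: list[str], modifier: str, require_all: bool) -> bool:
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    v = value.lower()
    if modifier == "contains":
        hits = [p.lower() in v for p in patterns]
    elif modifier == "endswith":
        hits = [v.endswith(p.lower()) for p in patterns]
    elif modifier == "equals":
        hits = [v == p.lower() for p in patterns]
    else:
        raise ValueError(f"unsupported modifier: {modifier}")
    return all(hits) if require_all else any(hits)


def selection_matches(event: dict, selection: dict) -> bool:
    """A selection map is an AND over its keys; each value list is an OR unless |all is set."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        require_all = "all" in mods
        mods = [m for m in mods if m != "all"]
        modifier = mods[0] if mods else "equals"
        if not _values_match(str(event.get(field, "")), patterns, modifier, require_all):
            return False
    return True


def run_rule(events: list[dict], selection: dict) -> list[int]:
    """Indices of events matched by the selection (the rule's condition names only this one selection)."""
    return [i for i, e in enumerate(events) if selection_matches(e, selection)]


if __name__ == "__main__":
    print("as printed (OR):", run_rule(EVENTS, SELECTION_AS_PRINTED))  # [0, 1, 3]
    print("contains|all:  ", run_rule(EVENTS, SELECTION_ALL))          # [0]
```

Event 2 is missed by both variants because the Image filter only accepts \powershell.exe, which is the coverage gap a hunter would want to close before relying on this rule on hosts where PowerShell 7 is installed.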
