sigma | high | Hunting
Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
MITRE ATT&CK
Detection Query
selection_img:
  - Image|endswith: \MpCmdRun.exe
  - OriginalFileName: MpCmdRun.exe
selection_cli:
  CommandLine|contains|all:
    - " -RemoveDefinitions"
    - " -All"
condition: all of selection_*
Author
frack113
Created
2021-07-07
Data Sources
windows / Process Creation Events
Platforms
windows
References
Tags
attack.defense-impairment, attack.t1685
Raw Content
title: Windows Defender Definition Files Removed
id: 9719a8aa-401c-41af-8108-ced7ec9cd75c
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
  - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
author: frack113
date: 2021-07-07
modified: 2023-07-18
tags:
  - attack.defense-impairment
  - attack.t1685
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\MpCmdRun.exe'
    - OriginalFileName: MpCmdRun.exe
  selection_cli:
    CommandLine|contains|all:
      - ' -RemoveDefinitions'
      - ' -All'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high
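As an added example (not part of the Sigma rule or of this page), the following Python evaluates the detection above against a handful of constructed process-creation events. The event records and their field names (Image, OriginalFileName, CommandLine) are assumptions modelled on Sysmon-style process_creation telemetry, and the matcher implements only the modifiers this rule uses (endswith, contains, all) together with Sigma's case-insensitive string comparison and the "all of selection_*" condition. The samples include a benign MpCmdRun.exe signature update and a command line that carries the two flags under a different image, to show where each selection block earns its keep.

```python
"""Evaluate the 'Windows Defender Definition Files Removed' Sigma detection
against constructed process-creation events.  Added example, not the rule
author's code; the events below are made up, not captured telemetry."""

# The rule's detection block, transcribed as a Python structure so the
# example runs without a YAML parser.
RULE_DETECTION = {
    "selection_img": [                      # list of maps -> OR
        {"Image|endswith": r"\MpCmdRun.exe"},
        {"OriginalFileName": "MpCmdRun.exe"},
    ],
    "selection_cli": {                      # single map -> AND across keys
        "CommandLine|contains|all": [" -RemoveDefinitions", " -All"],
    },
    "condition": "all of selection_*",
}


def _match_field(event: dict, spec: str, expected) -> bool:
    """Apply one 'Field|modifier|...' spec to an event.

    Only the modifiers this rule needs are implemented.  Sigma string
    comparison is case-insensitive, so both sides are lower-cased; the
    'all' modifier turns a list of values from OR into AND.
    """
    field, *mods = spec.split("|")
    value = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in values]

    def test(w: str) -> bool:
        if "endswith" in mods:
            return value.endswith(w)
        if "startswith" in mods:
            return value.startswith(w)
        if "contains" in mods:
            return w in value
        return value == w

    results = [test(w) for w in wanted]
    return all(results) if "all" in mods else any(results)


def _match_selection(event: dict, selection) -> bool:
    """A list of maps is OR'd; the keys inside one map are AND'd."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, spec, val) for spec, val in selection.items())


def matches_rule(event: dict, detection: dict = RULE_DETECTION) -> bool:
    """Evaluate the rule's condition: every selection_* block must match."""
    if detection["condition"] != "all of selection_*":
        raise NotImplementedError("this example only handles 'all of selection_*'")
    return all(
        _match_selection(event, sel)
        for name, sel in detection.items()
        if name.startswith("selection_")
    )


# Constructed Sysmon-style process-creation events (assumed field names).
SAMPLE_EVENTS = [
    {   # 0: the behaviour the rule targets -> alert
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    },
    {   # 1: same flags in lower case; Sigma matching is case-insensitive -> alert
        "Image": r"C:\Program Files\Windows Defender\mpcmdrun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": "mpcmdrun.exe -removedefinitions -all",
    },
    {   # 2: routine signature update, no definition removal -> no alert
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": "MpCmdRun.exe -SignatureUpdate",
    },
    {   # 3: only one of the two required tokens (contains|all) -> no alert
        "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        "OriginalFileName": "MpCmdRun.exe",
        "CommandLine": "MpCmdRun.exe -RemoveDefinitions -DynamicSignatures",
    },
    {   # 4: the flags appear, but selection_img fails (not MpCmdRun.exe) -> no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo -RemoveDefinitions -All",
    },
]


def find_alerts(events: list) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Run as a script it prints the two alerting events. Event 4 is the reason the rule AND's selection_img with selection_cli: matching on the command line alone would flag anything that merely echoes or logs those flags, while the image and OriginalFileName checks pin the match to the Defender command-line tool itself.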