EXPLORE DETECTIONS
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
Disable Security Tools
Detects disabling security tools
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using Powershell
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
Disable-WindowsOptionalFeature Command PowerShell
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Disabled MFA to Bypass Authentication Mechanisms
Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
Disabling Security Tools
Detects disabling security tools
Disabling Security Tools - Builtin
Detects disabling security tools
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Discovery of a System Time
Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
Discovery Using AzureHound
Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
Diskshadow Child Process Spawned
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.