EXPLORE

EXPLORE DETECTIONS

🔍
3,281 detections found

Disable of ETW Trace - Powershell

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

T1070T1685
Sigmahigh

Disable Or Stop Services

Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.

T1685T1489
Sigmamedium

Disable Powershell Command History

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

T1070.003
Sigmahigh

Disable Privacy Settings Experience in Registry

Detects registry modifications that disable Privacy Settings Experience

T1685
Sigmamedium

Disable PUA Protection on Windows Defender

Detects disabling Windows Defender PUA protection

T1685
Sigmahigh

Disable Security Events Logging Adding Reg Key MiniNt

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

T1685.001T1112
Sigmahigh

Disable Security Tools

Detects disabling security tools

T1685
Sigmamedium

Disable System Firewall

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

T1686
Sigmahigh

Disable Tamper Protection on Windows Defender

Detects disabling Windows Defender Tamper Protection

T1685
Sigmamedium

Disable Windows Defender AV Security Monitoring

Detects attackers attempting to disable Windows Defender using Powershell

T1685
Sigmahigh

Disable Windows Defender Functionalities Via Registry Keys

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

T1685
Sigmahigh

Disable Windows Event Logging Via Registry

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

T1685.001
Sigmahigh

Disable Windows Firewall by Registry

Detect set EnableFirewall to 0 to disable the Windows firewall

T1686.003
Sigmamedium

Disable Windows IIS HTTP Logging

Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)

T1685.001
Sigmahigh

Disable Windows Security Center Notifications

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

T1112
Sigmamedium

Disable-WindowsOptionalFeature Command PowerShell

Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

T1685
Sigmahigh

Disabled IE Security Features

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

T1685
Sigmahigh

Disabled MFA to Bypass Authentication Mechanisms

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

T1556
Sigmamedium

Disabled Volume Snapshots

Detects commands that temporarily turn off Volume Snapshots

T1685
Sigmahigh

Disabled Windows Defender Eventlog

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

T1685
Sigmahigh

Disabling Multi Factor Authentication

Detects disabling of Multi Factor Authentication.

T1556.006
Sigmahigh

Disabling Security Tools

Detects disabling security tools

T1686
Sigmamedium

Disabling Security Tools - Builtin

Detects disabling security tools

T1686
Sigmamedium

Disabling Windows Defender WMI Autologger Session via Reg.exe

Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.

T1685
Sigmahigh
PreviousPage 23 of 137Next