Sigma Rules
127 rules found for "attack.T1562.001"
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
Windows AMSI Related Registry Tampering Via CommandLine
Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
Windows Credential Guard Registry Tampering Via CommandLine
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Windows Defender Context Menu Removed
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
Dism Remove Online Package
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
HackTool - PowerTool Execution
Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
HackTool - Stracciatella Execution
Detects Stracciatella, which executes a PowerShell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
Potential AMSI Bypass Via .NET Reflection
Detects a request to "amsiInitFailed" that can be used to disable AMSI scanning
Potential AMSI Bypass Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using PowerShell
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute PowerShell modules in memory.
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
PUA - CleanWipe Execution
Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus.
Python Function Execution Security Warning Disabled In Excel
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow the ransomware to work in safe mode as some security products do not
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safeboot execution of security products
Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attackers to remove AV software services
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Security Service Disabled Via Reg.EXE
Detects execution of "reg.exe" to disable security services such as Windows Defender.
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Service StartupType Change Via Sc.EXE
Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the command taskkill /im ccSvcHst.exe /f several times, thereby killing the process belonging to the service, and thus shutting down the service.
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
Windows Credential Guard Related Registry Value Deleted - Registry
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder