Sigma Rules
1,585 rules found for "defense-evasion"
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Potential PowerShell Downgrade Attack
Detects a PowerShell downgrade attack by comparing the host version with the engine version actually in use (2.0)
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute PowerShell modules in memory.
Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Potential Encoded PowerShell Patterns In CommandLine
Detects specific combinations of encoding methods in PowerShell via the commandline
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Unsigned AppX Installation Attempt Using Add-AppxPackage
Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages
Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects suspicious encoded character syntax often used for defense evasion
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'Remove-MpPreference' cmdlet
Run PowerShell Script from ADS
Detects PowerShell script execution from Alternate Data Stream (ADS)
Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via input stream redirect
PowerShell Script Change Permission Via Set-Acl
Detects PowerShell execution to set the ACL of a file or a folder
PowerShell Set-Acl On Windows Folder
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
Suspicious X509Enrollment - Process Creation
Detects the use of X509Enrollment
Suspicious XOR Encoded PowerShell Command
Detects the presence of a potentially XOR-encoded PowerShell command
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost", a utility that runs ".xbap" (Browser Application) files, to download arbitrary files
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
Detects the execution of ".xbap" (Browser Application) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Abusing Print Executable
Attackers can use print.exe for remote file copy
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
PUA - CleanWipe Execution
Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus products.
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to run in safe mode, as some security products do not
Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In ClickFix techniques, the phishing lures instruct users to open a Run dialog (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe boot execution of security products
Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on service registry keys. Often used by attackers to remove AV software services
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Security Service Disabled Via Reg.EXE
Detects execution of "reg.exe" to disable security services such as Windows Defender.
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised