Splunk

12,787 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Elastic · Converted · Lucene · high · T1556
Directory Service Restore Mode (DSRM) Registry Value Tampering
Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in in DSRM mode when the server boots to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory. If "DsrmAdminLogonBehavior" is set to "0", the account can only be used if the DC starts in DSRM. If it is set to "1", the account can only be used if the local AD DS service is stopped. If it is set to "2", the account can always be used.
TargetObject:*\\Control\\Lsa\\DsrmAdminLogonBehavior AND (NOT Details:DWORD\ \(0x00000000\))
Elastic · Converted · EQL · high · T1489
Disable Important Scheduled Task
Detects adversaries stopping services or processes by disabling their respective scheduled tasks in order to conduct data-destructive activities
any where (Image:"*\\schtasks.exe" or OriginalFileName:"schtasks.exe") and CommandLine like~ ("*-disable*", "*/disable*", "*–disable*", "*—disable*", "*―disable*") and (CommandLine like~ ("*\\Windows\\BitLocker*", "*\\Windows\\ExploitGuard*", "*\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh*", "*\\Windows\\SystemRestore\\SR*", "*\\Windows\\UpdateOrchestrator\\*", "*\\Windows\\Windows Defender\\*", "*\\Windows\\WindowsBackup\\*", "*\\Windows\\WindowsUpdate\\*"))
Elastic · Converted · ES|QL · high · T1489
Disable Important Scheduled Task
Detects adversaries stopping services or processes by disabling their respective scheduled tasks in order to conduct data-destructive activities
from * metadata _id, _index, _version | where (ends_with(Image, "\\schtasks.exe") or OriginalFileName=="schtasks.exe") and (CommandLine like "*-disable*" or CommandLine like "*/disable*" or CommandLine like "*–disable*" or CommandLine like "*—disable*" or CommandLine like "*―disable*") and (CommandLine like "*\\Windows\\BitLocker*" or CommandLine like "*\\Windows\\ExploitGuard*" or CommandLine like "*\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh*" or CommandLine like "*\\Windows\\SystemRestore\\SR*" or CommandLine like "*\\Windows\\UpdateOrchestrator\\*" or CommandLine like "*\\Windows\\Windows Defender\\*" or CommandLine like "*\\Windows\\WindowsBackup\\*" or CommandLine like "*\\Windows\\WindowsUpdate\\*")
Elastic · Converted · Lucene · high · T1489
Disable Important Scheduled Task
Detects adversaries stopping services or processes by disabling their respective scheduled tasks in order to conduct data-destructive activities
(Image:*\\schtasks.exe OR OriginalFileName:schtasks.exe) AND CommandLine:(*\-disable* OR *\/disable* OR *–disable* OR *—disable* OR *―disable*) AND (CommandLine:(*\\Windows\\BitLocker* OR *\\Windows\\ExploitGuard* OR *\\Windows\\ExploitGuard\\ExploitGuard\ MDM\ policy\ Refresh* OR *\\Windows\\SystemRestore\\SR* OR *\\Windows\\UpdateOrchestrator\\* OR *\\Windows\\Windows\ Defender\\* OR *\\Windows\\WindowsBackup\\* OR *\\Windows\\WindowsUpdate\\*))
Elastic · Converted · EQL · high
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
any where (TargetObject:"*\\SOFTWARE\\*" and TargetObject:"*\\Microsoft\\Office\\*" and TargetObject:"*\\Common\\Security*") and TargetObject:"*\\MacroRuntimeScanScope" and Details:"DWORD (0x00000000)"
Elastic · Converted · ES|QL · high
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
from * metadata _id, _index, _version | where TargetObject like "*\\SOFTWARE\\*" and TargetObject like "*\\Microsoft\\Office\\*" and TargetObject like "*\\Common\\Security*" and ends_with(TargetObject, "\\MacroRuntimeScanScope") and Details=="DWORD (0x00000000)"
Elastic · Converted · Lucene · high
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
(TargetObject:*\\SOFTWARE\\* AND TargetObject:*\\Microsoft\\Office\\* AND TargetObject:*\\Common\\Security*) AND TargetObject:*\\MacroRuntimeScanScope AND Details:DWORD\ \(0x00000000\)
Elastic · Converted · EQL · high · T1685
Disable PUA Protection on Windows Defender
Detects the disabling of Windows Defender PUA protection
any where TargetObject:"*\\Policies\\Microsoft\\Windows Defender\\PUAProtection*" and Details:"DWORD (0x00000000)"
Elastic · Converted · ES|QL · high · T1685
Disable PUA Protection on Windows Defender
Detects the disabling of Windows Defender PUA protection
from * metadata _id, _index, _version | where TargetObject like "*\\Policies\\Microsoft\\Windows Defender\\PUAProtection*" and Details=="DWORD (0x00000000)"
Elastic · Converted · Lucene · high · T1685
Disable PUA Protection on Windows Defender
Detects the disabling of Windows Defender PUA protection
TargetObject:*\\Policies\\Microsoft\\Windows\ Defender\\PUAProtection* AND Details:DWORD\ \(0x00000000\)
Elastic · Converted · EQL · high · T1070.003
Disable PowerShell Command History
Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module
any where ScriptBlockText:"*Remove-Module*" and ScriptBlockText:"*psreadline*"
Elastic · Converted · ES|QL · high · T1070.003
Disable PowerShell Command History
Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module
from * metadata _id, _index, _version | where ScriptBlockText like "*Remove-Module*" and ScriptBlockText like "*psreadline*"
Elastic · Converted · Lucene · high · T1070.003
Disable PowerShell Command History
Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module
ScriptBlockText:*Remove\-Module* AND ScriptBlockText:*psreadline*
Elastic · Converted · EQL · high · T1112
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a 'MiniNt' key to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
any where (TargetObject:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and EventType:"CreateKey") or NewName:"HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"
Elastic · Converted · ES|QL · high · T1112
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a 'MiniNt' key to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
from * metadata _id, _index, _version | where TargetObject=="HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt" and EventType=="CreateKey" or NewName=="HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt"
Elastic · Converted · Lucene · high · T1112
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a 'MiniNt' key to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
(TargetObject:HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt AND EventType:CreateKey) OR NewName:HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt
Elastic · Converted · EQL · high · T1686
Disable System Firewall
Detects the disabling of system firewalls, which adversaries could use to bypass controls that limit network usage.
any where type:"SERVICE_STOP" and (unit like~ ("firewalld", "iptables", "ufw"))
Elastic · Converted · ES|QL · high · T1686
Disable System Firewall
Detects the disabling of system firewalls, which adversaries could use to bypass controls that limit network usage.
from * metadata _id, _index, _version | where type=="SERVICE_STOP" and (unit in ("firewalld", "iptables", "ufw"))
Elastic · Converted · Lucene · high · T1686
Disable System Firewall
Detects the disabling of system firewalls, which adversaries could use to bypass controls that limit network usage.
type:SERVICE_STOP AND (unit:(firewalld OR iptables OR ufw))
Elastic · Converted · EQL · high · T1685
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using PowerShell or sc.exe
any where (((Image like~ ("*\\powershell.exe", "*\\pwsh.exe")) or (OriginalFileName like~ ("PowerShell.EXE", "pwsh.dll"))) and (CommandLine like~ ("*-DisableBehaviorMonitoring $true*", "*-DisableRuntimeMonitoring $true*"))) or ((Image:"*\\sc.exe" or OriginalFileName:"sc.exe") and ((CommandLine:"*stop*" and CommandLine:"*WinDefend*") or (CommandLine:"*delete*" and CommandLine:"*WinDefend*") or (CommandLine:"*config*" and CommandLine:"*WinDefend*" and CommandLine:"*start=disabled*")))
Elastic · Converted · ES|QL · high · T1685
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using PowerShell or sc.exe
from * metadata _id, _index, _version | where (ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe") or OriginalFileName in ("PowerShell.EXE", "pwsh.dll")) and (CommandLine like "*-DisableBehaviorMonitoring $true*" or CommandLine like "*-DisableRuntimeMonitoring $true*") or (ends_with(Image, "\\sc.exe") or OriginalFileName=="sc.exe") and (CommandLine like "*stop*" and CommandLine like "*WinDefend*" or CommandLine like "*delete*" and CommandLine like "*WinDefend*" or CommandLine like "*config*" and CommandLine like "*WinDefend*" and CommandLine like "*start=disabled*")
Elastic · Converted · Lucene · high · T1685
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using PowerShell or sc.exe
(((Image:(*\\powershell.exe OR *\\pwsh.exe)) OR (OriginalFileName:(PowerShell.EXE OR pwsh.dll))) AND (CommandLine:(*\-DisableBehaviorMonitoring\ $true* OR *\-DisableRuntimeMonitoring\ $true*))) OR ((Image:*\\sc.exe OR OriginalFileName:sc.exe) AND ((CommandLine:*stop* AND CommandLine:*WinDefend*) OR (CommandLine:*delete* AND CommandLine:*WinDefend*) OR (CommandLine:*config* AND CommandLine:*WinDefend* AND CommandLine:*start\=disabled*)))
Elastic · Converted · EQL · high · T1685
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
any where (TargetObject like~ ("*\\SOFTWARE\\Microsoft\\Windows Defender\\*", "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\*", "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*")) and (((TargetObject like~ ("*\\DisableAntiSpyware", "*\\DisableAntiVirus", "*\\DisableBehaviorMonitoring", "*\\DisableBlockAtFirstSeen", "*\\DisableEnhancedNotifications", "*\\DisableIntrusionPreventionSystem", "*\\DisableIOAVProtection", "*\\DisableOnAccessProtection", "*\\DisableRealtimeMonitoring", "*\\DisableScanOnRealtimeEnable", "*\\DisableScriptScanning")) and Details:"DWORD (0x00000001)") or ((TargetObject like~ ("*\\DisallowExploitProtectionOverride", "*\\Features\\TamperProtection", "*\\MpEngine\\MpEnablePus", "*\\PUAProtection", "*\\Signature Update\\ForceUpdateFromMU", "*\\SpyNet\\SpynetReporting", "*\\SpyNet\\SubmitSamplesConsent", "*\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) and Details:"DWORD (0x00000000)")) and (not (Image:"C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\*" and Image:"*\\sepWscSvc64.exe"))
Elastic · Converted · ES|QL · high · T1685
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
from * metadata _id, _index, _version | where (TargetObject like "*\\SOFTWARE\\Microsoft\\Windows Defender\\*" or TargetObject like "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\*" or TargetObject like "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*") and ((ends_with(TargetObject, "\\DisableAntiSpyware") or ends_with(TargetObject, "\\DisableAntiVirus") or ends_with(TargetObject, "\\DisableBehaviorMonitoring") or ends_with(TargetObject, "\\DisableBlockAtFirstSeen") or ends_with(TargetObject, "\\DisableEnhancedNotifications") or ends_with(TargetObject, "\\DisableIntrusionPreventionSystem") or ends_with(TargetObject, "\\DisableIOAVProtection") or ends_with(TargetObject, "\\DisableOnAccessProtection") or ends_with(TargetObject, "\\DisableRealtimeMonitoring") or ends_with(TargetObject, "\\DisableScanOnRealtimeEnable") or ends_with(TargetObject, "\\DisableScriptScanning")) and Details=="DWORD (0x00000001)" or (ends_with(TargetObject, "\\DisallowExploitProtectionOverride") or ends_with(TargetObject, "\\Features\\TamperProtection") or ends_with(TargetObject, "\\MpEngine\\MpEnablePus") or ends_with(TargetObject, "\\PUAProtection") or ends_with(TargetObject, "\\Signature Update\\ForceUpdateFromMU") or ends_with(TargetObject, "\\SpyNet\\SpynetReporting") or ends_with(TargetObject, "\\SpyNet\\SubmitSamplesConsent") or ends_with(TargetObject, "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess")) and Details=="DWORD (0x00000000)") and not (starts_with(Image, "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\") and ends_with(Image, "\\sepWscSvc64.exe"))
Elastic · Converted · Lucene · high · T1685
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
(TargetObject:(*\\SOFTWARE\\Microsoft\\Windows\ Defender\\* OR *\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender\ Security\ Center\\* OR *\\SOFTWARE\\Policies\\Microsoft\\Windows\ Defender\\*)) AND (((TargetObject:(*\\DisableAntiSpyware OR *\\DisableAntiVirus OR *\\DisableBehaviorMonitoring OR *\\DisableBlockAtFirstSeen OR *\\DisableEnhancedNotifications OR *\\DisableIntrusionPreventionSystem OR *\\DisableIOAVProtection OR *\\DisableOnAccessProtection OR *\\DisableRealtimeMonitoring OR *\\DisableScanOnRealtimeEnable OR *\\DisableScriptScanning)) AND Details:DWORD\ \(0x00000001\)) OR ((TargetObject:(*\\DisallowExploitProtectionOverride OR *\\Features\\TamperProtection OR *\\MpEngine\\MpEnablePus OR *\\PUAProtection OR *\\Signature\ Update\\ForceUpdateFromMU OR *\\SpyNet\\SpynetReporting OR *\\SpyNet\\SubmitSamplesConsent OR *\\Windows\ Defender\ Exploit\ Guard\\Controlled\ Folder\ Access\\EnableControlledFolderAccess)) AND Details:DWORD\ \(0x00000000\))) AND (NOT (Image:C\:\\Program\ Files\\Symantec\\Symantec\ Endpoint\ Protection\\* AND Image:*\\sepWscSvc64.exe))
Elastic · Converted · EQL · high · T1685.001
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable logging for a Windows event channel
any where (TargetObject:"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*" and TargetObject:"*\\Enabled" and Details:"DWORD (0x00000000)") and (not (Image:"C:\\Windows\\system32\\wevtutil.exe" or (Image:"C:\\Windows\\winsxs\\*" and Image:"*\\TiWorker.exe") or (Image:"C:\\Windows\\System32\\svchost.exe" and (TargetObject like~ ("*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1\\*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat\\*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error\\*", "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational\\*"))) or (Image:"C:\\Windows\\servicing\\TrustedInstaller.exe" and TargetObject:"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser*"))) and (not (Image=="" or (?Image == null)))
Elastic · Converted · ES|QL · high · T1685.001
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable logging for a Windows event channel
from * metadata _id, _index, _version | where TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*" and ends_with(TargetObject, "\\Enabled") and Details=="DWORD (0x00000000)" and not (Image=="C:\\Windows\\system32\\wevtutil.exe" or starts_with(Image, "C:\\Windows\\winsxs\\") and ends_with(Image, "\\TiWorker.exe") or Image=="C:\\Windows\\System32\\svchost.exe" and (TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter*" or TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1\\*" or TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat\\*" or TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error\\*" or TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational\\*") or Image=="C:\\Windows\\servicing\\TrustedInstaller.exe" and TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser*") and not (Image=="" or Image is null)
Elastic · Converted · Lucene · high · T1685.001
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable logging for a Windows event channel
(TargetObject:*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\* AND TargetObject:*\\Enabled AND Details:DWORD\ \(0x00000000\)) AND (NOT (Image:C\:\\Windows\\system32\\wevtutil.exe OR (Image:C\:\\Windows\\winsxs\\* AND Image:*\\TiWorker.exe) OR (Image:C\:\\Windows\\System32\\svchost.exe AND (TargetObject:(*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-FileInfoMinifilter* OR *\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-ASN1\\* OR *\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-Kernel\-AppCompat\\* OR *\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-Runtime\\Error\\* OR *\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-CAPI2\/Operational\\*))) OR (Image:C\:\\Windows\\servicing\\TrustedInstaller.exe AND TargetObject:*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-Compat\-Appraiser*))) AND (NOT (Image:"" OR (NOT _exists_:Image)))
Elastic · Converted · EQL · high · T1685.001
Disable Windows IIS HTTP Logging
Detects the disabling of HTTP logging on a Windows IIS web server, as seen with Threat Group 3390 (Bronze Union)
any where (Image:"*\\appcmd.exe" or OriginalFileName:"appcmd.exe") and (CommandLine:"*set*" and CommandLine:"*config*" and CommandLine:"*section:httplogging*" and CommandLine:"*dontLog:true*")
Elastic · Converted · ES|QL · high · T1685.001
Disable Windows IIS HTTP Logging
Detects the disabling of HTTP logging on a Windows IIS web server, as seen with Threat Group 3390 (Bronze Union)
from * metadata _id, _index, _version | where (ends_with(Image, "\\appcmd.exe") or OriginalFileName=="appcmd.exe") and CommandLine like "*set*" and CommandLine like "*config*" and CommandLine like "*section:httplogging*" and CommandLine like "*dontLog:true*"
Elastic · Converted · Lucene · high · T1685.001
Disable Windows IIS HTTP Logging
Detects the disabling of HTTP logging on a Windows IIS web server, as seen with Threat Group 3390 (Bronze Union)
(Image:*\\appcmd.exe OR OriginalFileName:appcmd.exe) AND (CommandLine:*set* AND CommandLine:*config* AND CommandLine:*section\:httplogging* AND CommandLine:*dontLog\:true*)
Elastic · Converted · EQL · high · T1070
Disable of ETW Trace - PowerShell
Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions
any where ScriptBlockText:"*Remove-EtwTraceProvider *" or (ScriptBlockText:"*Set-EtwTraceProvider *" and ScriptBlockText:"*0x11*")
Elastic · Converted · ES|QL · high · T1070
Disable of ETW Trace - PowerShell
Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions
from * metadata _id, _index, _version | where ScriptBlockText like "*Remove-EtwTraceProvider *" or ScriptBlockText like "*Set-EtwTraceProvider *" and ScriptBlockText like "*0x11*"
Elastic · Converted · Lucene · high · T1070
Disable of ETW Trace - PowerShell
Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions
ScriptBlockText:*Remove\-EtwTraceProvider\ * OR (ScriptBlockText:*Set\-EtwTraceProvider\ * AND ScriptBlockText:*0x11*)
Elastic · Converted · EQL · high · T1685
Disable-WindowsOptionalFeature Command PowerShell
Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Like DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
any where (ScriptBlockText:"*Disable-WindowsOptionalFeature*" and ScriptBlockText:"*-Online*" and ScriptBlockText:"*-FeatureName*") and (ScriptBlockText like~ ("*Windows-Defender-Gui*", "*Windows-Defender-Features*", "*Windows-Defender*", "*Windows-Defender-ApplicationGuard*"))
Elastic · Converted · ES|QL · high · T1685
Disable-WindowsOptionalFeature Command PowerShell
Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Like DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
from * metadata _id, _index, _version | where ScriptBlockText like "*Disable-WindowsOptionalFeature*" and ScriptBlockText like "*-Online*" and ScriptBlockText like "*-FeatureName*" and (ScriptBlockText like "*Windows-Defender-Gui*" or ScriptBlockText like "*Windows-Defender-Features*" or ScriptBlockText like "*Windows-Defender*" or ScriptBlockText like "*Windows-Defender-ApplicationGuard*")
Elastic · Converted · Lucene · high · T1685
Disable-WindowsOptionalFeature Command PowerShell
Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Like DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
(ScriptBlockText:*Disable\-WindowsOptionalFeature* AND ScriptBlockText:*\-Online* AND ScriptBlockText:*\-FeatureName*) AND (ScriptBlockText:(*Windows\-Defender\-Gui* OR *Windows\-Defender\-Features* OR *Windows\-Defender* OR *Windows\-Defender\-ApplicationGuard*))
Elastic · Converted · EQL · high · T1685
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
any where (CommandLine:"* -name IEHarden *" and CommandLine:"* -value 0 *") or (CommandLine:"* -name DEPOff *" and CommandLine:"* -value 1 *") or (CommandLine:"* -name DisableFirstRunCustomize *" and CommandLine:"* -value 2 *")
Elastic · Converted · ES|QL · high · T1685
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
from * metadata _id, _index, _version | where CommandLine like "* -name IEHarden *" and CommandLine like "* -value 0 *" or CommandLine like "* -name DEPOff *" and CommandLine like "* -value 1 *" or CommandLine like "* -name DisableFirstRunCustomize *" and CommandLine like "* -value 2 *"
Elastic · Converted · Lucene · high · T1685
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
(CommandLine:*\ \-name\ IEHarden\ * AND CommandLine:*\ \-value\ 0\ *) OR (CommandLine:*\ \-name\ DEPOff\ * AND CommandLine:*\ \-value\ 1\ *) OR (CommandLine:*\ \-name\ DisableFirstRunCustomize\ * AND CommandLine:*\ \-value\ 2\ *)
Elastic · Converted · EQL · high · T1685
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
any where CommandLine:"*\\Services\\VSS\\Diag*" and CommandLine:"*/d Disabled*"
Elastic · Converted · ES|QL · high · T1685
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
from * metadata _id, _index, _version | where CommandLine like "*\\Services\\VSS\\Diag*" and CommandLine like "*/d Disabled*"
Elastic · Converted · Lucene · high · T1685
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
CommandLine:*\\Services\\VSS\\Diag* AND CommandLine:*\/d\ Disabled*
Elastic · Converted · EQL · high · T1685
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender event log, as seen in relation to LockBit 3.0 infections
any where TargetObject:"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled*" and Details:"DWORD (0x00000000)"
Elastic · Converted · ES|QL · high · T1685
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender event log, as seen in relation to LockBit 3.0 infections
from * metadata _id, _index, _version | where TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled*" and Details=="DWORD (0x00000000)"
Elastic · Converted · Lucene · high · T1685
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender event log, as seen in relation to LockBit 3.0 infections
TargetObject:*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft\-Windows\-Windows\ Defender\/Operational\\Enabled* AND Details:DWORD\ \(0x00000000\)
Disabling Lsa Protection via Registry Modification
LSA protection is provided to prevent non-protected processes from reading memory and injecting code. This feature provides added security for the credentials that LSA stores and manages. Adversaries may modify the RunAsPPL registry value and wait for or initiate a system restart to enable LSASS credential access.
Elastic · Converted · EQL · high · T1556.006
Disabling Multi Factor Authentication
Detects the disabling of multi-factor authentication.
any where Operation:"*Disable Strong Authentication.*"
Elastic · Converted · ES|QL · high · T1556.006
Disabling Multi Factor Authentication
Detects the disabling of multi-factor authentication.
from * metadata _id, _index, _version | where Operation like "*Disable Strong Authentication.*"
Elastic · Converted · Lucene · high · T1556.006
Disabling Multi Factor Authentication
Detects the disabling of multi-factor authentication.
Operation:*Disable\ Strong\ Authentication.*