Actor
high
threat
Windows Defender MpEngine Disabled via Registry Modification
2 rules, 1 TTP
An attacker modifies the Windows Defender MpEngine registry value to disable key features, potentially allowing malware to evade detection.
Windows Defender
IcedID
defense-evasion
registry-modification
windows-defender
high
threat
Suspicious WMIC Application Uninstallation
2 rules
This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.
Splunk Enterprise +2
IcedID
defense-evasion
application-uninstall
wmic
high
threat
Scheduled Task Disablement via Schtasks.exe
2 rules
Detection of the use of schtasks.exe to disable scheduled tasks, a common tactic used by adversaries such as IcedID to disable security applications and evade detection, potentially leading to persistence and further system compromise.
Splunk Enterprise +2
IcedID
persistence
defense_evasion
windows