Product
Windows Defender Disabled via Registry Modification
2 rules, 3 TTPs
Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.
Disabling Windows Defender Security Settings via PowerShell
2 rules, 2 TTPs
Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.
Potential RemoteMonologue Attack via Registry Modification
2 rules, 4 TTPs
This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.
Suspicious Microsoft Antimalware Service Executable Execution
3 rules, 1 TTP
Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.
Suspicious LSASS Process Access
3 rules, 1 TTP
This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.
MpCmdRun.exe Used for Remote File Download
2 rules, 1 TTP
Attackers are abusing the Windows Defender MpCmdRun.exe utility to download remote files, potentially delivering malware or offensive tools into compromised systems.
Disabling Windows Defender Security Settings via PowerShell
3 rules, 2 TTPs
Attackers use PowerShell commands like Set-MpPreference or Add-MpPreference, often with base64 encoding, to disable or weaken Windows Defender security settings in order to evade detection and execute malicious payloads.