Defense_evasion

The creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities can allow attackers to inject malicious sidecars or block security tooling deployments for persistence and defense evasion.

This rule detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging, potentially indicating defense evasion via compromised AWS credentials or unauthorized administrative access that reduces visibility into cluster activity.

This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.

Detection of the use of schtasks.exe to disable scheduled tasks, a common tactic used by adversaries like IcedID to disable security applications and evade detection, potentially leading to persistence and further system compromise.

Attackers modify or disable Office 365 advanced security settings, such as AntiPhish, SafeLink, SafeAttachment, or Malware policies, to evade detection and operate with reduced risk within the target tenant.

An attacker modifies trusted IP settings in Office 365 to bypass multi-factor authentication (MFA), potentially leading to unauthorized access and data compromise.

Attackers can abuse Microsoft Intune device management configuration policies, typically used for legitimate remote device management, to disable defenses and evade detection on managed devices.

An attacker modifies an AWS S3 bucket lifecycle policy to rapidly expire CloudTrail logs, hindering incident response and forensic analysis.