PowerShell Restart Windows Defender

Rule Info

Name
PowerShell Restart Windows Defender
Author
X__Junior (Nextron Systems)
Description
Detects powershell restarting services related to Windows Defender
Reference
https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/
Date
2024-09-10 00:00:00
Modified
None
Id
0bd8d8d7-0fe0-4bf7-b42f-fd829eb73942
Tags
attack.credential-access attack.t1003.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022