
Rule Info

Name: Suspicious Uninstall of Windows Defender Feature via PowerShell
Author: yxinmiracle
Description: Detects the use of PowerShell with the Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
Date: 2025-08-22 00:00:00
Modified: None
Id: c443012c-7928-43bf-ac20-7eda5efe61ad
Tags: attack.defense-evasion attack.t1562.001
Type: Community Rule
Link to Public Repo
Rule History

Author       | Title                                                                                             | Date       | Commit
-------------|---------------------------------------------------------------------------------------------------|------------|-------
YxinMiracle  | Merge PR #5619 from @YxinMiracle - Suspicious Uninstall of Windows Defender Feature via PowerShell | 2025-10-01 |