
Rule Info
Name
Windows Defender Disable Attempt via DISM
Author
Swachchhanda Shrawan Poudel
Description
Detects attempts to disable Windows Defender using the Deployment Image Servicing and Management (DISM.exe) utility.
DISM is a legitimate Windows utility used to install, uninstall, configure, and update features and packages in offline Windows images and offline Windows Preinstallation Environment (WinPE) images, and, with the /Online switch, in the running operating system.
Adversaries may use DISM to disable Windows Defender in order to evade detection and keep their malware from being caught.
This technique is particularly concerning because DISM is a legitimate, built-in Windows utility, so the malicious activity is harder to distinguish from normal system administration.
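The rule's own selection logic is private, so the following is an added illustration, not the Nextron rule or any code from the author: a minimal process-creation matcher in the spirit of the description, run over constructed Sysmon Event ID 1 / Security 4688 style events. It assumes the attacker invokes DISM with /Disable-Feature against a feature whose name starts with Windows-Defender, and that the telemetry carries Image and CommandLine fields; the sample command lines and paths are constructed, not captured.

```python
"""Added illustration of a DISM-based Windows Defender disable detection.

The Nextron rule's actual selection is private; the matching below is an
assumption modelled on the rule description (image = dism.exe, command line
contains /Disable-Feature and a Windows-Defender feature name).
"""
from typing import Dict, Iterable, List

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 shape).
# None of these are real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Canonical disable attempt: should alert.
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"Dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet"},
    # Different casing, quoting and WOW64 path: should still alert.
    {"Image": r"C:\Windows\SysWOW64\dism.exe",
     "CommandLine": r'dism /Online /disable-feature /featurename:"Windows-Defender" /remove'},
    # Benign enumeration of features: no alert.
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"Dism.exe /online /Get-Features"},
    # Re-enabling Defender is not a disable attempt: no alert.
    {"Image": r"C:\Windows\System32\Dism.exe",
     "CommandLine": r"Dism.exe /online /Enable-Feature /FeatureName:Windows-Defender"},
    # Same strings but the image is not dism.exe: no alert (the child dism.exe
    # process, if one is spawned, would produce its own event and be caught there).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "echo /Disable-Feature Windows-Defender"'},
]


def is_dism_defender_disable(event: Dict[str, str]) -> bool:
    """Return True when the event looks like DISM disabling a Windows-Defender feature.

    Matching is case-insensitive and substring-based (Sigma 'contains|all' style)
    so that switch order, quoting and whitespace variations do not evade it.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Compare only the file name so a bare "dism.exe" and any directory both match.
    if image.rsplit("\\", 1)[-1] != "dism.exe":
        return False
    return "/disable-feature" in cmd and "windows-defender" in cmd


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that match the detection."""
    return [e["CommandLine"] for e in events if is_dism_defender_disable(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT: Windows Defender disable attempt via DISM:", hit)
```

Two design points worth keeping in a production version: matching on the image file name rather than the full path avoids misses when DISM is copied or run from SysWOW64, and checking the command line for the feature name rather than only for /Disable-Feature keeps the rule from firing on the many legitimate DISM feature removals administrators perform.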
Date
2025-03-18 00:00:00
Modified
None
Id
d4a80c42-e8df-4ea9-b530-73cb153796e4
Tags
attack.defense-evasion attack.t1562.001
Type
Nextron Sigma feed only (private)