Windows Defender Disable Attempt via DISM

Rule Info

Name
Windows Defender Disable Attempt via DISM
Author
Swachchhanda Shrawan Poudel
Description
Detects attempts to disable Windows Defender using Deployment Image Servicing and Management (DISM.exe) utility. DISM is a legitimate Windows utility, which is used to install, uninstall, configure, and update the features and packages in offline Windows images and offline Windows Preinstallation Environment (WinPE) images. Adversaries may attempt to disable Windows Defender using DISM to evade detection and prevent their malware from being caught. This technique is particularly concerning as DISM is a legitimate Windows utility, making the malicious activity harder to distinguish from normal system administration.
Reference
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/deployment-image-servicing-and-management--dism--command-line-options?view=windows-11
Date
2025-03-18 00:00:00
Modified
None
Id
d4a80c42-e8df-4ea9-b530-73cb153796e4
Tags
attack.defense-evasion attack.t1562.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022