Registry Set for WinDefend Deletion

Rule Info

Name
Registry Set for WinDefend Deletion
Author
MalGamy
Description
Detects the deletion of the WinDefend registry key in attempt to disable Windows Defender.
Reference
https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust
Date
2024-10-23 00:00:00
Modified
None
Id
d65668c8-772a-4cc9-8c5e-b6cccf7d3f49
Tags
attack.defense-evasion attack.persistence attack.t1112
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022