t1562.001

admin may disable firewall during testing or fixing network problem.
admin may disable problematic schedule task
admin may disable this application for non technical user.
admin or user may choose to disable this windows features.
admin or user may choose to disable windows defender product
admin or user may choose to use this windows features.
admin or user may choose to use this windows features. filter as needed.
administrative activity
administrator actions
administrator actions (should be investigated)
administrator actions via the windows defender interface
administrator activity (must be investigated)
administrator might leverage the same command line for debugging or other purposes. however this action must be always investigated
administrator might try to disable defender features during testing (must be investigated)
administrators may execute this command that may cause some false positive.
allowed administrative activities.
auto updates of windows defender causes restarts
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
false positives may be present based on organization use of applocker. filter as needed.
false positives may occur with troubleshooting scripts
false positives should be limited, however filter as needed.
false positives will be limited to administrative scripts disabling hvci. filter as needed.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
installer tools that disable services, e.g. before log collection agent installation
intended exclusions by administrators
it is unusual to turn this feature off a windows system since it is a default security control, although it is not rare for some policies to disable it. although no false positives have been identified, use the provided filter macro to tune the search.
legitimate activities
legitimate admin script
legitimate administration
legitimate administrative activities
legitimate administrative use (should be investigated either way)
legitimate administrator activity restoring a file
legitimate administrators might use this command to remove sysmon for debugging purposes
legitimate administrators might use this command to update sysmon configuration.
legitimate administrators removing applications (should always be investigated)
legitimate deactivation by administrative staff
legitimate uninstallation by administrative staff
legitimate driver altitude change to hide sysmon
legitimate powershell scripts
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
legitimate programs and administrators will execute sc.exe with the start disabled flag. it is possible, but unlikely from the telemetry of normal windows operation we observed, that sc.exe will be called more than seven times in a short period of time.
legitimate script
legitimate use
legitimate user activity.
limited false positives. however, tune based on scripts that may perform this action.
minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this generally is not considered a good security practice.
msmpeng might crash if the "c:\" partition is full
network admin can terminate a process using this linux command. filter is needed.
network administrator can use this application to kill process during audit or investigation.
network operator may disable this feature of windows but not so common.
none identified. attempts to disable security-related services should be identified and understood.
other antivirus software installations could cause windows to disable that eventlog (unknown)
other cmdlets that may use the same parameters
other legitimate tools loading drivers, including but not limited to sysinternals, cpu-z, avs etc. a baseline needs to be created according to the used products and allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
other legitimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore this is only medium-level; don't rely on it.
other legitimate tools using these service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore this is only medium-level; don't rely on it.
other legitimate windows processes not currently listed
possible admin activity
possible administrative activity
processes related to software installation
rare legitimate add to registry via cli (to these locations)
rare legitimate use by administrators to test software (should always be investigated)
seen being triggered occasionally during windows 8 defender updates
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
some fp may occur when the feature is disabled by the av itself, you should always investigate if the action was legitimate
some legitimate administrative tools leverage `dism.exe` to manipulate packages and features of the operating system. filter as needed.
third party application may use this approach to uninstall applications.
unlikely
user may choose to disable windows defender av
valid change in a trail
valid change in aws config service
valid change in the guardduty (e.g. to ignore internal scanners)
windows service update may cause this event. in that scenario, filtering is needed.