Techniques
Sample rules
Disabled Volume Snapshots
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects commands that temporarily turn off Volume Snapshots
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - \Services\VSS\Diag
    - /d Disabled
Potential Tampering With Security Products Via WMIC
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects uninstallation or termination of security products using the WMIC utility
Detection logic
condition: 1 of selection_cli_* and selection_product
selection_cli_1:
  CommandLine|contains|all:
    - wmic
    - 'product where '
    - call
    - uninstall
    - /nointeractive
selection_cli_2:
  CommandLine|contains:
    - call delete
    - call terminate
  CommandLine|contains|all:
    - wmic
    - 'caption like '
selection_cli_3:
  CommandLine|contains|all:
    - 'process '
    - 'where '
    - delete
selection_product:
  CommandLine|contains:
    - '%carbon%'
    - '%cylance%'
    - '%endpoint%'
    - '%eset%'
    - '%malware%'
    - '%Sophos%'
    - '%symantec%'
    - Antivirus
    - 'AVG '
    - Carbon Black
    - CarbonBlack
    - Cb Defense Sensor 64-bit
    - Crowdstrike Sensor
    - 'Cylance '
    - Dell Threat Defense
    - DLP Endpoint
    - Endpoint Detection
    - Endpoint Protection
    - Endpoint Security
    - Endpoint Sensor
    - ESET File Security
    - LogRhythm System Monitor Service
    - Malwarebytes
    - McAfee Agent
    - Microsoft Security Client
    - Sophos Anti-Virus
    - Sophos AutoUpdate
    - Sophos Credential Store
    - Sophos Management Console
    - Sophos Management Database
    - Sophos Management Server
    - Sophos Remote Management System
    - Sophos Update Manager
    - Threat Protection
    - VirusScan
    - Webroot SecureAnywhere
    - Windows Defender
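The two detection blocks above read as YAML, but it is easy to misjudge how they combine: inside `selection_cli_2` the two `CommandLine|...` keys are ANDed, and the WMIC rule's `1 of selection_cli_* and selection_product` only fires when a command-line pattern and a product name both appear. The following evaluator is an added example, not code from this page or from the Sigma project; it implements just the modifiers these rules use (case-insensitive `contains` and `contains|all`) and the two conditions, then runs both rules over constructed sample command lines. The sample events and the `evaluate_all` helper are assumptions made for the illustration.

```python
"""Minimal evaluator for the two Sigma rules on this page (added example,
not code from the page or from the Sigma project).  Only the pieces the
rules use are implemented: case-insensitive 'contains' and 'contains|all'
on one field, implicit AND between the keys of a selection, and the two
conditions 'selection' and '1 of selection_cli_* and selection_product'.
The sample command lines below are constructed for illustration."""
from fnmatch import fnmatchcase

# Detection blocks transcribed from the rules above.
VSS_RULE = {
    "selection": {
        "CommandLine|contains|all": [r"\Services\VSS\Diag", "/d Disabled"],
    },
}

WMIC_RULE = {
    "selection_cli_1": {
        "CommandLine|contains|all": ["wmic", "product where ", "call",
                                     "uninstall", "/nointeractive"],
    },
    "selection_cli_2": {  # two keys in one selection are ANDed
        "CommandLine|contains": ["call delete", "call terminate"],
        "CommandLine|contains|all": ["wmic", "caption like "],
    },
    "selection_cli_3": {
        "CommandLine|contains|all": ["process ", "where ", "delete"],
    },
    "selection_product": {
        "CommandLine|contains": [
            "%carbon%", "%cylance%", "%endpoint%", "%eset%", "%malware%",
            "%Sophos%", "%symantec%", "Antivirus", "AVG ", "Carbon Black",
            "CarbonBlack", "Cb Defense Sensor 64-bit", "Crowdstrike Sensor",
            "Cylance ", "Dell Threat Defense", "DLP Endpoint",
            "Endpoint Detection", "Endpoint Protection", "Endpoint Security",
            "Endpoint Sensor", "ESET File Security",
            "LogRhythm System Monitor Service", "Malwarebytes",
            "McAfee Agent", "Microsoft Security Client", "Sophos Anti-Virus",
            "Sophos AutoUpdate", "Sophos Credential Store",
            "Sophos Management Console", "Sophos Management Database",
            "Sophos Management Server", "Sophos Remote Management System",
            "Sophos Update Manager", "Threat Protection", "VirusScan",
            "Webroot SecureAnywhere", "Windows Defender",
        ],
    },
}


def field_matches(event, key, values):
    """Evaluate one 'Field|modifier' key. Sigma string matching is
    case-insensitive; '|all' requires every value, otherwise any value."""
    field, *modifiers = key.split("|")
    haystack = str(event.get(field, "")).lower()
    hits = [value.lower() in haystack for value in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection):
    """Every key inside one selection must match (implicit AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def vss_rule_matches(event):
    """condition: selection"""
    return selection_matches(event, VSS_RULE["selection"])


def wmic_rule_matches(event):
    """condition: 1 of selection_cli_* and selection_product"""
    cli_names = [n for n in WMIC_RULE if fnmatchcase(n, "selection_cli_*")]
    any_cli = any(selection_matches(event, WMIC_RULE[n]) for n in cli_names)
    return any_cli and selection_matches(event, WMIC_RULE["selection_product"])


# Constructed process-creation events (CommandLine only); not real telemetry.
SAMPLES = {
    "vss_disable": {"CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag" /d Disabled /f'},
    "vss_query": {"CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag"'},
    "wmic_uninstall_av": {"CommandLine": "WMIC product where \"name like '%sophos%'\" call uninstall /nointeractive"},
    "wmic_terminate_av": {"CommandLine": "wmic process where \"caption like '%carbon%'\" call terminate"},
    "wmic_uninstall_other": {"CommandLine": "wmic product where \"name like '%Notepad%'\" call uninstall /nointeractive"},
    "wmic_inventory": {"CommandLine": "wmic product get name,version"},
}


def evaluate_all():
    """Return {sample name: [titles of rules that fired]} for every sample."""
    results = {}
    for name, event in SAMPLES.items():
        fired = []
        if vss_rule_matches(event):
            fired.append("Disabled Volume Snapshots")
        if wmic_rule_matches(event):
            fired.append("Potential Tampering With Security Products Via WMIC")
        results[name] = fired
    return results


if __name__ == "__main__":
    for sample, fired in evaluate_all().items():
        print(f"{sample:22s} -> {fired or 'no match'}")
```

The `wmic_uninstall_other` sample is the instructive one: it satisfies `selection_cli_1` in full, yet the rule stays quiet because no product string from `selection_product` is present, which is exactly the false-positive control the `and` in the condition provides. Matching is lower-cased on both sides because Sigma string comparisons are case-insensitive by default, so the upper-case `WMIC` sample still fires.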