Windows DISM Remove Defender
- source: splunk
- techniques:
  - T1562.001
  - T1562
Description
The following analytic identifies the use of the Windows Disk Image Utility, dism.exe, to remove Windows Defender. Adversaries may use dism.exe to disable Defender before completing their objective. The search fires on a dism.exe process whose command line contains all four of /online, /disable-feature, Windows-Defender and /remove, so routine dism.exe feature queries and removals of other features do not match.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dism.exe (Processes.process="*/online*" AND Processes.process="*/disable-feature*" AND Processes.process="*Windows-Defender*" AND Processes.process="*/remove*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_dism_remove_defender_filter`
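As an added example (not part of the Splunk rule or this page), the same matching and grouping logic re-implemented offline in Python over constructed Endpoint.Processes-style events, so the rule's conditions can be sanity-checked without a Splunk instance; the field names mirror the data model used by the search, and case-insensitive matching of the command line is an assumption.

```python
# Added example: offline re-implementation of the rule's matching and grouping
# logic. Not the Splunk search itself; field names mirror the data model it uses.
from collections import defaultdict

# All four must appear in the command line, as in the SPL where clause.
REQUIRED_TOKENS = ("/online", "/disable-feature", "windows-defender", "/remove")

def matches(event):
    """True for a dism.exe process whose command line carries every token.
    Matching is case-insensitive here (an assumption about normalisation)."""
    if event["process_name"].lower() != "dism.exe":
        return False
    cmd = event["process"].lower()
    return all(tok in cmd for tok in REQUIRED_TOKENS)

def detect(events):
    """Emulate the tstats aggregation: count, firstTime and lastTime per
    (dest, user, parent_process_name, process_name, process) group."""
    groups = defaultdict(list)
    for e in events:
        if matches(e):
            key = (e["dest"], e["user"], e["parent_process_name"],
                   e["process_name"], e["process"])
            groups[key].append(e["_time"])
    return [dict(zip(("dest", "user", "parent_process_name", "process_name",
                      "process"), k), count=len(t), firstTime=min(t), lastTime=max(t))
            for k, t in groups.items()]

def event(t, dest, user, parent, name, cmd):
    """Build one constructed process event using the data model's field names."""
    return {"_time": t, "dest": dest, "user": user, "parent_process_name": parent,
            "process_name": name, "process": cmd}

REMOVE_DEFENDER = "dism.exe /online /disable-feature /featurename:Windows-Defender /remove"

# Constructed sample telemetry: two hits on ws01 with the same command line,
# a routine dism.exe query, a non-Defender feature removal, an unrelated process.
SAMPLE_EVENTS = [
    event(1700000000, "ws01", "CORP\\alice", "cmd.exe", "dism.exe", REMOVE_DEFENDER),
    event(1700000060, "ws01", "CORP\\alice", "cmd.exe", "dism.exe",
          "dism.exe /online /get-features"),
    event(1700000120, "ws02", "CORP\\bob", "powershell.exe", "dism.exe",
          "dism.exe /online /disable-feature /featurename:TelnetClient /remove"),
    event(1700000180, "ws02", "CORP\\bob", "explorer.exe", "notepad.exe", "notepad.exe"),
    event(1700000240, "ws01", "CORP\\alice", "cmd.exe", "dism.exe", REMOVE_DEFENDER),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Only the two Defender-removal events on ws01 collapse into a single result row with count 2; the filter macro at the end of the real search would then be applied to that row.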