Created
May 31, 2020 11:13
-
-
Save alexverboon/bb63249f49ff3eaa98c911da7243f89b to your computer and use it in GitHub Desktop.
T1089 - Disabling Security Tools - using sc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // T1089 - Disabling Security Tools | |
| // https://attack.mitre.org/techniques/T1089/ | |
| search in (DeviceProcessEvents) | |
| FileName == "sc.exe" | |
| | where ProcessCommandLine has_any ("stop Wuauserv","stop WinDefend","stop wscsvc","stop mpssvc" ,"stop Sense","stop WdNisSvc","stop DiagTrack","stop gpsvc") | |
| | extend SecurityTool = iff(ProcessCommandLine contains "stop wuauserv","Windows Update" | |
| ,iff(ProcessCommandLine contains "stop WinDefend","Windows Defender",iff(ProcessCommandLine contains "stop wscsvc", "Defender Security Center" | |
| ,iff(ProcessCommandLine contains "stop mpssvc","Defender Firewall",iff(ProcessCommandLine contains "stop WdNisSvc","Defender Antivirus Network Inspection" | |
| ,iff(ProcessCommandLine contains "stop diagtrack","Telemetry",iff(ProcessCommandLine contains "stop gpsvc","Group Policy" | |
| ,iff(ProcessCommandLine contains "stop sense","Defender ATP","Unknown")))))))) | |
| | project-reorder SecurityTool | |
| | order by Timestamp | |
| // Wuauserv = Windows Update | |
| // WinDefend = Windows Defender | |
| // Sense = Defender ATP | |
| // wscsvc = Windows Security Center | |
| // mpssvc = Windows Defender Firewall | |
| // WdNisSvc = Microsoft Defender Antivirus Network Inspection Service | |
| // DiagTrack = Connected User Experiences and Telemetry | |
| // gpsvc = Group Policy Client |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Semantic error
Error message
No tabular expression statement found
How to resolve
Fix semantic errors in your query