![]() Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy. Investigate other alerts associated with the user/host during the past 48 hours. Contact the account owner and confirm whether they are aware of this activity. ![]() Identify the user account that performed the action and whether it should perform this kind of action. ![]() Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. Investigate the process execution chain (parent process tree) for unknown processes. This rule monitors the registry for modifications that disable Windows Defender features. Disabling it is a common step in threat actor playbooks. Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. # Investigating Microsoft Windows Defender Tampering
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |