In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
Impair Defenses Disable or Modify Tools Defense Evasion Medium

D3FEND Techniques

ID Name
D3-PSA Process Spawn Analysis

Data Model References

Object Action Field
process create command_line

Implementations

Splunk search - Detecting Tampering of Windows Defender Command Prompt (Splunk, Sysmon native)

This query looks for the specific use of service control for querying or trying to stop Windows Defender.

index= __your_sysmon__index__ EventCode=1 Image = "C:\\Windows\\System32\\sc.exe"  | regex CommandLine="^sc\s*(config|stop|query)\sWinDefend$"

Splunk search - Detecting Tampering of Windows Defender Command Prompt (Pseudocode)

This query looks for the specific use of service control for querying or trying to stop Windows Defender.

processes = search Process:Create
target_processes = filter processes where (
                   (exe="C:\\Windows\\System32\\sc.exe") AND (command_line="sc *config*" OR command_line="sc *stop*" OR command_line="sc *query*")
                   )
output target_processes