Suspicious Uninstall of Windows Defender Feature via PowerShell (c443012c-7928-43bf-ac20-7eda5efe61ad)

Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | Suspicious Uninstall of Windows Defender Feature via PowerShell (c443012c-7928-43bf-ac20-7eda5efe61ad) | Sigma-Rules | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |