Suspicious Uninstall of Windows Defender Feature via PowerShell (c443012c-7928-43bf-ac20-7eda5efe61ad)

Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Suspicious Uninstall of Windows Defender Feature via PowerShell (c443012c-7928-43bf-ac20-7eda5efe61ad) | Sigma-Rules | 1 |