Win App Defender Disabling

Description

Automatically categorized datasets from the win_app_defender_disabling directory (T1562.001, Disable or Modify Tools).

MITRE ATT&CK Techniques

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion

Environment Details

Field Value
Environment attack_range
Directory win_app_defender_disabling
Test Date 2025-08-12

Datasets

The following datasets were collected during this attack simulation:

Windows-Xml

  • Path: /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Windows-Sysmon

  • Path: /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name                            | Type    | Source   | MITRE ATT&CK                | Analytic Story
Disabling SystemRestore In Registry       | TTP     | Endpoint | T1490                       | Windows Defense Evasion Tactics, Windows Registry Abuse, NjRAT
Disable Show Hidden Files                 | Anomaly | Endpoint | T1112, T1562.001, T1564.001 | Windows Defense Evasion Tactics, Windows Registry Abuse, Azorult
Disabling Firewall with Netsh             | Anomaly | Endpoint | T1562.001                   | Windows Defense Evasion Tactics, BlackByte Ransomware
Disable Registry Tool                     | TTP     | Endpoint | T1112, T1562.001            | Windows Defense Evasion Tactics, Windows Registry Abuse, NjRAT
Disabling FolderOptions Windows Feature   | TTP     | Endpoint | T1562.001                   | Windows Defense Evasion Tactics, CISA AA23-347A, Windows Registry Abuse
Disabling Task Manager                    | TTP     | Endpoint | T1562.001                   | Windows Defense Evasion Tactics, Windows Registry Abuse, NjRAT
Disabling CMD Application                 | TTP     | Endpoint | T1112, T1562.001            | Windows Defense Evasion Tactics, Windows Registry Abuse, NjRAT
Disable Windows Behavior Monitoring       | TTP     | Endpoint | T1562.001                   | Windows Defense Evasion Tactics, CISA AA23-347A, Revil Ransomware, Azorult, Windows Registry Abuse, Black Basta Ransomware, Ransomware, RedLine Stealer, Cactus Ransomware, Scattered Lapsus$ Hunters
Disabling NoRun Windows App               | TTP     | Endpoint | T1112, T1562.001            | Windows Defense Evasion Tactics, Windows Registry Abuse
Disable Windows SmartScreen Protection    | TTP     | Endpoint | T1562.001                   | Windows Defense Evasion Tactics, CISA AA23-347A, Windows Registry Abuse
Disabling ControlPanel                    | TTP     | Endpoint | T1112, T1562.001            | Windows Defense Evasion Tactics, Windows Registry Abuse
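Both dataset files are Sysmon events in XmlWinEventLog form, and most of the detections above fire on a single registry value being written. The script below is an added example, not code from this page, from the dataset, or from the Splunk security content repository: it parses Sysmon Event ID 13 (RegistryEvent, Value Set) records and flags the registry values that each listed feature-disabling technique writes. The pairing of registry values with the detection names is this example's assumption (the published detections are SPL searches whose exact logic lives in the security content repository); the sample events are constructed, trimmed to the fields used here, and the hostname, user and SID in them are made up.

```python
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
Match = namedtuple("Match", "detection computer user image target details")


def _dword_in(*values):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; parse it and compare."""
    def check(details):
        m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details.strip())
        return m is not None and int(m.group(1), 16) in values
    return check


def _string_is(expected):
    return lambda details: details.strip().lower() == expected.lower()


# (detection name, lower-cased tail of TargetObject, predicate on Details).
# The registry values are the well-known Windows policy values for each feature;
# pairing them with the detection names is this example's assumption, not the
# published SPL. Value 0 (feature re-enabled) deliberately does not match.
RULES = [
    ("Disable Windows Behavior Monitoring", "\\real-time protection\\disablebehaviormonitoring", _dword_in(1)),
    ("Disable Windows SmartScreen Protection", "\\currentversion\\explorer\\smartscreenenabled", _string_is("Off")),
    ("Disabling Task Manager", "\\policies\\system\\disabletaskmgr", _dword_in(1)),
    ("Disable Registry Tool", "\\policies\\system\\disableregistrytools", _dword_in(1, 2)),
    ("Disabling CMD Application", "\\windows\\system\\disablecmd", _dword_in(1, 2)),
    ("Disabling NoRun Windows App", "\\policies\\explorer\\norun", _dword_in(1)),
    ("Disabling ControlPanel", "\\policies\\explorer\\nocontrolpanel", _dword_in(1)),
    ("Disabling FolderOptions Windows Feature", "\\policies\\explorer\\nofolderoptions", _dword_in(1)),
    ("Disable Show Hidden Files", "\\explorer\\advanced\\hidden", _dword_in(2)),
    ("Disabling SystemRestore In Registry", "\\systemrestore\\disablesr", _dword_in(1)),
]


def parse_event(xml_text):
    """Return (EventID, Computer, {Data Name: text}) for one XmlWinEventLog record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
    computer = system.findtext("e:Computer", default="", namespaces=NS)
    event_data = root.find("e:EventData", NS)
    data = {d.get("Name"): (d.text or "") for d in (event_data if event_data is not None else [])}
    return event_id, computer, data


def detect(xml_events):
    """Run RULES over raw XML events; returns Match records in input order."""
    matches = []
    for raw in xml_events:
        event_id, computer, data = parse_event(raw)
        # Only Event ID 13 SetValue records carry Details; key/value create and
        # delete events (ID 12) are ignored here.
        if event_id != 13 or data.get("EventType") != "SetValue":
            continue
        target, details = data.get("TargetObject", ""), data.get("Details", "")
        for name, tail, check in RULES:
            if target.lower().endswith(tail) and check(details):
                matches.append(Match(name, computer, data.get("User", ""),
                                     data.get("Image", ""), target, details))
    return matches


def _sysmon_event(event_id, event_type, target, details=None):
    """Constructed Sysmon registry event in XmlWinEventLog shape (sample data only)."""
    details_xml = f"<Data Name='Details'>{details}</Data>" if details is not None else ""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Sysmon'/>"
        f"<EventID>{event_id}</EventID>"
        "<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
        "<Computer>win-host-1.attackrange.local</Computer></System>"
        f"<EventData><Data Name='EventType'>{event_type}</Data>"
        "<Data Name='Image'>C:\\Windows\\System32\\reg.exe</Data>"
        f"<Data Name='TargetObject'>{target}</Data>{details_xml}"
        "<Data Name='User'>ATTACKRANGE\\Administrator</Data></EventData></Event>"
    )


USER_HIVE = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
POLICIES = USER_HIVE + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies"
SAMPLE_EVENTS = [  # constructed; not taken from the dataset files above
    _sysmon_event(13, "SetValue", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
                  "\\Real-Time Protection\\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    _sysmon_event(13, "SetValue", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                  "\\Explorer\\SmartScreenEnabled", "Off"),
    # Value 0 re-enables Task Manager, so this must not fire.
    _sysmon_event(13, "SetValue", POLICIES + "\\System\\DisableTaskMgr", "DWORD (0x00000000)"),
    # Event ID 12 (value deleted) carries no Details and is skipped.
    _sysmon_event(12, "DeleteValue", POLICIES + "\\System\\DisableTaskMgr"),
    _sysmon_event(13, "SetValue", POLICIES + "\\Explorer\\NoRun", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for m in detect(SAMPLE_EVENTS):
        print(f"{m.detection}: {m.user} via {m.image} set {m.target} = {m.details}")
```

To run it against the real dataset, split windows-sysmon.log into one XML document per line (each record begins with `<Event`) and pass the lines to detect(). The tail-of-path match is deliberate: the same value lives under HKCU, HKU\<SID> or HKLM depending on how the policy was applied, and the decoded DWORD comparison avoids flagging a value being set back to 0.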

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

python replay.py --dataset /datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-xml.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Find more detections and analytics for this attack technique in our security content repository.


Source: GitHub | Version: 1.0