cscli scenarios install sigmahq/proc_creation_win_reg_disable_sec_services1type: trigger2name: sigmahq/proc_creation_win_reg_disable_sec_services3description: |4 Detects execution of "reg.exe" to disable security services such as Windows Defender.5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains 'reg' && evt.Parsed.CommandLine contains 'add' && evt.Parsed.CommandLine contains 'd 4' && evt.Parsed.CommandLine contains 'v Start' && (evt.Parsed.CommandLine contains '\\AppIDSvc' || evt.Parsed.CommandLine contains '\\MsMpSvc' || evt.Parsed.CommandLine contains '\\NisSrv' || evt.Parsed.CommandLine contains '\\SecurityHealthService' || evt.Parsed.CommandLine contains '\\Sense' || evt.Parsed.CommandLine contains '\\UsoSvc' || evt.Parsed.CommandLine contains '\\WdBoot' || evt.Parsed.CommandLine contains '\\WdFilter' || evt.Parsed.CommandLine contains '\\WdNisDrv' || evt.Parsed.CommandLine contains '\\WdNisSvc' || evt.Parsed.CommandLine contains '\\WinDefend' || evt.Parsed.CommandLine contains '\\wscsvc' || evt.Parsed.CommandLine contains '\\wuauserv'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t1562.0011516 label: "Security Service Disabled Via Reg.EXE"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324