← Back to SOC feed Coverage →

Security Service Disabled Via Reg.EXE

sigma HIGH SigmaHQ
T1685
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-17T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects execution of “reg.exe” to disable security services such as Windows Defender.

Detection Rule

Sigma (Original)

title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
    - https://twitter.com/JohnLaTwC/status/1415295021041979392
    - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
    - https://vms.drweb.fr/virus/?i=24144899
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_add:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
    selection_cli_reg_start:
        CommandLine|contains|all:
            - 'd 4'
            - 'v Start'
        CommandLine|contains:
            - '\AppIDSvc'
            - '\MsMpSvc'
            - '\NisSrv'
            - '\SecurityHealthService'
            - '\Sense'
            - '\UsoSvc'
            - '\WdBoot'
            - '\WdFilter'
            - '\WdNisDrv'
            - '\WdNisSvc'
            - '\WinDefend'
            - '\wscsvc'
            - '\wuauserv'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine contains "reg" and TargetProcessCommandLine contains "add") and ((TargetProcessCommandLine contains "d 4" and TargetProcessCommandLine contains "v Start") and (TargetProcessCommandLine contains "\\AppIDSvc" or TargetProcessCommandLine contains "\\MsMpSvc" or TargetProcessCommandLine contains "\\NisSrv" or TargetProcessCommandLine contains "\\SecurityHealthService" or TargetProcessCommandLine contains "\\Sense" or TargetProcessCommandLine contains "\\UsoSvc" or TargetProcessCommandLine contains "\\WdBoot" or TargetProcessCommandLine contains "\\WdFilter" or TargetProcessCommandLine contains "\\WdNisDrv" or TargetProcessCommandLine contains "\\WdNisSvc" or TargetProcessCommandLine contains "\\WinDefend" or TargetProcessCommandLine contains "\\wscsvc" or TargetProcessCommandLine contains "\\wuauserv"))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml