blog/source/threat-hunting/disable-microsoft-defender-registry.md at 830aea5f1179780458af5a861480967003ea6ce0

883 B

Raw Blame History

title	layout	date
Disable Microsoft Defender (Registry)	page	2025-07-27

References: 1, 2 SPL:

| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware", "DisableAntivirus") Registry.registry_value_data="1" BY Registry.dest, Registry.action, Registry.process_guid, Registry.process_id, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.user
| rename Registry.* AS *

883 B Raw Blame History

883 B

Raw Blame History