Skip to content

feat(rules): New Windows Defender driver unloading rule #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rabbitstack merged 1 commit into from
Jul 24, 2025
Merged

feat(rules): New Windows Defender driver unloading rule #526

rabbitstack merged 1 commit into from
Jul 24, 2025

Conversation

@rabbitstack
Copy link
Owner

@rabbitstack rabbitstack commented Jul 21, 2025

What is the purpose of this PR / why it is needed?

Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys, which may indicate an attempt to impair or disable antivirus protections.

Adversaries may unload these drivers to bypass or disable real-time scanning, file system filtering, or ELAM (Early Launch Anti-Malware) protections. Legitimate driver unloads are rare and should be investigated to rule out malicious tampering or post-exploitation activity.

What type of change does this PR introduce?

Uncomment one or more /kind <> lines:

/kind feature (non-breaking change which adds functionality)

/kind bug-fix (non-breaking change which fixes an issue)

/kind refactor (non-breaking change that restructures the code, while not changing the original functionality)

/kind breaking (fix or feature that would cause existing functionality to not work as expected

/kind cleanup

/kind improvement

/kind design

/kind documentation

/kind other (change that doesn't pertain to any of the above categories)

Any specific area of the project related to this PR?

Uncomment one or more /area <> lines:

/area instrumentation

/area telemetry

/area rule-engine

/area filters

/area yara

/area event

/area captures

/area alertsenders

/area outputs

/area rules

/area filaments

/area config

/area cli

/area tests

/area ci

/area build

/area docs

/area deps

/area other

Special notes for the reviewer

Does this PR introduce a user-facing change?

@rabbitstack
feat(rules): New Windows Defender driver unloading rule
7847e92 
 Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys, which may indicate an attempt to impair or disable antivirus protections.
 Adversaries may unload these drivers to bypass or disable real-time scanning, file system filtering, or ELAM (Early Launch Anti-Malware) protections. Legitimate driver unloads are rare and should be investigated to rule out malicious tampering or post-exploitation activity.
@rabbitstack rabbitstack added the rules Anything related to detection rules label Jul 21, 2025
@rabbitstack rabbitstack merged commit dcab3fc into master Jul 24, 2025
11 checks passed
@rabbitstack rabbitstack deleted the unloading-windows-defender-driver-rule branch July 24, 2025 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

rules Anything related to detection rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rabbitstack