feat(rules): New Windows Defender driver unloading rule

rabbitstack · rabbitstack · commit dcab3fcc0ecb · 2025-07-24T19:08:17.000+02:00
Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys, which may indicate an attempt to impair or disable antivirus protections.
 Adversaries may unload these drivers to bypass or disable real-time scanning, file system filtering, or ELAM (Early Launch Anti-Malware) protections. Legitimate driver unloads are rare and should be investigated to rule out malicious tampering or post-exploitation activity.
diff --git a/rules/defense_evasion_windows_defender_driver_unloading.yml b/rules/defense_evasion_windows_defender_driver_unloading.yml
@@ -0,0 +1,28 @@
+name: Windows Defender driver unloading
+id: c9b93fbc-8845-4f39-a74b-26862615432c
+version: 1.0.0
+description: |
+  Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys,
+  which may indicate an attempt to impair or disable antivirus protections. 
+  Adversaries may unload these drivers to bypass or disable real-time scanning, file system filtering, 
+  or ELAM (Early Launch Anti-Malware) protections. Legitimate driver unloads are rare and should be 
+  investigated to rule out malicious tampering or post-exploitation activity.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1562
+  technique.name: Impair Defenses
+  technique.ref: https://attack.mitre.org/techniques/T1562/
+  subtechnique.id: T1562.001
+  subtechnique.name: Disable or Modify Tools
+  subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
+
+condition: >
+  unload_driver and image.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')
+
+output: >
+  Windows Defender driver %image.path unloaded by process %ps.exe
+severity: high
+
+min-engine-version: 3.0.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -135,7 +135,7 @@
     watching for driver objects being created.
 
 - macro: unload_driver
-  expr: unload_image and (image.name iendswith '.sys' or image.is_driver)
+  expr: unload_module and (image.name iendswith '.sys' or image.is_driver)
 
 - macro: load_unsigned_module
   expr: >
