In the past, the Binary Defense Security Operations Task Force has responded to PurpleFox and quickly identified it for further hunting. If PowerShell logging is enabled on a host, there are several ways to monitor for the actions PurpleFox will take. One of which is a high number of calls (6+) for the cmdlet Set-MpPreference to disable Windows Defender. Along that same vein, PurpleFox will make an increased number of calls (10+) to spawn cmd.exe child processes. The vast majority of the calls to cmd are to call reg.exe for continuous attempts to disable Windows Defender. Lastly, building detections to catch wmic attempts to scan for AntiVirus software being enabled is an evergreen detection that is effective when malware is looking to gain a foothold on a system. Pulling this information from centralized logging sources and continuous monitoring make these kinds of investigations and detections possible to get ahead of threats before they grow into a larger incident.