Windows Defender Threat Detection Service Disabled

Detects when the "Windows Defender Threat Protection" service is disabled.

Sigma rule

```yaml
title: Windows Defender Threat Detection Service Disabled
id: 6c0a7755-6d31-44fa-80e1-133e57752680
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: derived
status: stable
description: Detects when the "Windows Defender Threat Protection" service is disabled.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2024-07-02
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7036
        Provider_Name: 'Service Control Manager'
        # Note: The service name and messages are localized
        param1:
            - 'Windows Defender Antivirus Service'
            - 'Service antivirus Microsoft Defender' # French OS
        param2:
            - 'stopped'
            - 'arrêté' # French OS
    condition: selection
falsepositives:
    - Administrator actions
    - Auto updates of Windows Defender causes restarts
level: medium
```
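The rule's `selection` evaluated against constructed System-log events, as an added example that is not part of the rule or of SigmaHQ's tooling; the event dictionaries and field names are assumptions modelled on the rule's `logsource`, and matching follows Sigma's default semantics (map fields AND-ed, list values OR-ed, case-insensitive strings).

```python
# Added example: evaluates the Sigma selection above against sample events.
# Not SigmaHQ code; the event layout is an assumption based on the rule's fields.
SELECTION = {
    "EventID": [7036],
    "Provider_Name": ["Service Control Manager"],
    "param1": ["Windows Defender Antivirus Service",
               "Service antivirus Microsoft Defender"],  # French OS
    "param2": ["stopped", "arrêté"],                     # French OS
}


def _field_matches(value, allowed):
    """A field matches if it equals any listed value; Sigma compares strings
    case-insensitively by default, so the comparison is casefolded."""
    if value is None:
        return False
    for candidate in allowed:
        if isinstance(candidate, str):
            if str(value).casefold() == candidate.casefold():
                return True
        elif value == candidate:
            return True
    return False


def matches_rule(event):
    """All fields of the selection map must match (logical AND)."""
    return all(_field_matches(event.get(f), v) for f, v in SELECTION.items())


def find_hits(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events modelled on Event ID 7036 ("service entered the
# <state> state") as written by the Service Control Manager to the System log.
SAMPLE_EVENTS = [
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Service antivirus Microsoft Defender", "param2": "arrêté"},
    # Same service entering the running state (e.g. after an update): no hit.
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "running"},
    # A different service stopping: no hit.
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Print Spooler", "param2": "stopped"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["param1"], hit["param2"])
```

Because the rule lists only English and French strings, a 7036 event from any other localized OS would not match; that is the gap the rule's own comment about localization points at.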
