Windows Defender Threat Detection Disabled - Service

Detects that the "Windows Defender Threat Protection" service has been disabled

Sigma rule

```yaml
title: Windows Defender Threat Detection Disabled - Service
id: 6c0a7755-6d31-44fa-80e1-133e57752680
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: derived
status: stable
description: Detects the "Windows Defender Threat Protection" service has been disabled
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2023/08/08
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7036
        Provider_Name: 'Service Control Manager'
        # Note: The service name and messages are localized
        param1:
            - 'Windows Defender Antivirus Service'
            - 'Service antivirus Microsoft Defender' # French OS
        param2:
            - 'stopped'
            - 'arrêté'
    condition: selection
falsepositives:
    - Administrator actions
    - Auto updates of Windows Defender causes restarts
level: medium
```
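To show how the `selection` above is evaluated, here is an added Python example (not part of the rule or of the Sigma project's code) that applies the rule's selection to a few constructed System-log 7036 events. It assumes the event dict shape and field names used by the rule (`param1` = service name, `param2` = new state) and follows Sigma's default semantics: keys in a map are ANDed, a list of values is ORed, and plain string matches are case-insensitive. The restart-related false positives listed under `falsepositives` are not handled here.

```python
from typing import Dict, List

# The rule's selection, transcribed from the Sigma YAML above.
SELECTION = {
    "EventID": 7036,
    "Provider_Name": "Service Control Manager",
    "param1": ["Windows Defender Antivirus Service",
               "Service antivirus Microsoft Defender"],  # French OS
    "param2": ["stopped", "arrêté"],
}

def _value_matches(actual, expected) -> bool:
    """Sigma plain-value match: a list is OR; strings compare case-insensitively."""
    if isinstance(expected, list):
        return any(_value_matches(actual, e) for e in expected)
    if isinstance(expected, str) and isinstance(actual, str):
        return actual.casefold() == expected.casefold()
    return actual == expected

def selection_matches(event: Dict, selection: Dict = SELECTION) -> bool:
    """True only when every field of the selection is present and matches (AND)."""
    return all(field in event and _value_matches(event[field], expected)
               for field, expected in selection.items())

# Constructed sample events (hypothetical, not real log data): two genuine
# hits (English and French), a 'running' transition, another service's stop,
# and a different Service Control Manager event ID.
SAMPLE_EVENTS = [
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Service antivirus Microsoft Defender", "param2": "arrêté"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "running"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Print Spooler", "param2": "stopped"},
    {"EventID": 7040, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
]

def alerts(events: List[Dict]) -> List[int]:
    """Indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if selection_matches(ev)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 1]
```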
