Windows Defender Threat Detection Disabled - Service
Detects the "Windows Defender Threat Protection" service has been disabled
Sigma rule (View on GitHub)
1title: Windows Defender Threat Detection Disabled - Service
2id: 6c0a7755-6d31-44fa-80e1-133e57752680
3related:
4 - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
5 type: derived
6status: stable
7description: Detects the "Windows Defender Threat Protection" service has been disabled
8references:
9 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
11author: Ján Trenčanský, frack113
12date: 2020/07/28
13modified: 2023/08/08
14tags:
15 - attack.defense_evasion
16 - attack.t1562.001
17logsource:
18 product: windows
19 service: system
20detection:
21 selection:
22 EventID: 7036
23 Provider_Name: 'Service Control Manager'
24 # Note: The service name and messages are localized
25 param1:
26 - 'Windows Defender Antivirus Service'
27 - 'Service antivirus Microsoft Defender' # French OS
28 param2:
29 - 'stopped'
30 - 'arrêté'
31 condition: selection
32falsepositives:
33 - Administrator actions
34 - Auto updates of Windows Defender causes restarts
35level: medium
References
Related rules
- Disable Windows Defender AV Security Monitoring
- Disable-WindowsOptionalFeature Command PowerShell
- Dism Remove Online Package
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- AMSI Bypass Pattern Assembly GetType