Windows Defender Threat Detection Disabled - Service

Detects that the "Windows Defender Antivirus Service" has been stopped, using Service Control Manager event 7036 reporting the "stopped" state. A stopped Defender service means real-time threat protection is no longer running.

Sigma rule

```yaml
title: Windows Defender Threat Detection Disabled - Service
id: 6c0a7755-6d31-44fa-80e1-133e57752680
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: derived
status: stable
description: Detects the "Windows Defender Threat Protection" service has been disabled
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2022/08/01
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7036                              # SCM: "The <param1> service entered the <param2> state."
        Provider_Name: 'Service Control Manager'
        param1:
            - 'Windows Defender Antivirus Service'
            - 'Service antivirus Microsoft Defender' # French OS
        param2: 'stopped'
    condition: selection
falsepositives:
    - Administrator actions
    - Auto updates of Windows Defender causes restarts
level: low
```
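Added example, not part of the rule or of the Sigma project: the selection above evaluated in Python over constructed System-log records. Field names follow the rule's logsource (EventID, Provider_Name, param1, param2); the RecordNumber field, the event_from_message helper and every sample message are assumptions made for illustration. The example goes a little beyond the rule text in two ways: it recovers param1/param2 from the rendered English 7036 message, which is often all an exported log line carries, and it includes a 7040 (service start type changed) record to show that this selection only fires on the service actually stopping.

```python
"""Evaluate the Sigma selection above over constructed System-log events.

Added example, not the rule's or the Sigma project's own code. The sample
records and the RecordNumber field are made up for illustration.
"""
import re
from typing import Iterable, List

# The rule's selection map, transcribed from the YAML above.
RULE_SELECTION = {
    "EventID": 7036,
    "Provider_Name": "Service Control Manager",
    "param1": [
        "Windows Defender Antivirus Service",
        "Service antivirus Microsoft Defender",  # French OS
    ],
    "param2": "stopped",
}

# English rendering of SCM event 7036:
# "The <param1> service entered the <param2> state."
_MSG_7036 = re.compile(r"^The (?P<param1>.+) service entered the (?P<param2>\S+) state\.$")


def event_from_message(record_id: int, event_id: int, provider: str, message: str) -> dict:
    """Build a flat event from an exported log line that only carries the rendered message.

    param1/param2 are recovered from the 7036 message text; other event ids keep
    only their header fields, so the selection cannot match them by accident.
    """
    event = {"RecordNumber": record_id, "EventID": event_id, "Provider_Name": provider}
    m = _MSG_7036.match(message) if event_id == 7036 else None
    if m:
        event.update(m.groupdict())
    return event


def _value_matches(actual, expected) -> bool:
    """Sigma semantics: a list is OR-ed; plain strings compare case-insensitively."""
    if isinstance(expected, list):
        return any(_value_matches(actual, e) for e in expected)
    if isinstance(expected, str):
        return isinstance(actual, str) and actual.casefold() == expected.casefold()
    return actual == expected


def matches_selection(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """Every key of a selection map must match (AND); a missing field never matches."""
    return all(field in event and _value_matches(event[field], expected)
               for field, expected in selection.items())


def find_defender_stops(events: Iterable[dict]) -> List[int]:
    """Return the RecordNumber of every event the rule would fire on."""
    return [e["RecordNumber"] for e in events if matches_selection(e)]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # 1: the case the rule is written for
    event_from_message(1, 7036, "Service Control Manager",
                       "The Windows Defender Antivirus Service service entered the stopped state."),
    # 2: the same service coming back, e.g. after the platform update the
    #    falsepositives section mentions; param2 is 'running', so no match
    event_from_message(2, 7036, "Service Control Manager",
                       "The Windows Defender Antivirus Service service entered the running state."),
    # 3: another service stopping is not of interest
    event_from_message(3, 7036, "Service Control Manager",
                       "The Print Spooler service entered the stopped state."),
    # 4: French OS string for param1, supplied as already-split fields
    {"RecordNumber": 4, "EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Service antivirus Microsoft Defender", "param2": "stopped"},
    # 5: SCM 7040 (start type changed) has a different event id and falls
    #    outside this selection, even though that is what "disabled" usually means
    event_from_message(5, 7040, "Service Control Manager",
                       "The start type of the Windows Defender Antivirus Service service "
                       "was changed from auto start to disabled."),
    # 6: right fields, wrong provider
    {"RecordNumber": 6, "EventID": 7036, "Provider_Name": "SomeOtherProvider",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
]

if __name__ == "__main__":
    print("matched records:", find_defender_stops(SAMPLE_EVENTS))
```

Only records 1 and 4 fire. Record 2 is the restart the falsepositives section warns about, so a stop followed shortly by a "running" event for the same service is worth suppressing or down-ranking in the SIEM rather than in the rule; record 5 shows that a change of start type to Disabled is a separate event id and needs its own detection.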
