Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Sigma rule

```yaml
title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsolete
status: stable
description: |
    Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5101 # The antimalware platform is expired.
    condition: selection
falsepositives:
    - Unknown
level: high
```
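The following is an added example (not part of the Sigma project or this rule page) showing how the rule's `logsource` and `detection` sections translate into a matcher over Windows event records; it assumes the usual Sigma backend mapping of the `windefend` service to the `Microsoft-Windows-Windows Defender/Operational` channel, and the sample events are constructed, not real telemetry.

```python
"""Evaluate the 'Windows Defender Grace Period Expired' Sigma rule against
constructed Windows event records (added example, not Sigma's own code)."""
from typing import Any, Dict, List

# Assumption: Sigma's generic 'windefend' service is resolved to this channel,
# as common Sigma backends do for Windows event logs.
LOGSOURCE_CHANNELS = {
    ("windows", "windefend"): "Microsoft-Windows-Windows Defender/Operational",
}

# The rule's logsource and detection sections, transcribed from the page.
RULE: Dict[str, Any] = {
    "title": "Windows Defender Grace Period Expired",
    "logsource": {"product": "windows", "service": "windefend"},
    "detection": {"selection": {"EventID": 5101}, "condition": "selection"},
}


def _field_matches(event: Dict[str, Any], field: str, expected: Any) -> bool:
    """A Sigma field clause matches when the event value equals any listed
    value (a scalar or a list; lists are OR-ed, as in Sigma)."""
    values = expected if isinstance(expected, list) else [expected]
    return str(event.get(field)) in {str(v) for v in values}


def event_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True if the event comes from the rule's logsource channel and satisfies
    every field of the single selection named by 'condition'."""
    ls = rule["logsource"]
    channel = LOGSOURCE_CHANNELS.get((ls["product"], ls["service"]))
    if channel and event.get("Channel") != channel:
        return False  # same EventID from another provider is not this rule
    det = rule["detection"]
    selection = det[det["condition"].strip()]  # handles 'condition: <name>' only
    return all(_field_matches(event, f, v) for f, v in selection.items())


def find_alerts(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [e for e in events if event_matches(rule, e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5101, "Computer": "WS01"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 1116, "Computer": "WS01"},
    {"Channel": "Application", "EventID": 5101, "Computer": "WS02"},  # same ID, other channel
]

if __name__ == "__main__":
    for e in find_alerts(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['title']}] host={e['Computer']} EventID={e['EventID']}")
```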