Windows Defender Grace Period Expired

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

Sigma rule (View on GitHub)

 1title: Windows Defender Grace Period Expired
 2id: 360a1340-398a-46b6-8d06-99b905dc69d2
 3related:
 4    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 5      type: obsolete
 6status: stable
 7description: |
 8        Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
 9references:
10    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
12    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
13author: Ján Trenčanský, frack113
14date: 2020-07-28
15modified: 2023-11-22
16tags:
17    - attack.defense-evasion
18    - attack.t1562.001
19logsource:
20    product: windows
21    service: windefend
22detection:
23    selection:
24        EventID: 5101 # The antimalware platform is expired.
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top