Windows Defender Grace Period Expired

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

Sigma rule

title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
      type: obsoletes
status: stable
description: |
        Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
    - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2023/11/22
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5101 # The antimalware platform is expired.
    condition: selection
falsepositives:
    - Unknown
level: high
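To show what this rule actually matches once it reaches a SIEM, here is an added example (not part of the SigmaHQ rule or its tooling) that evaluates the rule's logsource and selection block over a few constructed JSON log records. The channel name assumed for `service: windefend`, the record shapes and the event descriptions other than 5101 are assumptions of this example.

```python
# Added example: minimal evaluator for the rule above, run over constructed Defender log records.
import json

# Assumption: the usual Sigma mapping of `service: windefend` to this event channel.
WINDEFEND_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# The rule's logsource and detection blocks, transcribed from the YAML above.
RULE = {
    "logsource": {"product": "windows", "service": "windefend"},
    "detection": {"selection": {"EventID": 5101}, "condition": "selection"},
}

# Constructed sample records in the one-JSON-object-per-line shape a log shipper might forward.
# Record 42 carries EventID as a string, record 43 is a different channel that reuses the number.
SAMPLE_LOG = """\
{"RecordNumber": 41, "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 1001, "Computer": "ws01.corp.example", "Message": "constructed: routine scan event"}
{"RecordNumber": 42, "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": "5101", "Computer": "ws01.corp.example", "Message": "constructed: The antimalware platform is expired."}
{"RecordNumber": 43, "Channel": "System", "EventID": 5101, "Computer": "ws02.corp.example", "Message": "constructed: unrelated event sharing the ID"}
{"RecordNumber": 44, "Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5101, "Computer": "ws03.corp.example", "Message": "constructed: The antimalware platform is expired."}
"""

def in_logsource(event, logsource):
    """Restrict matching to the Defender operational channel when the rule targets windefend."""
    if logsource.get("service") == "windefend":
        return event.get("Channel") == WINDEFEND_CHANNEL
    return True

def selection_matches(event, selection):
    """AND every field/value pair; compare as strings because shippers differ on EventID typing."""
    return all(str(event.get(field)) == str(value) for field, value in selection.items())

def evaluate_rule(rule, log_text):
    """Return the RecordNumbers of records satisfying logsource plus the plain 'selection' condition."""
    assert rule["detection"]["condition"] == "selection", "only the simple condition is supported here"
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if in_logsource(event, rule["logsource"]) and selection_matches(event, rule["detection"]["selection"]):
            hits.append(event["RecordNumber"])
    return hits

if __name__ == "__main__":
    for rec in evaluate_rule(RULE, SAMPLE_LOG):
        print(f"ALERT level=high rule='Windows Defender Grace Period Expired' record={rec}")
```

Records 42 and 44 fire; record 43 is excluded by the logsource check even though the EventID matches, which is why the channel restriction matters when the rule is converted for a backend.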
