Windows Defender Submit Sample Feature Disabled

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Sigma rule (View on GitHub)

 1title: Windows Defender Submit Sample Feature Disabled
 2id: 91903aba-1088-42ee-b680-d6d94fe002b0
 3related:
 4    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 5      type: similar
 6    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
 7      type: similar
 8    - id: 801bd44f-ceed-4eb6-887c-11544633c0aa
 9      type: similar
10status: stable
11description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
12references:
13    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
14    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2022/12/06
17tags:
18    - attack.defense_evasion
19    - attack.t1562.001
20logsource:
21    product: windows
22    service: windefend
23detection:
24    selection:
25        EventID: 5007 # The antimalware platform configuration changed.
26        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
27    condition: selection
28falsepositives:
29    - Administrator activity (must be investigated)
30level: low

References

Related rules

to-top