Windows Defender Threat Detection Disabled
Detects disabling Windows Defender threat protection
Sigma rule

title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
status: stable
description: Detects disabling Windows Defender threat protection
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2022/12/06
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID:
            - 5001 # Real-time protection is disabled.
            - 5010 # Scanning for malware and other potentially unwanted software is disabled.
            - 5012 # Scanning for viruses is disabled.
            - 5101 # The antimalware platform is expired.
    condition: selection
falsepositives:
    - Administrator actions (should be investigated)
    - Seen being triggered occasionally during Windows 8 Defender Updates
level: high
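The following is an added example, not part of the rule page or the Sigma project, showing what the rule's `selection` and `condition` evaluate to when applied to exported Defender events. It assumes that `service: windefend` resolves to the `Microsoft-Windows-Windows Defender/Operational` channel (as the public Sigma backends map it) and that events are dicts with `Channel`, `EventID`, `Computer` and `TimeCreated` keys, as in a JSON export of that log; the sample events are constructed, not real telemetry.

```python
# Evaluate the "Windows Defender Threat Detection Disabled" selection over
# exported Defender events. Added example, not the rule page's own code.

# The four event IDs from the rule, with the meanings given in its comments.
DEFENDER_DISABLED_EVENT_IDS = {
    5001: "Real-time protection is disabled.",
    5010: "Scanning for malware and other potentially unwanted software is disabled.",
    5012: "Scanning for viruses is disabled.",
    5101: "The antimalware platform is expired.",
}

# Assumption: Sigma's `service: windefend` maps to this channel, which is how
# the public Sigma backends resolve it. Field names mirror a JSON export of
# the Windows event log (Channel, EventID, Computer, TimeCreated).
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

RULE_TITLE = "Windows Defender Threat Detection Disabled"
RULE_LEVEL = "high"


def matches_selection(event):
    """Return True when an event satisfies the rule's `selection` block.

    The logsource restricts matching to the Defender operational channel, so
    an event with the same ID from another channel must not match.
    """
    return (
        event.get("Channel") == DEFENDER_CHANNEL
        and event.get("EventID") in DEFENDER_DISABLED_EVENT_IDS
    )


def detect(events):
    """Apply `condition: selection` to a list of events and return alerts.

    Each alert carries the rule level and the meaning of the event ID so an
    analyst can see which protection was disabled without looking the ID up.
    """
    alerts = []
    for event in events:
        if matches_selection(event):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "host": event.get("Computer"),
                "time": event.get("TimeCreated"),
                "event_id": event["EventID"],
                "meaning": DEFENDER_DISABLED_EVENT_IDS[event["EventID"]],
            })
    return alerts


# Constructed sample events: two that the rule should flag, one routine
# Defender event with an ID the rule does not cover, and one event from a
# different channel that reuses ID 5001 and therefore must not fire.
SAMPLE_EVENTS = [
    {"Channel": DEFENDER_CHANNEL, "EventID": 5001,
     "Computer": "WS01", "TimeCreated": "2023-01-01T10:00:00Z"},
    {"Channel": DEFENDER_CHANNEL, "EventID": 1000,
     "Computer": "WS01", "TimeCreated": "2023-01-01T10:05:00Z"},
    {"Channel": DEFENDER_CHANNEL, "EventID": 5101,
     "Computer": "WS02", "TimeCreated": "2023-01-01T11:00:00Z"},
    {"Channel": "System", "EventID": 5001,
     "Computer": "WS03", "TimeCreated": "2023-01-01T11:30:00Z"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['host']} {alert['time']} "
              f"EventID {alert['event_id']}: {alert['meaning']}")
```

Run stand-alone, the script reports the 5001 event on WS01 and the 5101 event on WS02 and nothing else. As the rule's `falsepositives` section says, a hit from an administrator's own change is still worth investigating rather than suppressing, so the function returns every match and leaves triage to the analyst.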