Win Defender Restored Quarantine File

Aug 12, 2024 · attack.defense-evasion attack.t1562.001 ·

Detects the restoration of files from the defender quarantine

Sigma rule (View on GitHub)

 1title: Win Defender Restored Quarantine File
 2id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
 3status: test
 4description: Detects the restoration of files from the defender quarantine
 5references:
 6    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-12-06
 9tags:
10    - attack.defense-evasion
11    - attack.t1562.001
12logsource:
13    product: windows
14    service: windefend
15detection:
16    selection:
17        EventID: 1009 # The antimalware platform restored an item from quarantine.
18    condition: selection
19falsepositives:
20    - Legitimate administrator activity restoring a file
21level: high

References

Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint

Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors.

Read More

Win Defender Restored Quarantine File

Sigma rule (View on GitHub)

References

Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint

Related rules