Windows Defender Configuration Changes

Detects suspicious changes to the Windows Defender configuration

Sigma rule (View on GitHub)

 1title: Windows Defender Configuration Changes
 2id: 801bd44f-ceed-4eb6-887c-11544633c0aa
 3related:
 4    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 5      type: similar
 6    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
 7      type: similar
 8    - id: 91903aba-1088-42ee-b680-d6d94fe002b0
 9      type: similar
10status: stable
11description: Detects suspicious changes to the Windows Defender configuration
12references:
13    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
14    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2022-12-06
17modified: 2023-11-24
18tags:
19    - attack.defense-evasion
20    - attack.t1562.001
21logsource:
22    product: windows
23    service: windefend
24detection:
25    selection:
26        EventID: 5007 # The antimalware platform configuration changed.
27        NewValue|contains:
28            # TODO: Add more suspicious values
29            - '\Windows Defender\DisableAntiSpyware '
30            # - '\Windows Defender\Features\TamperProtection ' # Might produce FP
31            - '\Windows Defender\Scan\DisableRemovableDriveScanning '
32            - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
33            - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
34            - '\Real-Time Protection\SpyNetReporting '
35            # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
36            # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
37    condition: selection
38falsepositives:
39    - Administrator activity (must be investigated)
40level: high

References

Related rules

to-top