Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Sigma rule

title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021/07/05
modified: 2022/12/06
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled, any attempt to change any of Defender's settings is blocked; Event ID 5013 is generated and states which setting change was blocked.
        Value|endswith:
            - '\Windows Defender\DisableAntiSpyware'
            - '\Windows Defender\DisableAntiVirus'
            - '\Windows Defender\Scan\DisableArchiveScanning'
            - '\Windows Defender\Scan\DisableScanningNetworkFiles'
            - '\Real-Time Protection\DisableRealtimeMonitoring'
            - '\Real-Time Protection\DisableBehaviorMonitoring'
            - '\Real-Time Protection\DisableIOAVProtection'
            - '\Real-Time Protection\DisableScriptScanning'
    condition: selection
falsepositives:
    - Administrator might try to disable defender features during testing (must be investigated)
level: high
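The selection above, applied to a handful of constructed Event ID 5013 records, as an added example that is neither the rule's nor the SigmaHQ project's own code. It assumes the pipeline surfaces each event as a flat dict with EventID and Value fields, and it mirrors Sigma's case-insensitive string matching for the endswith modifier.

```python
# Added example, not part of the Sigma rule or of SigmaHQ. The flat
# (EventID, Value) dict layout is an assumption about how a log pipeline
# exposes the event's fields; all sample records below are constructed.

# The rule's `Value|endswith` list, copied verbatim.
TAMPERED_SETTINGS = (
    r"\Windows Defender\DisableAntiSpyware",
    r"\Windows Defender\DisableAntiVirus",
    r"\Windows Defender\Scan\DisableArchiveScanning",
    r"\Windows Defender\Scan\DisableScanningNetworkFiles",
    r"\Real-Time Protection\DisableRealtimeMonitoring",
    r"\Real-Time Protection\DisableBehaviorMonitoring",
    r"\Real-Time Protection\DisableIOAVProtection",
    r"\Real-Time Protection\DisableScriptScanning",
)


def rule_matches(event: dict) -> bool:
    """Selection = EventID 5013 AND Value ends with one of the listed paths.
    Sigma string comparisons are case-insensitive, so both sides are lowered."""
    if str(event.get("EventID", "")) != "5013":
        return False
    value = str(event.get("Value", "")).lower()
    return any(value.endswith(s.lower()) for s in TAMPERED_SETTINGS)


def matching_values(events: list) -> list:
    """Return the Value field of every event the rule would alert on."""
    return [e["Value"] for e in events if rule_matches(e)]


# Constructed sample records (illustrative, not captured from a host).
SAMPLE_EVENTS = [
    {"EventID": 5013,
     "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 5013,  # different casing: still matches
     "Value": r"hklm\software\microsoft\windows defender\scan\disablearchivescanning"},
    {"EventID": 5013,  # blocked change to a setting the rule does not list
     "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"EventID": 5001,  # listed setting but a different EventID: no match
     "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for v in matching_values(SAMPLE_EVENTS):
        print("ALERT (level high):", v)
```

The third record shows the rule's scope: Tamper Protection logs 5013 for any blocked setting change, but the rule only alerts on the listed disable-style values.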
