Windows Defender Threat Detected

Dec 21, 2023 · attack.execution attack.t1059 ·

Detects actions taken by Windows Defender malware detection engines

Sigma rule (View on GitHub)

 1title: Windows Defender Threat Detected
 2id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
 3status: stable
 4description: Detects actions taken by Windows Defender malware detection engines
 5references:
 6    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
 7author: Ján Trenčanský
 8date: 2020/07/28
 9tags:
10    - attack.execution
11    - attack.t1059
12logsource:
13    product: windows
14    service: windefend
15detection:
16    selection:
17        EventID:
18            - 1006 # The antimalware engine found malware or other potentially unwanted software.
19            - 1015 # The antimalware platform detected suspicious behavior.
20            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
21            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint

Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors.

Read More

Windows Defender Threat Detected

Sigma rule (View on GitHub)

References

Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint

Related rules