Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines
Sigma rule:

```yaml
title: Windows Defender Threat Detected
id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
status: stable
description: Detects actions taken by Windows Defender malware detection engines
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
author: Ján Trenčanský
date: 2020/07/28
tags:
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID:
            - 1006 # The antimalware engine found malware or other potentially unwanted software.
            - 1015 # The antimalware platform detected suspicious behavior.
            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
            - 1117 # The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
    condition: selection
falsepositives:
    - Unlikely
level: high
```
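To show what this rule does when run against actual event records, the following is an added Python example, not code from the rule's author or from SigmaHQ. It transcribes the rule's logsource and `selection` block and evaluates them over constructed Windows Defender events. Two things are assumptions: the `windefend` service is taken to correspond to the `Microsoft-Windows-Windows Defender/Operational` channel (a Sigma backend's mapping, not something the rule states), and events are modelled as flat dictionaries of the fields a SIEM keeps. The sample events, host names, threat names and paths are all constructed.

```python
"""Apply the Sigma detection above to constructed Windows Defender events.

Added example, not code from the rule's author or from SigmaHQ. Assumptions,
also labelled inline: the `windefend` logsource is mapped to the
"Microsoft-Windows-Windows Defender/Operational" channel (a backend's job, not
the rule's), and events are modelled as flat dicts of the fields a SIEM keeps.
"""

# Assumed channel name for the Sigma `windefend` service.
WINDEFEND_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# The rule's `selection`: the four Event IDs, with the meaning the rule gives each.
SELECTION_EVENT_IDS = {
    1006: "engine found malware or other potentially unwanted software",
    1015: "platform detected suspicious behavior",
    1116: "platform detected malware or other potentially unwanted software",
    1117: "platform performed an action to protect the system",
}

# Constructed sample events (not captured data). Some pipelines deliver EventID
# as a string rather than an integer, so one record does that deliberately.
SAMPLE_EVENTS = [
    {"Channel": WINDEFEND_CHANNEL, "EventID": 1116, "Computer": "WS01",
     "Threat Name": "Trojan:Win32/ConstructedSample",
     "Path": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Channel": WINDEFEND_CHANNEL, "EventID": 1117, "Computer": "WS01",
     "Threat Name": "Trojan:Win32/ConstructedSample", "Action Name": "Quarantine"},
    {"Channel": WINDEFEND_CHANNEL, "EventID": 1001, "Computer": "WS01"},  # scan finished: not in selection
    {"Channel": "Security", "EventID": 4688, "Computer": "WS01"},          # different logsource
    {"Channel": "Security", "EventID": 1116, "Computer": "WS01"},          # right ID, wrong channel
    {"Channel": WINDEFEND_CHANNEL, "EventID": "1006", "Computer": "WS02",
     "Threat Name": "PUA:Win32/ConstructedSample"},                        # string-typed EventID
]


def event_id(event):
    """Return EventID as an int, or None when it is missing or not numeric."""
    try:
        return int(event.get("EventID"))
    except (TypeError, ValueError):
        return None


def in_logsource(event):
    """The rule's logsource (product: windows, service: windefend), via the assumed channel mapping."""
    return event.get("Channel") == WINDEFEND_CHANNEL


def matches_selection(event):
    """The rule's `selection` block: EventID is one of the four listed values."""
    return event_id(event) in SELECTION_EVENT_IDS


def rule_matches(event):
    """`condition: selection`, evaluated only on events that belong to the rule's logsource."""
    return in_logsource(event) and matches_selection(event)


def evaluate(events):
    """Return the events that fire the rule, preserving input order."""
    return [e for e in events if rule_matches(e)]


def alert_lines(events):
    """One line per match, carrying the fields an analyst triages first."""
    lines = []
    for e in evaluate(events):
        eid = event_id(e)
        lines.append(
            f"[high] {e.get('Computer', '?')} EventID={eid} ({SELECTION_EVENT_IDS[eid]})"
            f" threat={e.get('Threat Name', '-')} action={e.get('Action Name', '-')}"
        )
    return lines


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```

Run as a script it prints three alerts: the 1116 detection, the 1117 quarantine action, and the 1006 record whose EventID arrived as a string. The `Security` channel event carrying EventID 1116 does not fire, which is the point of keeping the logsource check separate from the selection: without it, unrelated logs that reuse the same numeric ID would produce false positives the rule's author rated as unlikely.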