Windows Defender Threat Detected

Detects actions taken by Windows Defender malware detection engines

Sigma rule (View on GitHub)

 1title: Windows Defender Threat Detected
 2id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
 3status: stable
 4description: Detects actions taken by Windows Defender malware detection engines
 5references:
 6    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
 7author: Ján Trenčanský
 8date: 2020-07-28
 9tags:
10    - attack.execution
11    - attack.t1059
12logsource:
13    product: windows
14    service: windefend
15detection:
16    selection:
17        EventID:
18            - 1006 # The antimalware engine found malware or other potentially unwanted software.
19            - 1015 # The antimalware platform detected suspicious behavior.
20            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
21            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

Related rules

to-top