Windows Defender Disabled Via SystemSettingsAdminFlows.EXE

Detects the usage of SystemSettingsAdminFlows.exe to disable Windows Defender. SystemSettingsAdminFlows.exe is a legitimate Windows component used for administrative configuration tasks. However, attackers may abuse it to disable Windows Defender as part of their attack chain, especially in the context of ransomware or other malware campaigns.

Sigma rule (View on GitHub)

 1title: Windows Defender Disabled Via SystemSettingsAdminFlows.EXE
 2id: da92713f-ca2d-4fab-8320-098013d3f43a
 3status: experimental
 4description: |
 5    Detects the usage of SystemSettingsAdminFlows.exe to disable Windows Defender.
 6    SystemSettingsAdminFlows.exe is a legitimate Windows component used for administrative configuration tasks.
 7    However, attackers may abuse it to disable Windows Defender as part of their attack chain, especially in the context of ransomware or other malware campaigns.    
 8references:
 9    - https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
10    - https://www.huntress.com/blog/lolbin-to-inc-ransomware
11tags:
12    - attack.defense-impairment
13    - attack.t1685
14author: Chirag Damani (KPMG India), Swachchhanda Shrawan Poudel (Nextron Systems)
15date: 2026-07-01
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_ssaf_img:
21        - Image|endswith: '\SystemSettingsAdminFlows.exe'
22        - OriginalFileName: 'SystemSettingsAdminFlows.EXE'
23    selection_ssaf_cli:
24        CommandLine|contains: 'defender'
25    selection_cli_enable_opt:
26        CommandLine|contains:
27            - 'RTP '
28            - 'RealTimeProtection '
29            - 'DisableEnhancedNotifications '
30    selection_cli_enable_value:
31        CommandLine|contains: '1'
32    selection_cli_disable_opt:
33        CommandLine|contains:
34            - 'SubmitSamplesConsent '
35            - 'SpyNetReporting '
36            - 'DisableCDPUserAuthPolicy '
37    selection_cli_disable_value:
38        CommandLine|contains: '0'
39    # In Enterprise environments, if defender was disabled via GUI, it would be expected to see the following parent-child process relationship:
40    # Thus, uncomment the below filter to exclude such cases because of high false positives:
41    # filter_main_gui_options:
42    #     ParentImage|endswith:
43    #         - '\SystemSettings.exe'
44    #         - '\Explorer.exe'
45    condition: all of selection_ssaf_* and (all of selection_cli_enable_* or all of selection_cli_disable_*)
46falsepositives:
47    - Legitimate turn off of Windows Defender by the technical users or administrators for troubleshooting or other purposes.
48level: high
49regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_systemsettingsadminflows_defender_disable/info.yml

References

Related rules

to-top