Windows Defender Threat Severity Default Action Modified

 1title: Windows Defender Threat Severity Default Action Modified
 2id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
 3related:
 4    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
 5      type: similar
 6status: experimental
 7description: |
 8    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
 9    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
10    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.    
11references:
12    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
13    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
14    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
15    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
16    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
17author: 'Matt Anderson (Huntress)'
18date: 2025-07-11
19tags:
20    - attack.defense-evasion
21    - attack.t1562.001
22logsource:
23    category: registry_event
24    product: windows
25detection:
26    selection:
27        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
28        TargetObject|endswith:
29            - '\1' # Low severity
30            - '\2' # Moderate severity
31            - '\4' # High severity
32            - '\5' # Severe severity
33        Details:
34            - 'DWORD (0x00000006)' # Allow
35            - 'DWORD (0x00000009)' # NoAction
36    condition: selection
37falsepositives:
38    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
39    - Software installations that legitimately modify Defender settings (less common for these specific keys).
40level: high

References

• Set-MpPreference (Defender)

  

  The Set-MpPreference cmdlet configures preferences for Windows Defender scans and updates.

  
  Read More

• ThreatSeverityDefaultAction

  

  ThreatSeverityDefaultAction

  
  Read More

• https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952

  
  Read More

• quick-disable-windows-defender.bat

  

  GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

• IcedID to XingLocker Ransomware in 24 hours

  

  Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…

  
  Read More

Related rules

• Disabling Windows Defender WMI Autologger Session via Reg.exe
• PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
• Windows Defender Context Menu Removed
• Antivirus Filter Driver Disallowed On Dev Drive - Registry
• Disable ASLR Via Personality Syscall - Linux