Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Sigma rule (View on GitHub)
1title: Windows Defender Service Disabled - Registry
2id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
3status: experimental
4description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
5references:
6 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
7 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
8author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
9date: 2022-08-01
10modified: 2024-03-25
11tags:
12 - attack.defense-evasion
13 - attack.t1562.001
14logsource:
15 product: windows
16 category: registry_set
17detection:
18 selection:
19 TargetObject|endswith: '\Services\WinDefend\Start'
20 Details: 'DWORD (0x00000004)'
21 condition: selection
22falsepositives:
23 - Administrator actions
24level: high
References
-
Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility