Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
Sigma rule (View on GitHub)
1title: Disabled Windows Defender Eventlog
2id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
3status: test
4description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
5references:
6 - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
7author: Florian Roth (Nextron Systems)
8date: 2022-07-04
9modified: 2023-08-17
10tags:
11 - attack.defense-evasion
12 - attack.t1562.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
19 Details: 'DWORD (0x00000000)'
20 condition: selection
21falsepositives:
22 - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
23level: high
References
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility