Disable Tamper Protection on Windows Defender

Detects disabling Windows Defender Tamper Protection

Sigma rule (View on GitHub)

 1title: Disable Tamper Protection on Windows Defender
 2id: 93d298a1-d28f-47f1-a468-d971e7796679
 3status: test
 4description: Detects disabling Windows Defender Tamper Protection
 5references:
 6    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
 7author: Austin Songer @austinsonger
 8date: 2021-08-04
 9modified: 2023-08-17
10tags:
11    - attack.defense-evasion
12    - attack.t1562.001
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
19        Details: DWORD (0x00000000)
20    filter_msmpeng_client: # only disabled temporarily during updates
21        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
22        Image|endswith: '\MsMpEng.exe'
23    filter_msmpeng_domain_controller: # only disabled temporarily during updates
24        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
25    condition: selection and not 1 of filter_*
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top