Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
Sigma rule (View on GitHub)
1title: Disable Tamper Protection on Windows Defender
2id: 93d298a1-d28f-47f1-a468-d971e7796679
3status: experimental
4description: Detects disabling Windows Defender Tamper Protection
5references:
6 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
7author: Austin Songer @austinsonger
8date: 2021/08/04
9modified: 2023/08/17
10tags:
11 - attack.defense_evasion
12 - attack.t1562.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
19 Details: DWORD (0x00000000)
20 filter_msmpeng_client: # only disabled temporarily during updates
21 Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
22 Image|endswith: '\MsMpEng.exe'
23 filter_msmpeng_domain_controller: # only disabled temporarily during updates
24 Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
25 condition: selection and not 1 of filter_*
26falsepositives:
27 - Unknown
28level: medium
References
-
How to Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 10 Starting with Windows 10 version 2004, Windows Defender Antivirus as been renamed to Microsoft Defender Antivi...
Read More
Related rules
- Disable Exploit Guard Network Protection on Windows Defender
- Disable PUA Protection on Windows Defender
- Disable Privacy Settings Experience in Registry
- Disable Windows Defender Functionalities Via Registry Keys
- Disabled Windows Defender Eventlog