Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
Sigma rule (View on GitHub)
1title: Disable Tamper Protection on Windows Defender
2id: 93d298a1-d28f-47f1-a468-d971e7796679
3status: experimental
4description: Detects disabling Windows Defender Tamper Protection
5references:
6 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
7author: Austin Songer @austinsonger
8date: 2021/08/04
9modified: 2023/08/17
10tags:
11 - attack.defense_evasion
12 - attack.t1562.001
13logsource:
14 category: registry_set
15 product: windows
16detection:
17 selection:
18 TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
19 Details: DWORD (0x00000000)
20 filter_msmpeng_client: # only disabled temporarily during updates
21 Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
22 Image|endswith: '\MsMpEng.exe'
23 filter_msmpeng_domain_controller: # only disabled temporarily during updates
24 Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
25 condition: selection and not 1 of filter_*
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- Disable Exploit Guard Network Protection on Windows Defender
- Disable PUA Protection on Windows Defender
- Disable Privacy Settings Experience in Registry
- Disable Windows Defender Functionalities Via Registry Keys
- Disabled Windows Defender Eventlog