Techniques
Sample rules
Windows Defender Threat Detection Service Disabled
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects when the “Windows Defender Threat Protection” service is disabled.
Detection logic
condition: selection
selection:
  EventID: 7036
  Provider_Name: Service Control Manager
  param1:
    - Windows Defender Antivirus Service
    - Service antivirus Microsoft Defender
  param2:
    - stopped
    - "arrêté"
Windows Defender Exclusions Added
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects the setting of Windows Defender exclusions
Detection logic
condition: selection
selection:
  EventID: 5007
  NewValue|contains: \Microsoft\Windows Defender\Exclusions
Scripted Diagnostics Turn Off Check Enabled - Registry
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects the enabling of TurnOffCheck, which can be used to bypass the mitigation for the MSDT Follina vulnerability
Detection logic
condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck
Windows Defender Exclusions Added - Registry
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects the setting of Windows Defender exclusions via the registry
Detection logic
condition: selection2
selection2:
  TargetObject|contains: \Microsoft\Windows Defender\Exclusions
Windows Defender Service Disabled - Registry
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Detection logic
condition: selection
selection:
  Details: DWORD (0x00000004)
  TargetObject|endswith: \Services\WinDefend\Start
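As an added example (not part of this page's rule set or the Sigma project's own code), a minimal Python matcher that applies the five selections above to constructed sample events. It implements the plain-equality, `contains` and `endswith` comparisons and the OR semantics of value lists as Sigma defines them; the sample events are constructed, not real telemetry.

```python
# Selections transcribed from the rules above; "field|modifier" keys follow Sigma syntax.
RULES = {
    "Windows Defender Threat Detection Service Disabled": {
        "EventID": 7036, "Provider_Name": "Service Control Manager",
        "param1": ["Windows Defender Antivirus Service", "Service antivirus Microsoft Defender"],
        "param2": ["stopped", "arrêté"]},
    "Windows Defender Exclusions Added": {
        "EventID": 5007, "NewValue|contains": r"\Microsoft\Windows Defender\Exclusions"},
    "Scripted Diagnostics Turn Off Check Enabled - Registry": {
        "Details": "DWORD (0x00000001)",
        "TargetObject|endswith": r"\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck"},
    "Windows Defender Exclusions Added - Registry": {
        "TargetObject|contains": r"\Microsoft\Windows Defender\Exclusions"},
    "Windows Defender Service Disabled - Registry": {
        "Details": "DWORD (0x00000004)", "TargetObject|endswith": r"\Services\WinDefend\Start"},
}

# Sigma value modifiers used on this page; a plain key means exact (case-insensitive) equality.
MODIFIERS = {
    "": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "endswith": lambda value, pattern: value.endswith(pattern),
}

def field_matches(event: dict, key: str, pattern) -> bool:
    """One selection entry: a list of values is OR-ed; strings compare case-insensitively."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    value = str(event[field]).lower()
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(MODIFIERS[modifier](value, str(p).lower()) for p in patterns)

def match_rules(event: dict) -> list[str]:
    """Every entry of a selection must match (AND); returns the titles of the rules that fire."""
    return [title for title, selection in RULES.items()
            if all(field_matches(event, key, pat) for key, pat in selection.items())]

# Constructed sample events: a Defender service stop, a benign state change, two Sysmon
# EventID 13 registry writes, and a Defender operational-log 5007 configuration change.
SAMPLE_EVENTS = [
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "running"},
    {"EventID": 13, "Details": "DWORD (0x00000004)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start"},
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools"},
    {"EventID": 5007, "NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0"},
]
```

Running `match_rules` over `SAMPLE_EVENTS` fires exactly one rule for each event except the benign service-state change, which matches nothing.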