Techniques
Sample rules
Windows Defender Submit Sample Feature Disabled
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects disabling of the “Automatic Sample Submission” feature of Windows Defender.
Detection logic
selection:
  EventID: 5007
  NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
condition: selection
Windows Defender Configuration Changes
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects suspicious changes to the Windows Defender configuration.
Detection logic
selection:
  EventID: 5007
  NewValue|contains:
    - '\Windows Defender\DisableAntiSpyware '
    - '\Windows Defender\Scan\DisableRemovableDriveScanning '
    - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
    - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
    - '\Real-Time Protection\SpyNetReporting '
condition: selection
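An added example, not code from the Sigma project, that applies both selections above to constructed Event ID 5007 records and shows why the trailing spaces in the second rule matter; the registry key prefix and the sample values are assumptions.

```python
# Added example, not part of the Sigma project: a minimal evaluator for the two
# selections above, run over constructed Event ID 5007 records (the event's
# "New Value" data is the field the rules above call NewValue).
RULES = {
    "Windows Defender Submit Sample Feature Disabled": {
        "EventID": 5007,
        "NewValue|contains": [r"\Real-Time Protection\SubmitSamplesConsent = 0x0"],
    },
    "Windows Defender Configuration Changes": {
        "EventID": 5007,
        # Trailing spaces are deliberate: NewValue reads "<key path> = <data>", so
        # "DisableAntiSpyware " matches that key only, not a longer name with the same prefix.
        "NewValue|contains": [
            r"\Windows Defender\DisableAntiSpyware ",
            r"\Windows Defender\Scan\DisableRemovableDriveScanning ",
            r"\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ",
            r"\Windows Defender\SpyNet\DisableBlockAtFirstSeen ",
            r"\Real-Time Protection\SpyNetReporting ",
        ],
    },
}

def field_matches(event, key, expected):
    # One 'Field' or 'Field|contains' entry; Sigma string matching is
    # case-insensitive and a list of values is OR-ed.
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier == "contains":
        return any(needle.lower() in str(value).lower() for needle in expected)
    return value == expected

def selection_matches(event, selection):
    # All entries of a selection map must hold (implicit AND).
    return all(field_matches(event, k, v) for k, v in selection.items())

def matching_rules(event):
    # Names of the rules above whose selection fires on the event.
    return [name for name, sel in RULES.items() if selection_matches(event, sel)]

# Constructed sample events (not captured from a real host).
PREFIX = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
SAMPLE_EVENTS = [
    {"EventID": 5007, "NewValue": PREFIX + r"\Real-Time Protection\SubmitSamplesConsent = 0x0"},
    {"EventID": 5007, "NewValue": PREFIX + r"\DisableAntiSpyware = 0x1"},
    {"EventID": 5007, "NewValue": PREFIX + r"\Real-Time Protection\SubmitSamplesConsent = 0x1"},
    {"EventID": 5007, "NewValue": PREFIX + r"\Scan\ScanParameters = 0x2"},
    {"EventID": 1116, "NewValue": PREFIX + r"\DisableAntiSpyware = 0x1"},
]
```

Only the first two sample events fire; re-enabling sample submission (0x1), an unrelated 5007 change, and a non-5007 event stay silent.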