LoFP / administrator might try to disable Defender features during testing (must be investigated)

Techniques

Sample rules

Microsoft Defender Tamper Protection Trigger

Description

Detects attempts to change Defender settings such as real-time monitoring or behavior monitoring that Tamper Protection blocked, reported as Event ID 5013 in the Microsoft-Windows-Windows Defender/Operational log. Because the change was blocked, a hit means someone or something tried to weaken Defender; the false positive to rule out is an administrator doing so deliberately during testing.

Detection logic

condition: selection
selection:
  EventID: 5013
  Value|endswith:
  - \Windows Defender\DisableAntiSpyware
  - \Windows Defender\DisableAntiVirus
  - \Windows Defender\Scan\DisableArchiveScanning
  - \Windows Defender\Scan\DisableScanningNetworkFiles
  - \Real-Time Protection\DisableRealtimeMonitoring
  - \Real-Time Protection\DisableBehaviorMonitoring
  - \Real-Time Protection\DisableIOAVProtection
  - \Real-Time Protection\DisableScriptScanning