Techniques
Sample rules
Windows Defender Threat Detection Service Disabled
- source: sigma
- techniques:
- t1562
- t1562.001
Description
Detects when the “Windows Defender Threat Protection” service is disabled.
Detection logic
condition: selection
selection:
  EventID: 7036
  Provider_Name: Service Control Manager
  param1:
    - Windows Defender Antivirus Service
    - Service antivirus Microsoft Defender
  param2:
    - stopped
    - "arr\xEAt\xE9"  # YAML escapes for "arrêté", the French-localized "stopped"
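To see how this selection behaves on real-looking data, here is an added Python example (not code from the page or from the Sigma project) that applies the same field logic to constructed Event ID 7036 records, including the French-localized service and state strings. The flat field names and the simplified Sigma semantics (values under one field are ORed, fields are ANDed, string comparison is case-insensitive) are assumptions of this example.

```python
"""Evaluate the Sigma selection above against constructed System-log events.

Added example, not part of the page or of Sigma itself. Assumed semantics:
a YAML list under a field is an OR, the fields of a selection are ANDed,
and plain string values compare case-insensitively.
"""

# Field -> accepted values, transcribed from the rule's selection block.
RULE = {
    "EventID": [7036],
    "Provider_Name": ["Service Control Manager"],
    "param1": ["Windows Defender Antivirus Service",
               "Service antivirus Microsoft Defender"],
    "param2": ["stopped", "arr\xEAt\xE9"],  # \x escapes spell "arrêté" (French "stopped")
}

def _matches(value, patterns):
    # Any one listed value satisfies the field; strings compare case-insensitively.
    for p in patterns:
        if isinstance(p, str) and isinstance(value, str):
            if value.casefold() == p.casefold():
                return True
        elif value == p:
            return True
    return False

def selection_matches(event):
    # Every field in the selection must match; a missing field fails the event.
    return all(field in event and _matches(event[field], patterns)
               for field, patterns in RULE.items())

# Constructed sample events shaped like Event ID 7036 from the System log
# (param1 = service display name, param2 = new service state).
SAMPLE_EVENTS = [
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Service antivirus Microsoft Defender", "param2": "arrêté"},
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "running"},  # benign start
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Print Spooler", "param2": "stopped"},  # unrelated service
    {"EventID": 7040, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},  # wrong event ID
]

def alerts(events):
    # Indices of events that would raise this rule.
    return [i for i, e in enumerate(events) if selection_matches(e)]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 1]
```

Only the English and French "stopped" events fire; a service start, another service, or a different Event ID does not, which is the behaviour to confirm before tuning the rule for a localized estate.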