Techniques
Sample rules
Windows Defender Threat Severity Default Action Modified
- source: sigma
- techniques:
- t1562 (Impair Defenses)
- t1562.001 (Disable or Modify Tools)
Description
Detects modification or creation of Windows Defender's per-severity default threat action values (ThreatSeverityDefaultAction) to 'Allow' (6) or 'NoAction' (9). This is a highly suspicious configuration change: it stops Defender from automatically remediating threats of that severity, so detected malware is left in place and can run unimpeded. An attacker might use this technique to impair defenses before executing payloads. Legitimate administration (Group Policy, or Set-MpPreference with the -LowThreatDefaultAction, -ModerateThreatDefaultAction, -HighThreatDefaultAction or -SevereThreatDefaultAction parameters) writes the same values, so triage on the writing process and account rather than treating every hit as malicious.
Detection logic
The rule matches Sysmon Event ID 13 (registry value set) records. The value name under ThreatSeverityDefaultAction is the severity (1 = Low, 2 = Moderate, 4 = High, 5 = Severe); the DWORD data is the action (6 = Allow, 9 = NoAction).

detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1'
            - '\2'
            - '\4'
            - '\5'
        Details:
            - 'DWORD (0x00000006)'
            - 'DWORD (0x00000009)'
    condition: selection
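The selection above re-implemented in Python and run over a handful of constructed Sysmon Event ID 13 records, as an added example that is not part of the original page or of the Sigma rule. The severity and action names follow Microsoft's documented Defender codes; restricting the check to Event ID 13, the sample events and the process images are assumptions made for the example. Because the rule uses a `contains` clause, it matches writes under both the local key (HKLM\SOFTWARE\Microsoft\Windows Defender\...) and the policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\...), as the first two records show.

```python
# Added example, not part of the original page or of the Sigma rule:
# the rule's selection re-implemented and run over constructed Sysmon
# Event ID 13 (registry value set) records. Severity and action names
# follow Microsoft's documented Defender codes (Low=1, Moderate=2, High=4,
# Severe=5; Allow=6, NoAction=9); the sample events below are made up.

# TargetObject|contains
KEY_FRAGMENT = "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\"
# TargetObject|endswith, mapped to the severity each value name denotes
SEVERITY_SUFFIXES = {"\\1": "Low", "\\2": "Moderate", "\\4": "High", "\\5": "Severe"}
# Details (Sysmon renders REG_DWORD data as 'DWORD (0x........)')
ACTION_VALUES = {"DWORD (0x00000006)": "Allow", "DWORD (0x00000009)": "NoAction"}


def matches(event):
    """Apply the rule's selection to one Sysmon record.

    Returns (severity, action) when the record sets a watched severity to
    Allow or NoAction, otherwise None. Limiting to EventID 13 is an
    assumption: the page shows only the selection, but Details is the
    value-set event's field, so other registry events cannot match anyway.
    """
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if KEY_FRAGMENT not in target:
        return None
    suffix = next((s for s in SEVERITY_SUFFIXES if target.endswith(s)), None)
    if suffix is None:
        return None
    action = ACTION_VALUES.get(event.get("Details", ""))
    if action is None:
        return None
    return SEVERITY_SUFFIXES[suffix], action


def run_rule(events):
    """Return (Image, severity, action) for every record the selection matches."""
    hits = []
    for ev in events:
        hit = matches(ev)
        if hit is not None:
            hits.append((ev.get("Image", "?"),) + hit)
    return hits


# Constructed records: two writes that should fire, three that must not.
SAMPLE_EVENTS = [
    {   # Severe threats set to Allow (6) under the policy key via reg.exe
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\5",
        "Details": "DWORD (0x00000006)",
    },
    {   # High threats set to NoAction (9) under the local (non-policy) key
        "EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\4",
        "Details": "DWORD (0x00000009)",
    },
    {   # High threats set to Quarantine (2): a hardening change, must not fire
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\4",
        "Details": "DWORD (0x00000002)",
    },
    {   # Same data under an unrelated key: the contains clause rejects it
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Contoso\\Agent\\Settings\\5",
        "Details": "DWORD (0x00000006)",
    },
    {   # Key creation (EventID 12) carries no Details: out of scope
        "EventID": 12, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\5",
    },
]


if __name__ == "__main__":
    for image, severity, action in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {image} set Defender default action for {severity} threats to {action}")
```

Running the block prints two alerts, one for the reg.exe write of Allow for Severe threats and one for the PowerShell write of NoAction for High threats; the quarantine change, the unrelated key and the key-creation event are ignored. The Image field is carried into the hit so that the triage step from the description (which process and account made the change) is available without a second lookup.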