LoFP / Other antivirus software installations could cause Windows to disable that event log (unknown)

Techniques

Sample rules

Disabled Windows Defender Eventlog

Description

Detects the disabling of the Windows Defender event log channel (Microsoft-Windows-Windows Defender/Operational) by setting its WINEVT registry value Enabled to 0, as seen in relation to LockBit 3.0 infections.

Detection logic

condition: selection
selection:
  Details: 'DWORD (0x00000000)'
  TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
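The selection above run over constructed Sysmon Event ID 13 (RegistryEvent / SetValue) records, as an added example that is not part of the LoFP page or of the Sigma rule itself. The sample events, including the installer path used to stand in for a third-party antivirus setup, are constructed and hypothetical. The point it shows is the false positive named in the page title: a legitimate AV installer and a ransomware operator write the identical registry value, so the rule fires on both and the analyst has to triage on fields the rule does not look at, such as Image.

```python
"""Evaluate the 'Disabled Windows Defender Eventlog' Sigma selection over
constructed Sysmon EID 13 (RegistryEvent / SetValue) records.

Added example, not part of the LoFP page or the Sigma project. Events and
Image paths below are constructed; 'ExampleAV' is a hypothetical product.
"""

# Registry value under HKLM\SOFTWARE that controls the Defender event channel.
CHANNEL_ENABLED = (r"\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
                   r"\Microsoft-Windows-Windows Defender/Operational\Enabled")

# The rule's selection block: every field must match (AND semantics).
SELECTION = {
    "Details": "DWORD (0x00000000)",
    "TargetObject|contains": CHANNEL_ENABLED,
}


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Return True when all selection fields match the event.

    Sigma string matching is case-insensitive by default, so both the
    plain equality check and the |contains modifier lower-case the values.
    """
    for field, expected in selection.items():
        name, _, modifier = field.partition("|")
        value = str(event.get(name, "")).lower()
        want = expected.lower()
        if modifier == "contains":
            if want not in value:
                return False
        elif modifier == "":
            if value != want:
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


def run_rule(events):
    """Return the events that would raise an alert."""
    return [e for e in events if matches_selection(e)]


HIVE_PATH = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
             r"\Microsoft-Windows-Windows Defender/Operational\Enabled")

# Constructed Sysmon EID 13 records (subset of fields).
SAMPLE_EVENTS = [
    {   # True positive: the channel is switched off from reg.exe.
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": HIVE_PATH,
        "Details": "DWORD (0x00000000)",
    },
    {   # False positive from the page: a third-party AV installer (hypothetical
        # path) writes exactly the same value, so the rule cannot tell it apart.
        "EventID": 13,
        "Image": r"C:\Program Files\ExampleAV\setup.exe",
        "TargetObject": HIVE_PATH,
        "Details": "DWORD (0x00000000)",
    },
    {   # Not matched: the channel is being re-enabled (Details differs).
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": HIVE_PATH,
        "Details": "DWORD (0x00000001)",
    },
    {   # Not matched: a different channel under the same WINEVT\Channels key.
        "EventID": 13,
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT"
                         r"\Channels\Microsoft-Windows-Sysmon/Operational\Enabled"),
        "Details": "DWORD (0x00000000)",
    },
]


def alerting_images(events=SAMPLE_EVENTS):
    """Image paths of the alerting events; both the reg.exe and installer hits."""
    return [e["Image"] for e in run_rule(events)]


if __name__ == "__main__":
    for image in alerting_images():
        print("ALERT:", image)
```

Running it yields two alerts, one per writer of the zero value, which is the rule behaving as designed; the installer case is the false positive the page records, and the only way to separate the two with this rule is post-alert triage on Image, ParentImage and timing relative to a software deployment, not a change to the selection.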