Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Windows Defender Threat Severity Default Action Modified

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Windows Defender Threat Severity Default Action Modified

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
      type: similar
status: experimental
description: |
    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
falsepositives:
    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
    - Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml