Detectionhighstable

Windows Defender Grace Period Expired

Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ján Trenčanský, François HubautCreated Tue Jul 28Updated Wed Nov 22360a1340-398a-46b6-8d06-99b905dc69d2windows

Log Source

Windowswindefend

ProductWindows← raw: windows

Servicewindefend← raw: windefend

Detection Logic

detection:
    selection:
        EventID: 5101 # The antimalware platform is expired.
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

craigclouditpro.wordpress.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

Similar

fe34868f-6e0e-4882-81f6-c43aa8f15b62

Rule not found

Rule Metadata

Rule ID

360a1340-398a-46b6-8d06-99b905dc69d2

Status

stable

Level

high

Type

Detection

Created

Tue Jul 28

Modified

Wed Nov 22

Author

Ján Trenčanský, François Hubaut

Path

rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub