Type: Detection | Level: high | Status: stable

Microsoft Defender Tamper Protection Trigger

Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"

Authors: Bhabesh Raj, Nasreddine Bencherchali (Nextron Systems)
Created: Mon Jul 05
Updated: Tue Dec 06
Rule ID: 49e5bc24-8b86-49f1-b743-535f332c2856
Product: windows
Log Source
Product: Windows (raw: windows)
Service: windefend (raw: windefend)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
        Value|endswith:
            - '\Windows Defender\DisableAntiSpyware'
            - '\Windows Defender\DisableAntiVirus'
            - '\Windows Defender\Scan\DisableArchiveScanning'
            - '\Windows Defender\Scan\DisableScanningNetworkFiles'
            - '\Real-Time Protection\DisableRealtimeMonitoring'
            - '\Real-Time Protection\DisableBehaviorMonitoring'
            - '\Real-Time Protection\DisableIOAVProtection'
            - '\Real-Time Protection\DisableScriptScanning'
    condition: selection
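To show how the selection above behaves on real-looking records, here is an added Python example (not part of the Sigma rule or the Sigma project's code) that applies the same two conditions, EventID 5013 and a Value ending in one of the listed settings, to constructed Event 5013 entries. The sample event dictionaries, their registry paths and the "Computer" field are assumptions; only EventID and Value come from the rule.

```python
"""Apply the Sigma selection above to Defender Event 5013 records (added example)."""
from typing import Iterable

# Suffixes copied from the rule's Value|endswith list.
BLOCKED_SETTING_SUFFIXES = (
    r"\Windows Defender\DisableAntiSpyware",
    r"\Windows Defender\DisableAntiVirus",
    r"\Windows Defender\Scan\DisableArchiveScanning",
    r"\Windows Defender\Scan\DisableScanningNetworkFiles",
    r"\Real-Time Protection\DisableRealtimeMonitoring",
    r"\Real-Time Protection\DisableBehaviorMonitoring",
    r"\Real-Time Protection\DisableIOAVProtection",
    r"\Real-Time Protection\DisableScriptScanning",
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'EventID: 5013' AND 'Value|endswith: [...]'.

    EventID is compared as a string so that both int and string-typed log
    exports work. Sigma string modifiers are case-insensitive by default,
    so both sides of the endswith comparison are lowercased.
    """
    if str(event.get("EventID")) != "5013":
        return False
    value = str(event.get("Value", "")).lower()
    return any(value.endswith(suffix.lower()) for suffix in BLOCKED_SETTING_SUFFIXES)


def run_detection(events: Iterable[dict]) -> list:
    """Return the Value of every event that fires the rule, in input order."""
    return [e["Value"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only EventID and Value are
# fields the rule uses; "Computer" is an assumed extra field for realism.
SAMPLE_EVENTS = [
    {"EventID": 5013, "Computer": "ws01", "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": "5013", "Computer": "ws01", "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware"},
    # Same EventID but a setting the rule does not list: must not fire.
    {"EventID": 5013, "Computer": "ws02", "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpynetReporting"},
    # Listed setting but a different (constructed) EventID: must not fire.
    {"EventID": 5007, "Computer": "ws02", "Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("tamper attempt blocked:", hit)
```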
False Positives

Administrators might try to disable Defender features during testing (must be investigated)

Rule Metadata
Rule ID
49e5bc24-8b86-49f1-b743-535f332c2856
Status
stable
Level
high
Type
Detection
Created
Mon Jul 05
Modified
Tue Dec 06
Path
rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
Raw Tags
attack.defense-evasion, attack.t1562.001