Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhighstable

Windows Defender Threat Detected

Detects actions taken by Windows Defender malware detection engines

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Ján TrenčanskýCreated Tue Jul 2857b649ef-ff42-4fb0-8bf6-62da243a1708windows
Log Source
Windowswindefend
ProductWindows← raw: windows
Servicewindefend← raw: windefend
Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID:
            - 1006 # The antimalware engine found malware or other potentially unwanted software.
            - 1015 # The antimalware platform detected suspicious behavior.
            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
    condition: selection
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
57b649ef-ff42-4fb0-8bf6-62da243a1708
Status
stable
Level
high
Type
Detection
Created
Tue Jul 28
Author
Ján Trenčanský
Path
rules/windows/builtin/windefend/win_defender_threat.yml
Raw Tags
attack.executionattack.t1059
View on GitHub