Detection rule (level: high, status: experimental)

Windows Defender Threat Severity Default Action Modified

Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.

Author: Matt Anderson (Huntress)
Created: Fri Jul 11
Rule ID: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
Product: windows
Log Source: Windows / Registry Event
Product: windows
Category: registry_event

Events for Windows Registry modifications including key creation, modification, and deletion.

Detection Logic
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
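To make the selection concrete, here is an added example (not part of the Sigma rule, the Huntress submission, or the Phoenix Studio tooling) that applies the three ANDed conditions to constructed Sysmon Event ID 13 (registry value set) records. The `RegistryEvent` class, the sample events, and the `HKLM\SOFTWARE\Policies\...` key path are assumptions made for the example; the path fragment, the `\1`/`\2`/`\4`/`\5` suffixes and the two `DWORD` values come straight from the rule. Comparisons are case-insensitive, matching Sigma's default for `|contains` and `|endswith`, and event 2 shows why that matters for mixed-case telemetry.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key fragment and value strings taken from the rule; lower-cased once so every
# comparison below is case-insensitive, as Sigma string modifiers are by default.
PATH_FRAGMENT = "\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\".lower()
SEVERITY_SUFFIXES = {"\\1": "Low", "\\2": "Moderate", "\\4": "High", "\\5": "Severe"}
ACTION_VALUES = {"dword (0x00000006)": "Allow", "dword (0x00000009)": "NoAction"}


@dataclass
class RegistryEvent:
    """Minimal Sysmon Event ID 13 (registry value set) record (assumed shape)."""
    image: str
    target_object: str
    details: str


def classify(event: RegistryEvent) -> Optional[Tuple[str, str]]:
    """Apply the rule's `selection` to one event.

    Returns (severity label, action label) on a hit, None otherwise. The three
    keys inside a Sigma selection are ANDed, so all three checks must pass.
    """
    target = event.target_object.lower()
    if PATH_FRAGMENT not in target:                      # TargetObject|contains
        return None
    severity = next(                                      # TargetObject|endswith
        (label for suffix, label in SEVERITY_SUFFIXES.items() if target.endswith(suffix)),
        None,
    )
    if severity is None:
        return None
    action = ACTION_VALUES.get(event.details.lower())    # Details (exact, case-insensitive)
    if action is None:
        return None
    return severity, action


def run_detection(events: List[RegistryEvent]) -> List[Tuple[str, str, str]]:
    """Return (image, severity, action) for every event the rule would fire on."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((ev.image, verdict[0], verdict[1]))
    return hits


# Constructed sample events (not real telemetry). The full key path is an
# assumption for the example; the rule itself only anchors on the fragment above.
POLICY_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction"
SAMPLE_EVENTS = [
    # 1. Severe threats set to Allow: should fire.
    RegistryEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                  POLICY_KEY + "\\5", "DWORD (0x00000006)"),
    # 2. Moderate threats set to NoAction, logged in mixed case: should still fire.
    RegistryEvent("C:\\Windows\\System32\\reg.exe",
                  POLICY_KEY.upper() + "\\2", "dword (0x00000009)"),
    # 3. High severity set to a value the rule does not list: no hit.
    RegistryEvent("C:\\Windows\\System32\\reg.exe",
                  POLICY_KEY + "\\4", "DWORD (0x00000002)"),
    # 4. A different Defender policy value entirely: no hit.
    RegistryEvent("C:\\Windows\\System32\\reg.exe",
                  "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
                  "DWORD (0x00000001)"),
    # 5. Right key, but a value name outside the four severities: no hit.
    RegistryEvent("C:\\Windows\\System32\\reg.exe",
                  POLICY_KEY + "\\Default", "DWORD (0x00000006)"),
]

if __name__ == "__main__":
    for image, severity, action in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {image} set {severity}-severity default action to {action}")
```

Events 3 to 5 illustrate the rule's deliberate scope: it fires only when one of the four severity values is set to Allow or NoAction, so other action values, other Defender keys, and other value names under the same key are ignored. When triaging a hit, the `Image` field is the first pivot for the false-positive check below (management agents versus an unexpected interactive process).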
False Positives

Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.

Software installations that legitimately modify Defender settings (less common for these specific keys).