Detectionhighstable

Windows Defender Virus Scanning Feature Disabled

Detects disabling of the Windows Defender virus scanning feature

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ján Trenčanský, François HubautCreated Tue Jul 28Updated Wed Nov 22686c0b4b-9dd3-4847-9077-d6c1bbe36fcbwindows

Log Source

Windowswindefend

ProductWindows← raw: windows

Servicewindefend← raw: windefend

Detection Logic

detection:
    selection:
        EventID: 5012 # Scanning for viruses is disabled.
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

craigclouditpro.wordpress.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

Similar

fe34868f-6e0e-4882-81f6-c43aa8f15b62

Rule not found

Rule Metadata

Rule ID

686c0b4b-9dd3-4847-9077-d6c1bbe36fcb

Status

stable

Level

high

Type

Detection

Created

Tue Jul 28

Modified

Wed Nov 22

Author

Ján Trenčanský, François Hubaut

Path

rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub