Windows Defender Threat Detection Service Disabled
Detects when the "Windows Defender Threat Protection" service is disabled.
Authors: Ján Trenčanský, François Hubaut
Log Source
Product: windows
Service: system
Detection Logic (1 selector)
detection:
  selection:
    EventID: 7036
    Provider_Name: 'Service Control Manager'
    # Note: The service name and messages are localized
    param1:
      - 'Windows Defender Antivirus Service'
      - 'Service antivirus Microsoft Defender' # French OS
    param2:
      - 'stopped'
      - 'arrêté' # French OS
  condition: selection
False Positives
Administrator actions
Automatic updates of Windows Defender cause service restarts, which also log a "stopped" event
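To show how the selection above behaves against actual Service Control Manager events, and how the auto-update restart false positive looks in the data, here is an added Python matcher that is not part of the Sigma rule or the SigmaHQ project. The events are constructed samples; the field names (EventID, Provider_Name, param1, param2) follow the rule, and the 30-second restart window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# The rule's selection transcribed as plain data: every key must match,
# and a list of values is an OR (Sigma semantics).
SELECTION = {
    "EventID": [7036],
    "Provider_Name": ["Service Control Manager"],
    "param1": ["Windows Defender Antivirus Service",
               "Service antivirus Microsoft Defender"],  # French OS
    "param2": ["stopped", "arrêté"],  # French OS
}

# Constructed sample events, not real telemetry. "t" is an assumed timestamp
# field; the rest mirrors what the System log carries for event 7036.
EVENTS = [
    {"t": "2024-07-02T10:00:00", "EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "stopped"},
    {"t": "2024-07-02T10:00:04", "EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Windows Defender Antivirus Service", "param2": "running"},
    {"t": "2024-07-02T11:30:00", "EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Service antivirus Microsoft Defender", "param2": "arrêté"},
    {"t": "2024-07-02T11:30:01", "EventID": 7036, "Provider_Name": "Service Control Manager",
     "param1": "Print Spooler", "param2": "stopped"},
]

def matches(event, selection=SELECTION):
    """Sigma semantics: all fields must match; a list of values is an OR.
    String comparison is case-insensitive, as Sigma does by default."""
    return all(
        any(str(event.get(field, "")).lower() == str(a).lower() for a in allowed)
        for field, allowed in selection.items()
    )

def find_hits(events, restart_window=timedelta(seconds=30)):
    """Apply the rule, then flag hits where the same service reported another
    state shortly afterwards (the auto-update restart false positive above).
    Returns [(event_index, likely_restart), ...]."""
    hits = []
    for i, ev in enumerate(events):
        if not matches(ev):
            continue
        t0 = datetime.fromisoformat(ev["t"])
        restart = any(
            later.get("EventID") == 7036 and later.get("param1") == ev["param1"]
            and not matches(later)
            and timedelta(0) <= datetime.fromisoformat(later["t"]) - t0 <= restart_window
            for later in events[i + 1:])
        hits.append((i, restart))
    return hits
```

Running `find_hits(EVENTS)` gives `[(0, True), (2, False)]`: the English stop at 10:00:00 is followed by a "running" event four seconds later and is tagged as a probable restart, while the French stop has no follow-up and stays a clean hit.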
MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Sub-technique: T1562.001 Impair Defenses: Disable or Modify Tools (attack.t1562.001)
Related Rules
Derived: fe34868f-6e0e-4882-81f6-c43aa8f15b62 (rule not found)
Rule Metadata
Rule ID
6c0a7755-6d31-44fa-80e1-133e57752680
Status
stable
Level
medium
Type
Detection
Created
Tue Jul 28
Modified
Tue Jul 02
Author
Ján Trenčanský, François Hubaut
Path
rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
Raw Tags
attack.defense-evasion
attack.t1562.001