Windows Defender Configuration Changes
Detects suspicious changes to the Windows Defender configuration
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
detection:
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains:
# TODO: Add more suspicious values
- '\Windows Defender\DisableAntiSpyware '
# - '\Windows Defender\Features\TamperProtection ' # Might produce FP
- '\Windows Defender\Scan\DisableRemovableDriveScanning '
- '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
- '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
- '\Real-Time Protection\SpyNetReporting '
# Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
# Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
condition: selectionAdministrator activity (must be investigated)
Tactics
Sub-techniques
Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Detects similar activity. Both rules may fire on overlapping events.
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Detects similar activity. Both rules may fire on overlapping events.
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Detects similar activity. Both rules may fire on overlapping events.