Detectionlowstable

Windows Defender Submit Sample Feature Disabled

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Dec 0691903aba-1088-42ee-b680-d6d94fe002b0windows

Log Source

Windowswindefend

ProductWindows← raw: windows

Servicewindefend← raw: windefend

Detection Logic

detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
    condition: selection

False Positives

Administrator activity (must be investigated)

References

Resolving title…

learn.microsoft.com

Resolving title…

bidouillesecurity.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

SimilarDetectionmedium

Windows Defender Exclusions Added

Detects the Setting of Windows Defender Exclusions

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Windows Defender Exploit Guard Tamper

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Windows Defender Configuration Changes

Detects suspicious changes to the Windows Defender configuration

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

91903aba-1088-42ee-b680-d6d94fe002b0

Status

stable

Level

low

Type

Detection

Created

Tue Dec 06

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub