Detectionhighstable

Windows Defender Real-time Protection Disabled

Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ján Trenčanský, François HubautCreated Tue Jul 28Updated Wed Nov 22b28e58e4-2a72-4fae-bdee-0fbe904db642windows

Log Source

Windowswindefend

ProductWindows← raw: windows

Servicewindefend← raw: windefend

Detection Logic

detection:
    selection:
        EventID: 5001 # Real-time protection is disabled.
    condition: selection

False Positives

Administrator actions (should be investigated)

Seen being triggered occasionally during Windows 8 Defender Updates

References

craigclouditpro.wordpress.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

Similar

fe34868f-6e0e-4882-81f6-c43aa8f15b62

Rule not found

Rule Metadata

Rule ID

b28e58e4-2a72-4fae-bdee-0fbe904db642

Status

stable

Level

high

Type

Detection

Created

Tue Jul 28

Modified

Wed Nov 22

Author

Ján Trenčanský, François Hubaut

Path

rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub