Detectionhighstable

Windows Defender Malware And PUA Scanning Disabled

Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ján Trenčanský, François HubautCreated Tue Jul 28Updated Wed Nov 22bc275be9-0bec-4d77-8c8f-281a2df6710fwindows

Log Source

Windowswindefend

ProductWindows← raw: windows

Servicewindefend← raw: windefend

Detection Logic

detection:
    selection:
        EventID: 5010 # Scanning for malware and other potentially unwanted software is disabled.
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

craigclouditpro.wordpress.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Related Rules

Similar

fe34868f-6e0e-4882-81f6-c43aa8f15b62

Rule not found

Rule Metadata

Rule ID

bc275be9-0bec-4d77-8c8f-281a2df6710f

Status

stable

Level

high

Type

Detection

Created

Tue Jul 28

Modified

Wed Nov 22

Author

Ján Trenčanský, François Hubaut

Path

rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub