
Disabled Windows Defender Eventlog

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Author: Florian Roth (Nextron Systems). Created Mon Jul 04, updated Thu Aug 17. Rule ID fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 (windows).
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (1 selector)
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
        Details: 'DWORD (0x00000000)'
    condition: selection
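The selection above is a `contains` on TargetObject plus an exact match on Details, both case-insensitive as Sigma string matching is by default. The following is an added example, not the rule's own code or anything from the Sigma project: it re-implements that selection over constructed Sysmon Event ID 13 (Registry Value Set) records, the event type the registry_set log source is normally backed by, and shows why a re-enable (DWORD 1) or a different channel does not fire.

```python
# Re-implementation of the rule's selection over constructed Sysmon EID 13
# records. Added example; hosts, images and values are made up, not page data.

TARGET_FRAGMENT = (
    r"\Microsoft\Windows\CurrentVersion\WINEVT\Channels"
    r"\Microsoft-Windows-Windows Defender/Operational\Enabled"
)
DETAILS_VALUE = "DWORD (0x00000000)"  # value 0 = channel switched off


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's single selection:
    TargetObject contains the channel's Enabled value AND Details is the
    zero DWORD. Sigma matching is case-insensitive, hence the lower()."""
    # registry_set log source is typically mapped to Sysmon Event ID 13
    if event.get("EventID") != 13:
        return False
    target = str(event.get("TargetObject", "")).lower()
    details = str(event.get("Details", "")).lower()
    return TARGET_FRAGMENT.lower() in target and details == DETAILS_VALUE.lower()


CHANNELS = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\"

# Constructed sample records (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {  # 0: Defender Operational channel disabled -> should alert
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": CHANNELS + "Microsoft-Windows-Windows Defender/Operational\\Enabled",
        "Details": "DWORD (0x00000000)",
    },
    {  # 1: same value set back to 1 -> no alert (Details differs)
        "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": CHANNELS + "Microsoft-Windows-Windows Defender/Operational\\Enabled",
        "Details": "DWORD (0x00000001)",
    },
    {  # 2: a different channel disabled -> no alert (TargetObject differs)
        "EventID": 13, "Image": "C:\\Windows\\System32\\wevtutil.exe",
        "TargetObject": CHANNELS + "Microsoft-Windows-PowerShell/Operational\\Enabled",
        "Details": "DWORD (0x00000000)",
    },
    {  # 3: not a registry set event at all -> no alert
        "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
    },
]


def find_alerts(events: list[dict]) -> list[int]:
    """Indices of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['Image']} disabled the Defender Operational log")
```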
False Positives

Other Antivirus software installations could cause Windows to disable that eventlog (unknown)

Rule Metadata
Rule ID
fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
Status
test
Level
high
Type
Detection
Created
Mon Jul 04
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
Raw Tags
attack.defense-evasion, attack.t1562.001