Windows Defender Threat Detection Service Disabled

Original Source: [Sigma source]
Title: Windows Defender Threat Detection Service Disabled
Status: stable
Description: Detects when the "Windows Defender Threat Protection" service is disabled.
References:
  - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Author: Ján Trenčanský, frack113
Date: 2020-07-28
Modified: 2024-07-02
Tags:
  - 'attack.defense-impairment'
  - 'attack.t1685'
Logsource:
  product: windows
  service: system
Detection:
  selection:
    EventID: '7036'
    Provider_Name: 'Service Control Manager'
    param1:
      - 'Windows Defender Antivirus Service'
      - 'Service antivirus Microsoft Defender'
    param2:
      - 'stopped'
      - 'arrêté'
  condition: selection
Falsepositives:
  - Administrator actions
  - Automatic updates of Windows Defender cause service restarts
Level: medium
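To show exactly which System-log records this selection fires on (and which it ignores, such as the "running" state written back after an update restart), here is an added Python example that is not part of the Sigma rule: it parses constructed event XML in the shape Windows writes for Service Control Manager event 7036, where the service display name lands in EventData `param1` and the new state in `param2`, then applies the rule's selection with Sigma's case-insensitive string matching. The XML records and the `sample_record` helper are constructed for the example.

```python
"""Apply the rule's `selection` to constructed Windows System-log records."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Values taken from the rule; Sigma string matching is case-insensitive,
# so everything is compared in lower case.
SERVICE_NAMES = {"windows defender antivirus service", "service antivirus microsoft defender"}
STATES = {"stopped", "arrêté"}  # English and French localizations of the state

@dataclass(frozen=True)
class SystemEvent:
    event_id: int
    provider_name: str
    param1: str  # service display name
    param2: str  # new service state, localized by Windows

def parse_event(xml_text: str) -> SystemEvent:
    """Pull EventID, Provider and the EventData param1/param2 fields from a record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return SystemEvent(int(system.find("e:EventID", NS).text),
                       system.find("e:Provider", NS).get("Name"),
                       data.get("param1", ""), data.get("param2", ""))

def matches_selection(ev: SystemEvent) -> bool:
    """True only when every field of `selection` matches (Sigma ANDs the keys)."""
    return (ev.event_id == 7036
            and ev.provider_name.lower() == "service control manager"
            and ev.param1.lower() in SERVICE_NAMES
            and ev.param2.lower() in STATES)

def sample_record(event_id: int, service: str, state: str) -> str:
    """Constructed, stripped-down 7036-style record (helper for this example only)."""
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Service Control Manager"/><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="param1">{service}</Data>'
            f'<Data Name="param2">{state}</Data></EventData></Event>')

SAMPLE_RECORDS = [  # constructed telemetry, not from a real host
    sample_record(7036, "Windows Defender Antivirus Service", "stopped"),   # English: alert
    sample_record(7036, "Service antivirus Microsoft Defender", "arrêté"),  # French: alert
    sample_record(7036, "Windows Defender Antivirus Service", "running"),   # restart: no alert
    sample_record(7036, "Print Spooler", "stopped"),                        # other service
    sample_record(7040, "Windows Defender Antivirus Service", "stopped"),   # wrong event id
]

def alerting_services(records):
    """Return (service, state) pairs from `records` that would fire this rule."""
    events = [parse_event(r) for r in records]
    return [(ev.param1, ev.param2) for ev in events if matches_selection(ev)]

if __name__ == "__main__":
    for service, state in alerting_services(SAMPLE_RECORDS):
        print(f"ALERT: {service} -> {state}")
```

Only the two "stopped"/"arrêté" records match; a stop immediately followed by a "running" record for the same service is the update-restart pattern listed under false positives, so an analyst would correlate the two before escalating.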