Microsoft Defender Tamper Protection Trigger

title: Microsoft Defender Tamper Protection Trigger
id: 49e5bc24-8b86-49f1-b743-535f332c2856
status: stable
description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
references:
    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
author: Bhabesh Raj, Nasreddine Bencherchali
date: 2021-07-05
modified: 2022-12-06
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
        Value|endswith:
            - '\Windows Defender\DisableAntiSpyware'
            - '\Windows Defender\DisableAntiVirus'
            - '\Windows Defender\Scan\DisableArchiveScanning'
            - '\Windows Defender\Scan\DisableScanningNetworkFiles'
            - '\Real-Time Protection\DisableRealtimeMonitoring'
            - '\Real-Time Protection\DisableBehaviorMonitoring'
            - '\Real-Time Protection\DisableIOAVProtection'
            - '\Real-Time Protection\DisableScriptScanning'
    condition: selection
falsepositives:
    - Administrator might try to disable defender features during testing (must be investigated)
level: high