Sigma | Level: high | Hunting
Windows Defender Threat Severity Default Action Modified
Detects creation or modification of Windows Defender's per-severity default threat action settings (ThreatSeverityDefaultAction) to 'Allow' or 'NoAction'. This is a highly suspicious configuration change: it disables Defender's ability to automatically remediate threats of that severity level, allowing malicious software to run unimpeded. An attacker might make this change to bypass defenses before executing payloads.
MITRE ATT&CK
Detection Query
selection:
    TargetObject|contains: \Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\
    TargetObject|endswith:
        - \1
        - \2
        - \4
        - \5
    Details:
        - DWORD (0x00000006)
        - DWORD (0x00000009)
condition: selection
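The selection logic above, run over constructed Sysmon registry events, as an added Python example that is not part of the rule or its page; the sample events, host names, process images and the policy key path are assumptions:

```python
# Added example (not part of the published rule): evaluates this rule's
# selection against constructed Sysmon Event ID 13 (registry value set) records.
# Sigma string modifiers compare case-insensitively, so both sides are lower-cased.
KEY_FRAGMENT = "\\microsoft\\windows defender\\threats\\threatseveritydefaultaction\\"
SEVERITY = {"\\1": "Low", "\\2": "Moderate", "\\4": "High", "\\5": "Severe"}
ACTION = {"dword (0x00000006)": "Allow", "dword (0x00000009)": "NoAction"}


def match_event(event):
    """Return (severity, action) when the event satisfies the selection, else None."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if KEY_FRAGMENT not in target:
        return None
    suffix = next((s for s in SEVERITY if target.endswith(s)), None)
    if suffix is None or details not in ACTION:
        return None
    return SEVERITY[suffix], ACTION[details]


def alerts(events):
    """Run the selection over a list of events and return one record per hit."""
    hits = []
    for ev in events:
        result = match_event(ev)
        if result is not None:
            severity, action = result
            hits.append({"host": ev.get("Computer"), "image": ev.get("Image"),
                         "severity": severity, "action": action})
    return hits


# Constructed sample events; host names, images and the policy key path are illustrative.
POLICY_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\"
SAMPLE_EVENTS = [
    # Severe threats set to Allow: fires.
    {"Computer": "ws01", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": POLICY_KEY + "5", "Details": "DWORD (0x00000006)"},
    # High threats set to NoAction by the policy engine: fires; correlate with GPO/Intune activity.
    {"Computer": "ws02", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": POLICY_KEY + "4", "Details": "DWORD (0x00000009)"},
    # Low threats set to a different action value (0x2, Quarantine): must not fire.
    {"Computer": "ws03", "Image": "powershell.exe",
     "TargetObject": POLICY_KEY + "1", "Details": "DWORD (0x00000002)"},
    # Unrelated Defender value whose Details happens to equal 0x6: must not fire.
    {"Computer": "ws04", "Image": "svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SomeOtherValue",
     "Details": "DWORD (0x00000006)"},
]
```

Only the first two sample events produce hits; the second shows why the rule's falsepositives entry asks for correlation with administrative tooling.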
Author
Matt Anderson (Huntress)
Created
2025-07-11
Data Sources
Windows registry events
Platforms
windows
References
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
Tags
- attack.defense-impairment
- attack.t1685
Raw Content
title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
      type: similar
status: experimental
description: |
    Detects creation or modification of Windows Defender's per-severity default threat action settings (ThreatSeverityDefaultAction) to 'Allow' or 'NoAction'.
    This is a highly suspicious configuration change: it disables Defender's ability to automatically remediate threats of that severity level,
    allowing malicious software to run unimpeded. An attacker might make this change to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
falsepositives:
    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
    - Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high