sigmahighHunting

Disabled Windows Defender Eventlog

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  TargetObject|contains: \Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows
    Defender/Operational\Enabled
  Details: DWORD (0x00000000)
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-07-04

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2

Tags

attack.defense-evasionattack.t1562.001

Raw Content

title: Disabled Windows Defender Eventlog
id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
status: test
description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
references:
    - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
author: Florian Roth (Nextron Systems)
date: 2022-07-04
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
level: high