EXPLORE DETECTIONS
Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Windows Defender Exclusion Registry Key - Write Access Requested
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Windows Defender Exclusions Added - PowerShell
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Windows Defender Exclusions Added - Registry
Detects the Setting of Windows Defender Exclusions
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Windows Defender Malware And PUA Scanning Disabled
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Windows Defender Malware Detection History Deletion
Windows Defender logs when the history of detected infections is deleted.
Windows Defender Real-time Protection Disabled
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features
Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines
Windows Defender Threat Detection Service Disabled
Detects when the "Windows Defender Threat Protection" service is disabled.
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
Windows Defender Virus Scanning Feature Disabled
Detects disabling of the Windows Defender virus scanning feature
Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
Windows Event Log Access Tampering Via Registry
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
Windows EventLog Autologger Session Registry Modification Via CommandLine
Detects attempts to disable Windows EventLog autologger sessions via registry modification. The AutoLogger event tracing session records events that occur early in the operating system boot process. Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
Windows Firewall Disabled via PowerShell
Detects attempts to disable the Windows Firewall using PowerShell