title: Windows Defender Threat Detection Disabled
author: Ján Trenčanský, frack113
date: 2020/07/28
description: Detects disabling Windows Defender threat protection
detection:
  SELECTION_1:
    EventID: 5001
  SELECTION_2:
    EventID: 5010
  SELECTION_3:
    EventID: 5012
  SELECTION_4:
    EventID: 5101
  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
falsepositives:
- Administrator actions
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
level: high
logsource:
  product: windows
  service: windefend
modified: 2021/09/21
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: stable
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
ruletype: SIGMA