title: Windows Defender Threat Detection Disabled
author: Ján Trenčanský, frack113
date: 2020/07/28
description: Detects disabling Windows Defender threat protection
detection:
  SELECTION_1:
    EventID: 7036
  SELECTION_2:
  - Windows Defender Antivirus Service
  SELECTION_3:
  - stopped
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Administrator actions
id: 6c0a7755-6d31-44fa-80e1-133e57752680
level: high
logsource:
  product: windows
  service: system
modified: 2021/11/09
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
related:
- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
  type: derived
status: stable
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001