Files
hayabusa/rules/sigma/other/win_defender_tamper_protection_trigger.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235)
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

30 lines
782 B
YAML

title: Microsoft Defender Tamper Protection Trigger
author: Bhabesh Raj
date: 2021/07/05
description: Detects block of attempt to disable real time protection of Microsoft
Defender by tamper protection
detection:
SELECTION_1:
EventID: 5013
SELECTION_2:
Value:
- '*\Windows Defender\DisableAntiSpyware = 0x1()'
- '*\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
condition: ((SELECTION_1) and SELECTION_2)
falsepositives:
- Administrator actions
id: 49e5bc24-8b86-49f1-b743-535f332c2856
level: critical
logsource:
product: windows
service: windefend
references:
- https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
status: stable
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
ruletype: SIGMA