Event ID 1116 — Product Name has detected malware or other potentially unwanted software.

Provider: Microsoft-Windows-Windows Defender
Channel: Operational
Level: Warning
Collection Priority: Recommended (Microsoft-Defender, others)

Description

Product Name has detected malware or other potentially unwanted software.

Message #

%1 has detected malware or other potentially unwanted software.
 For more information please see the following:
%13
 	Name: %8
 	ID: %7
 	Severity: %10
 	Category: %12
 	Path: %22
 	Detection Origin: %24
 	Detection Type: %28
 	Detection Source: %18
 	User: %20
 	Process Name: %19
 	Security intelligence Version: %41
 	Engine Version: %42

Fields #

Name	Description
`Product Name` UnicodeString	—
`Product Version` UnicodeString	—
`Detection ID` UnicodeString	—
`Detection Time` UnicodeString	—
`Unused` UnicodeString	—
`Unused2` UnicodeString	—
`Threat ID` UnicodeString	—
`Threat Name` UnicodeString	—
`Severity ID` UnicodeString	—
`Severity Name` UnicodeString	—
`Category ID` UnicodeString	—
`Category Name` UnicodeString	—
`FWLink` UnicodeString	—
`Status Code` UnicodeString	—
`Status Description` UnicodeString	—
`State` UnicodeString	—
`Source ID` UnicodeString	—
`Source Name` UnicodeString	—
`Process Name` UnicodeString	—
`Detection User` UnicodeString	—
`Unused3` UnicodeString	—
`Path` UnicodeString	—
`Origin ID` UnicodeString	—
`Origin Name` UnicodeString	—
`Execution ID` UnicodeString	—
`Execution Name` UnicodeString	—
`Type ID` UnicodeString	—
`Type Name` UnicodeString	—
`Pre Execution Status` UnicodeString	—
`Action ID` UnicodeString	—
`Action Name` UnicodeString	—
`Unused4` UnicodeString	—
`Error Code` UnicodeString	—
`Error Description` UnicodeString	—
`Unused5` UnicodeString	—
`Post Clean Status` UnicodeString	—
`Additional Actions ID` UnicodeString	—
`Additional Actions String` UnicodeString	—
`Remediation User` UnicodeString	—
`Unused6` UnicodeString	—
`Signature Version`	—
`Engine Version` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Windows Defender",
    "guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
    "event_source_name": "",
    "event_id": 1116,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2019-07-18T20:51:50.798995+00:00",
    "event_record_id": 102,
    "correlation": {
      "ActivityID": "40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"
    },
    "execution": {
      "process_id": 6024,
      "thread_id": 6068
    },
    "channel": "Microsoft-Windows-Windows Defender/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Product Name": "%%827",
    "Product Version": "4.18.1906.3",
    "Detection ID": "{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}",
    "Detection Time": "2019-07-18T20:40:16.697Z",
    "Unused": "",
    "Unused2": "",
    "Threat ID": "2147708292",
    "Threat Name": "HackTool:JS/Jsprat",
    "Severity ID": "4",
    "Severity Name": "High",
    "Category ID": "34",
    "Category Name": "Tool",
    "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:JS/Jsprat&threatid=2147708292&enterprise=0",
    "Status Code": "1",
    "Status Description": "",
    "State": "1",
    "Source ID": "3",
    "Source Name": "%%818",
    "Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Detection User": "MSEDGEWIN10\\IEUser",
    "Unused3": "",
    "Path": "containerfile:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp; file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0005); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0037); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0045); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0065); file:_C:\\AtomicRedTeam\\atomic-red-team-master\\atomics\\T1100\\shells\\b.jsp->(SCRIPT0068)",
    "Origin ID": "1",
    "Origin Name": "%%845",
    "Execution ID": "1",
    "Execution Name": "%%813",
    "Type ID": "8",
    "Type Name": "%%862",
    "Pre Execution Status": "0",
    "Action ID": "9",
    "Action Name": "%%887",
    "Unused4": "",
    "Error Code": "0x00000000",
    "Error Description": "The operation completed successfully. ",
    "Unused5": "",
    "Post Clean Status": "0",
    "Additional Actions ID": "0",
    "Additional Actions String": "No additional actions required",
    "Remediation User": "",
    "Unused6": "",
    "Signature Version": "AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0",
    "Engine Version": "AM: 1.1.16100.4, NIS: 0.0.0.0"
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Windows Defender AMSI Trigger Detected source high: Detects triggering of AMSI by Windows Defender.

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/

Event ID 1116 — Product Name has detected malware or other potentially unwanted software.

Description

Message #

Fields #

Example Event #

Detection Rules #

Sigma # view in reference

Related Events #

References #