Event ID 5007 — Product Name Configuration has changed.
Description
Product Name Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Message #
Fields #
| Name | Description |
|---|---|
Product Name UnicodeString | — |
Product Version UnicodeString | — |
Old Value UnicodeString | — |
New Value UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Windows Defender",
"guid": "11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78",
"event_source_name": "",
"event_id": 5007,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:45.697776+00:00",
"event_record_id": 113,
"correlation": {},
"execution": {
"process_id": 3944,
"thread_id": 4488
},
"channel": "Microsoft-Windows-Windows Defender/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Product Name": "Microsoft Defender Antivirus",
"Product Version": "4.18.23090.2008",
"Old Value": "Default\\IsServiceRunning = 0x0",
"New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\IsServiceRunning = 0x1"
},
"message": ""
}
Detection Rules #
View all rules referencing this event →
Sigma # view in reference
- Windows Defender Exclusions Added source medium: Detects the Setting of Windows Defender Exclusions
- Windows Defender Exploit Guard Tamper source high: Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
- Windows Defender Submit Sample Feature Disabled source low: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Show 1 more (4 total)
- Windows Defender Configuration Changes source high: Detects suspicious changes to the Windows Defender configuration
Splunk # view in reference
- Windows Defender ASR Registry Modification source: The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.
- Windows Defender ASR Rule Disabled source: The following analytic identifies when a Windows Defender ASR rule disabled events. ASR is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for ASR rule disabled events that are generated when an ASR rule is disabled.
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- RULER Project https://ruler-project.github.io/ruler-project/RULER/av/Microsoft%20Defender/