Detection rules › Sigma
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 12 | RegistryEvent (Object create and delete) |
| Sysmon | 13 | RegistryEvent (Value Set) |
| Sysmon | 14 | RegistryEvent (Key and Value Rename) |
Stages and Predicates
Stage 1: selection
Details: ['DWORD (0x00000006)', 'DWORD (0x00000009)']
or:
TargetObject|endswith: '\1'
TargetObject|endswith: '\2'
TargetObject|endswith: '\4'
TargetObject|endswith: '\5'
TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Details | eq |
|
TargetObject | ends_with |
|
TargetObject | match |
|