Disable Tamper Protection on Windows Defender

Severity: medium
Author: Austin Songer @austinsonger
Source: upstream

Detects disabling Windows Defender Tamper Protection

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.001` Impair Defenses: Disable or Modify Tools

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

Details: 'DWORD (0x00000000)'
TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'

Stage 2: `not 1 of filter_*`

or:
Image|endswith: '\MsMpEng.exe'
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`DWORD (0x00000000)` corpus 38 (sigma 38)
`Image`	ends_with	`\MsMpEng.exe` corpus 13 (sigma 13)
`Image`	eq	`C:\Program Files\Windows Defender\MsMpEng.exe` corpus 2 (sigma 2)
`Image`	starts_with	`C:\ProgramData\Microsoft\Windows Defender\Platform\` corpus 7 (sigma 7)
`TargetObject`	match	`\Microsoft\Windows Defender\Features\TamperProtection`