Detection rules › Sigma
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Windows-Defender | 5013 |
Stages and Predicates
Stage 1: selection
or:
Value|endswith: '\Real-Time Protection\DisableBehaviorMonitoring'
Value|endswith: '\Real-Time Protection\DisableIOAVProtection'
Value|endswith: '\Real-Time Protection\DisableRealtimeMonitoring'
Value|endswith: '\Real-Time Protection\DisableScriptScanning'
Value|endswith: '\Windows Defender\DisableAntiSpyware'
Value|endswith: '\Windows Defender\DisableAntiVirus'
Value|endswith: '\Windows Defender\Scan\DisableArchiveScanning'
Value|endswith: '\Windows Defender\Scan\DisableScanningNetworkFiles'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Value | ends_with |
|