Detection rules › Splunk
Windows Defender ASR Rule Disabled
The following analytic identifies Windows Defender ASR rule disabled events. ASR (Attack Surface Reduction) is a feature of Windows Defender Exploit Guard that prevents actions and apps that are typically used by exploit-seeking malware to infect machines. ASR rules are applied to processes and applications. When a process or application attempts to perform an action that is blocked by an ASR rule, an event is generated. This detection searches for the configuration-change events that are generated when an ASR rule is disabled.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Windows-Defender | 5007 | |
Stages and Predicates
Stage 1: search
search EventCode=5007
Stage 2: rex
rex field=New_Value ...
Stage 3: rex
rex field=Old_Value ...
Stage 4: rex
rex field=New_Value ...
Stage 5: eval
eval ...
Stage 6: eval
eval ...
Stage 7: search
search New_Registry_Value="Disabled"
Stage 8: stats
stats BY host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID
Stage 9: lookup
lookup <lookup> ASR_ID, ASR_Rule, ID
Stage 10: search
search
Stage 11: search
search
Stage 12: rename
rename
Stage 13: search
search `macro`
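The pipeline above, reduced to its non-elided stages (filter on EventCode 5007, extract the ASR rule ID and registry value from New_Value/Old_Value, keep only transitions to Disabled, aggregate, resolve the rule name), as an added Python example that is not part of the rule or of Splunk. The sample events, the lookup table and its GUIDs are constructed placeholders, and the eval logic (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn) is assumed, since the page elides the real rex and eval expressions.

```python
import re
from collections import Counter

# Constructed stand-in for the page's <lookup>: placeholder GUIDs, not real ASR rule IDs.
ASR_LOOKUP = {
    "AAAAAAAA-0000-0000-0000-000000000001": "Example rule 1 (placeholder)",
    "AAAAAAAA-0000-0000-0000-000000000002": "Example rule 2 (placeholder)",
}
# Assumed eval mapping of the ASR registry value to a state name.
ASR_STATE = {0: "Disabled", 1: "Block", 2: "Audit", 6: "Warn"}
# Stages 2-4: pull the rule GUID and the hex value out of the registry path text.
ASR_RE = re.compile(r"\\ASR\\Rules\\([0-9A-F-]{36})\s*=\s*(0x[0-9A-F]+)", re.I)

def parse_asr_value(text):
    """Return (ASR_ID, state) for an ASR rule registry entry, or None if it is not one."""
    m = ASR_RE.search(text or "")
    if not m:
        return None
    return m.group(1).upper(), ASR_STATE.get(int(m.group(2), 16), "Unknown")

def detect_asr_disabled(events):
    """Stages 1, 7, 8, 9: 5007 events whose new ASR value is Disabled, aggregated, with rule name."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != 5007:                 # stage 1: search EventCode=5007
            continue
        new = parse_asr_value(ev.get("New_Value"))
        if new is None or new[1] != "Disabled":         # stage 7: New_Registry_Value="Disabled"
            continue
        old = parse_asr_value(ev.get("Old_Value"))
        counts[(ev["host"], new[0], old[1] if old else "Unknown")] += 1   # stage 8: stats BY
    return [
        {"host": h, "ASR_ID": rid, "Old_Registry_Value": old, "New_Registry_Value": "Disabled",
         "ASR_Rule": ASR_LOOKUP.get(rid, "unknown rule"), "count": n}     # stage 9: lookup
        for (h, rid, old), n in sorted(counts.items())
    ]

# Constructed sample events in the field shape Splunk extracts from Defender 5007 (not real telemetry).
PATH = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\"
RTP = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring"
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 5007, "Old_Value": PATH + "AAAAAAAA-0000-0000-0000-000000000001 = 0x1",
     "New_Value": PATH + "AAAAAAAA-0000-0000-0000-000000000001 = 0x0"},   # Block -> Disabled: alert
    {"host": "ws01", "EventCode": 5007, "Old_Value": PATH + "AAAAAAAA-0000-0000-0000-000000000001 = 0x0",
     "New_Value": PATH + "AAAAAAAA-0000-0000-0000-000000000001 = 0x1"},   # re-enabled: no alert
    {"host": "ws02", "EventCode": 5007, "Old_Value": PATH + "AAAAAAAA-0000-0000-0000-000000000002 = 0x2",
     "New_Value": PATH + "AAAAAAAA-0000-0000-0000-000000000002 = 0x0"},   # Audit -> Disabled: alert
    {"host": "ws02", "EventCode": 5007, "Old_Value": RTP + " = 0x0", "New_Value": RTP + " = 0x1"},  # not ASR
    {"host": "ws03", "EventCode": 5001, "Old_Value": "", "New_Value": ""},                        # not 5007
]
```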
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | in | 5007 |
| New_Registry_Value | eq | "Disabled" |