Sigma rules for CVE-2016-2077
52 rules · scoped to cve · back to CVE-2016-2077
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Windows Defender Configuration Changes
id: 801bd44f-ceed-4eb6-887c-11544633c0aa
related:
- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
type: similar
- id: a3ab73f1-bd46-4319-8f06-4b20d0617886
type: similar
- id: 91903aba-1088-42ee-b680-d6d94fe002b0
type: similar
status: stable
description: Detects suspicious changes to the Windows Defender configuration
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
modified: 2023-11-24
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5007 # The antimalware platform configuration changed.
NewValue|contains:
# TODO: Add more suspicious values
- '\Windows Defender\DisableAntiSpyware '
# - '\Windows Defender\Features\TamperProtection ' # Might produce FP
- '\Windows Defender\Scan\DisableRemovableDriveScanning '
- '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
- '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
- '\Real-Time Protection\SpyNetReporting '
# Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
# Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
condition: selection
falsepositives:
- Administrator activity (must be investigated)
level: high
title: Windows Defender Grace Period Expired
id: 360a1340-398a-46b6-8d06-99b905dc69d2
related:
- id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
type: obsolete
status: stable
description: |
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
references:
- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
author: Ján Trenčanský, frack113
date: 2020-07-28
modified: 2023-11-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: windefend
detection:
selection:
EventID: 5101 # The antimalware platform is expired.
condition: selection
falsepositives:
- Unknown
level: high