
Summary
This detection rule identifies attempts to disable the Windows Defender operational event log, a defense-evasion step observed in malware such as LockBit 3.0. The rule targets a modification in the Windows registry that turns off the event-log channel used by Windows Defender, a key source for security monitoring and threat detection. The true-positive criterion is a registry value write to the key that controls Defender's event logging: when the 'Enabled' value under that key is set to 'DWORD (0x00000000)', the channel has been switched off. Disabling this log does not stop Defender itself, but it blinds monitoring to the critical events Defender would otherwise record, so the rule is useful for maintaining awareness of defense evasion and for threat hunting around malware infections. Triage should record which process wrote the value: a write by reg.exe, PowerShell or an unrecognized binary is far more suspicious than one performed by an administrator's tooling, and a matching write that sets the value back to 'DWORD (0x00000001)' is a re-enable, not a hit.
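The following is an added example of the rule's logic run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records; it is not the rule's own implementation. The registry path it matches on is an assumption about which key the rule targets (the Defender Operational channel's 'Enabled' value under WINEVT\Channels), since the page does not spell the path out, and the sample events are fabricated for the demonstration.

```python
"""Detection logic for 'Windows Defender event log disabled' over Sysmon
Event ID 13 (RegistryEvent: Value Set) records.

Added example, not the original rule's code.  The target registry path is
an ASSUMPTION about the key the rule refers to; the sample events below are
constructed, not captured from a real host.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed target: the Defender Operational channel's "Enabled" value.
# Sysmon prefixes TargetObject with the hive (HKLM\...), so match the suffix,
# case-insensitively, rather than the full path.
DEFENDER_LOG_ENABLED_SUFFIX = (
    "\\software\\microsoft\\windows\\currentversion\\winevt\\channels"
    "\\microsoft-windows-windows defender/operational\\enabled"
)
# Sysmon renders a DWORD value exactly like this in the Details field.
DISABLED_DETAILS = "DWORD (0x00000000)"


def _sysmon_event(image, target, details, utc="2022-07-04 10:00:00.000"):
    """Build a minimal Sysmon Event ID 13 XML record (constructed sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>
    <Data Name="Details">{details}</Data>
  </EventData>
</Event>"""


DEFENDER_CHANNEL = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels"
    "\\Microsoft-Windows-Windows Defender/Operational\\Enabled"
)

# Constructed samples: one true positive, one re-enable, one unrelated channel.
SAMPLE_EVENTS = [
    _sysmon_event("C:\\Windows\\System32\\reg.exe", DEFENDER_CHANNEL, "DWORD (0x00000000)"),
    _sysmon_event("C:\\Windows\\System32\\wevtutil.exe", DEFENDER_CHANNEL, "DWORD (0x00000001)"),
    _sysmon_event(
        "C:\\Windows\\System32\\svchost.exe",
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels"
        "\\Microsoft-Windows-Sysmon/Operational\\Enabled",
        "DWORD (0x00000000)",
    ),
]


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event into a dict keyed by EventData field name."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    data["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return data


def is_defender_log_disabled(event):
    """True when a value-set event writes Enabled=0 on the Defender log channel."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "").lower()
    return target.endswith(DEFENDER_LOG_ENABLED_SUFFIX) and event.get("Details") == DISABLED_DETAILS


def detect(xml_events):
    """Run the rule over raw XML records; return the fields an analyst needs for triage."""
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if is_defender_log_disabled(ev):
            hits.append({"time": ev["UtcTime"], "image": ev["Image"], "target": ev["TargetObject"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['time']} {hit['image']} disabled {hit['target']}")
```

Matching on the lower-cased path suffix keeps the rule robust to hive spelling and case differences between log sources, and the `Image` field in each hit is what distinguishes a reg.exe or unknown-binary write from an administrator's expected tooling during triage.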
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
Created: 2022-07-04