
Summary
Detects the abuse of SystemSettingsAdminFlows.exe to disable Windows Defender. SystemSettingsAdminFlows.exe is a legitimate Windows component used for administrative configuration, but adversaries can misuse it to impair Defender as part of ransomware or other malware campaigns.

The rule triggers on Windows process_creation events when SystemSettingsAdminFlows.exe is observed (Image ends with \SystemSettingsAdminFlows.exe and OriginalFileName matches SystemSettingsAdminFlows.EXE) and the command line includes Defender-related actions. Specifically, it requires Defender to be referenced in the command line together with one of two settings groups:
- (a) enabling Defender protections: the command line contains any of RTP, RealTimeProtection, or DisableEnhancedNotifications with a value of 1; or
- (b) disabling Defender protections: the command line contains any of SubmitSamplesConsent, SpyNetReporting, or DisableCDPUserAuthPolicy with a value of 0.

The overall condition requires that all SystemSettingsAdminFlows signals are present and that either all enable signals or all disable signals are present.

The rule is labeled high severity and notes legitimate administrative use as a potential false positive. It is intended to detect Defense Evasion activity (attack.defense-impairment) related to Defender configuration changes, using process_creation telemetry. The references discuss LOLBins and Defender manipulation in real-world campaigns; detections should be correlated with other endpoint telemetry to reduce false positives.
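As an added illustration (not the rule's own code), the matching logic described above re-implemented in Python and run over constructed process_creation events. It assumes both image signals must hold, treats matching as case-insensitive as Sigma does, and assumes the 1/0 value is the final command-line argument, since the summary does not say how the value is carried.

```python
IMAGE_SUFFIX = "\\systemsettingsadminflows.exe"
ORIGINAL_FILE_NAME = "systemsettingsadminflows.exe"
# Setting names from the rule summary; matching is case-insensitive, as in Sigma.
ENABLE_SETTINGS = ("rtp", "realtimeprotection", "disableenhancednotifications")
DISABLE_SETTINGS = ("submitsamplesconsent", "spynetreporting", "disablecdpuserauthpolicy")

def _image_matches(event):
    """Both SystemSettingsAdminFlows signals: Image suffix and OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) and original == ORIGINAL_FILE_NAME

def _group_matches(cli, settings, value):
    """A listed setting name appears and the value is the final argument
    (assumption: the summary does not say how the value is carried)."""
    tokens = cli.split()
    return bool(tokens) and tokens[-1] == value and any(s in cli for s in settings)

def classify(event):
    """Return 'enable', 'disable' or None for one process_creation event."""
    if not _image_matches(event):
        return None
    cli = event.get("CommandLine", "").lower()
    if "defender" not in cli:  # Defender must be referenced in the command line
        return None
    # 'rtp' is a very short substring: a likely false-positive source worth tuning.
    if _group_matches(cli, ENABLE_SETTINGS, "1"):
        return "enable"
    if _group_matches(cli, DISABLE_SETTINGS, "0"):
        return "disable"
    return None

def detect(events):
    """Return (ProcessId, path) pairs for every event the rule would fire on."""
    return [(e["ProcessId"], classify(e)) for e in events if classify(e)]

# Constructed sample events: paths, process ids and command lines are made up.
_GENUINE = {"Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
            "OriginalFileName": "SystemSettingsAdminFlows.EXE"}
SAMPLE_EVENTS = [
    {**_GENUINE, "ProcessId": 4242,
     "CommandLine": "SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0"},
    {**_GENUINE, "ProcessId": 4243,
     "CommandLine": "SystemSettingsAdminFlows.exe Defender RealTimeProtection 1"},
    {"ProcessId": 4244, "Image": r"C:\Users\Public\SystemSettingsAdminFlows.exe",
     "OriginalFileName": "notepad.exe",  # same name, wrong OriginalFileName: no hit
     "CommandLine": "SystemSettingsAdminFlows.exe Defender SpyNetReporting 0"},
    {**_GENUINE, "ProcessId": 4245,  # genuine binary, no Defender reference: no hit
     "CommandLine": "SystemSettingsAdminFlows.exe Network WiFiSense 0"},
]
```

Running `detect(SAMPLE_EVENTS)` yields only the two genuine-binary events that reference Defender, one on the disable path and one on the enable path; the renamed copy and the non-Defender invocation are dropped.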
Categories
- Windows
- Endpoint
Data Sources
- Process
- Image
Created: 2026-07-01