title: Windows Defender Threat Detection Disabled
id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
description: Detects disabling Windows Defender threat protection
date: 2020/07/28
author: Ján Trenčanský
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
status: stable
tags:
    - attack.defense_evasion
    - attack.t1089           # an old one
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID:
            - 5001
            - 5010
            - 5012
            - 5101
    selection2:
        TargetObject:
            - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
            - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
            - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
        Details: 'DWORD (0x00000001)'
    condition: 1 of them
falsepositives:
    - Administrator actions
level: high