← Library
sigmaDRL-1.1from SigmaHQ/sigma

Windows Defender Threat Severity Default Action Modified

Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1562.001
Rule sourcerules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml
title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
      type: similar
status: experimental
description: |
    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
references:
    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
        TargetObject|endswith:
            - '\1' # Low severity
            - '\2' # Moderate severity
            - '\4' # High severity
            - '\5' # Severe severity
        Details:
            - 'DWORD (0x00000006)' # Allow
            - 'DWORD (0x00000009)' # NoAction
    condition: selection
falsepositives:
    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
    - Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high