From b764153d4f1ba98bb2c8a9a51afbda53e7c2a153 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 23 Nov 2021 08:16:10 +0100
Subject: [PATCH] Update detection
---
 .../windows/other/win_system_defender_disabled.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/rules/windows/other/win_system_defender_disabled.yml b/rules/windows/other/win_system_defender_disabled.yml
index 1d4838ea0..6ce32b306 100644
--- a/rules/windows/other/win_system_defender_disabled.yml
+++ b/rules/windows/other/win_system_defender_disabled.yml
@@ -5,7 +5,7 @@ related:
 type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/11/09
+modified: 2021/11/22
 author: Ján Trenčanský, frack113
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -19,12 +19,14 @@ logsource:
 product: windows
 service: system
 detection:
- selection3:
+ Selection:
 EventID: 7036
- keywords:
- - 'Windows Defender Antivirus Service'
- - 'stopped'
- condition: selection3 and all of keywords
+ Provider_Name: 'Service Control Manager'
+ param1: - 'Windows Defender Antivirus Service' - 'Service antivirus Microsoft Defender' #French OS
+ param2: 'stopped'
+ condition: Selection
 falsepositives:
 - Administrator actions
 level: high
\ No newline at end of file
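Review bot: The French display name added to param1 cannot match while `param2: 'stopped'` stays English: both inserted strings of a Service Control Manager 7036 event are rendered by the localized OS, so on a French host the state value is presumably the French word for stopped, and param2 should become a list of `'stopped'` plus that value as confirmed from a French-locale event (or the rule should state that it only covers English hosts). The English display name also changed with the product rename — on current builds the service is displayed as 'Microsoft Defender Antivirus Service' — so that string belongs in param1 as well, otherwise the stop event on those hosts is missed; worth verifying against a recent build before adding. On style, the removed selection was lowercase and Sigma's convention is lowercase, so `Selection:` / `condition: Selection` would read better as `selection:` / `condition: selection`, and the trailing comment wants a space after the hash: `# French OS`. The file still ends without a trailing newline.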