Merge pull request #1628 from d4rk-d4nph3/master

Added and updated Defender's tamper related rules

rules/windows/other/win_defender_disabled.yml

@@ -3,7 +3,7 @@ title: Windows Defender Threat Detection Disabled
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/06/07
+modified: 2021/07/05
 author: Ján Trenčanský, frack113
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -44,3 +44,12 @@ detection:
         TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
         Details: 'DWORD (0x00000001)'
     condition: tamper_registry
+---
+logsource:
+    product: windows
+    category: system
+detection:
+    selection3:
+        EventID: 7036
+        Message: 'The Windows Defender Antivirus Service service entered the stopped state'
+    condition: selection3

rules/windows/other/win_defender_tamper_protection_trigger.yml

@@ -0,0 +1,26 @@
+title: Microsoft Defender Tamper Protection Trigger
+id: 49e5bc24-8b86-49f1-b743-535f332c2856
+description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
+date: 2021/07/05
+author: Bhabesh Raj
+references:
+    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
+status: stable
+tags:
+    - attack.defense_evasion
+    - attack.t1089           # an old one
+    - attack.t1562.001
+falsepositives:
+    - Administrator actions
+level: critical
+logsource:
+    product: windows
+    service: windefend
+detection:
+    selection:
+        EventID:
+            - 5013
+        Value|endswith:
+            - '\Windows Defender\DisableAntiSpyware = 0x1()'
+            - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+    condition: selection