From 3bc6532049436b1d4a43f0f07ef586a01479e216 Mon Sep 17 00:00:00 2001
From: Bhabesh Rai
Date: Mon, 5 Jul 2021 20:30:07 +0545
Subject: [PATCH] Added and updated Defender's tamper related rules

---
 rules/windows/other/win_defender_disabled.yml | 11 +++++++-
 ...win_defender_tamper_protection_trigger.yml | 26 +++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/other/win_defender_tamper_protection_trigger.yml

diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml
index 6b0a4d4e3..0dfd079c7 100644
--- a/rules/windows/other/win_defender_disabled.yml
+++ b/rules/windows/other/win_defender_disabled.yml
@@ -3,7 +3,7 @@ title: Windows Defender Threat Detection Disabled
 id: fe34868f-6e0e-4882-81f6-c43aa8f15b62
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/06/07
+modified: 2021/07/05
 author: Ján Trenčanský, frack113
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
@@ -44,3 +44,12 @@ detection:
           TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
           Details: 'DWORD (0x00000001)'
     condition: tamper_registry
+---
+logsource:
+    product: windows
+    category: system
+detection:
+    selection3:
+        EventID: 7036
+        Message: 'The Windows Defender Antivirus Service service entered the stopped state'
+    condition: selection3
\ No newline at end of file
diff --git a/rules/windows/other/win_defender_tamper_protection_trigger.yml b/rules/windows/other/win_defender_tamper_protection_trigger.yml
new file mode 100644
index 000000000..0eeb90cc1
--- /dev/null
+++ b/rules/windows/other/win_defender_tamper_protection_trigger.yml
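Review bot: The `---` added after `condition: tamper_registry` opens a second YAML document that carries only `logsource` and `detection`, but the first hunk shows this file is an ordinary single rule (its own `title`, `id`, `description`, and a registry-based logsource), and a Sigma multi-document rule is only valid when the first document declares `action: global` with the shared metadata; unless that line sits in the lines before `title:` that are outside this hunk, the second document will likely be rejected by the rule tests or silently dropped by converters. The cleaner shape is a separate rule file with its own `id` for the service-stop detection. Separately, `Message:` is an exact match on the full English text and on the pre-rename display name, so recent Windows 10 builds that report the service as "Microsoft Defender Antivirus Service" and any non-English system will never match; since event 7036 exposes the display name and state as `param1`/`param2`, a tolerant form is `param1|contains: 'Defender Antivirus'` with `param2: 'stopped'`. Both new files also end without a trailing newline (`\ No newline at end of file`), which most YAML linters in this repository flag.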
@@ -0,0 +1,26 @@
+title: Microsoft Defender Tamper Protection Trigger
+id: 49e5bc24-8b86-49f1-b743-535f332c2856
+description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
+date: 2021/07/05
+author: Bhabesh Raj
+references:
+    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
+status: stable
+tags:
+    - attack.defense_evasion
+    - attack.t1089 # an old one
+    - attack.t1562.001
+falsepositives:
+    - Administrator actions
+level: critical
+logsource:
+    product: windows
+    service: windefend
+detection:
+    selection:
+        EventID:
+            - 5013
+        Value|endswith:
+            - '\Windows Defender\DisableAntiSpyware = 0x1()'
+            - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+    condition: selection
\ No newline at end of file
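Review bot: The two `Value|endswith` strings pin the detection to the exact formatting of the 5013 event's value text, including the odd `0x1()` suffix on the first entry (which looks like a transcription artifact) and the literal `(Current)` on the second; a small change in how the event renders the attempted value would silence the rule entirely. Matching only on the setting name is more robust and still specific: `Value|contains: ['\Windows Defender\DisableAntiSpyware', '\Real-Time Protection\DisableRealtimeMonitoring']`. The `attack.t1089 # an old one` tag is the deprecated technique id that `attack.t1562.001` replaced, so it is redundant and may fail the repository's tag validation; dropping it is the simplest fix. A freshly added rule is conventionally `status: experimental` rather than `stable` until it has been exercised in the field, and `level: critical` sits uneasily next to a stated false positive of routine administrator actions, so either lowering the level to `high` or tightening the false-positive note would make the two fields consistent.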