From ff7fb4e4d226fa2062a305ac3a73d5bb8f8e7b89 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 4 Aug 2021 19:08:10 -0500
Subject: [PATCH] Create sysmon_disabled_tamper_protection_on_microsoft_defender.yml
---
 ...amper_protection_on_microsoft_defender.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
diff --git a/rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
new file mode 100644
index 000000000..5b8a2d006
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_disabled_tamper_protection_on_microsoft_defender.yml
@@ -0,0 +1,23 @@
+title: Disable Tamper Protection on Windows Defender
+id: 93d298a1-d28f-47f1-a468-d971e7796679
+description: Detects disabling Windows Defender Tamper Protection
+status: experimental
+date: 2021/08/04
+author: Austin Songer @austinsonger
+references:
+ - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection'
+ Details: 'DWORD (0)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
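Review bot: The `Details: 'DWORD (0)'` selector will not match real telemetry, because Sysmon renders DWORD registry values in the Details field as zero-padded hex, so a value of 0 arrives as `DWORD (0x00000000)`; the line should read `Details: 'DWORD (0x00000000)'` (or use `Details|startswith: 'DWORD (0x0000000'` if more than one disabled state is to be caught), otherwise the rule is silently dead. The `falsepositives: Unknown` entry is worth replacing with something actionable once the rule has been tested — Defender's own service is the expected writer of keys under `Windows Defender\Features`, so a legitimate policy refresh may fire this and a filter on the writing `Image` may be needed; confirm against a lab host before raising the level. The description would also help analysts if it named the key and the meaning of the value, e.g. `description: Detects a SetValue on the TamperProtection registry value under Windows Defender\Features, which turns Tamper Protection off`.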