Windows Defender Threat Severity Default Action Modified

Rule Info

Name
Windows Defender Threat Severity Default Action Modified
Author
Matt Anderson (Huntress)
Description
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
Reference
https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
Date
2025-07-11 00:00:00
Modified
None
Id
5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
Tags
attack.defense-impairment attack.t1685
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #5966 from @nasbench - Update mitre tags to use attack v19
2026-04-29
34c5d66c2
Matt Anderson
Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion
2025-07-28
af492dc0f
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022