This note documents detection patterns for Microsoft Defender tampering (exclusion additions, real-time protection disablement, signature removal) within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Tampering commands and helper binaries; the command line is only recorded if "Include command line in process creation events" is enabled. |
| Sysmon | 1 | Process creation | Critical | Best lineage source (parent, hashes, full command line) for tampering chains. |
| Microsoft-Windows-Windows Defender/Operational | 5007 | Defender configuration changed | Critical | Primary Defender tamper signal. Logged in the Defender Operational log, not Security. 5001 (real-time protection disabled) is the companion event. |
| Sysmon | 13 | Registry value set | Critical | Exclusions\* values and DisableAntiSpyware / DisableRealtimeMonitoring writes; the Sysmon config must include the Defender keys. |
| Microsoft-Windows-PowerShell/Operational | 4104 | Script block logging | Critical | Set-MpPreference and Add-MpPreference exclusion and Disable* parameters; requires Script Block Logging to be enabled. |
| Sysmon | 11 | File create | Medium | Payload dropped into the newly excluded path immediately after the protection change. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Exclusions added | Path / extension / process exclusions via Add-MpPreference, Set-MpPreference or Exclusions\* registry writes | Critical | Core tampering primitive; exclusions rarely change outside deployment or change windows. |
| Real-time protection disabled | DisableRealtimeMonitoring set, or 5001/5007 with no matching change ticket | Critical | High-confidence signal; Tamper Protection blocks this path when enabled, so success implies it was off or bypassed. |
| Defender service untouched but config altered | WinDefend still running while exclusions or real-time settings changed | Critical | Common operator method; avoids the noisy service-stop path. |
| Payload appears after exclusion | Sysmon 11 file create inside the excluded path within minutes of the change | Critical | High-confidence correlation. |
| PowerShell uses Set-MpPreference / Add-MpPreference | Exclusion* and Disable* parameters, -Force, obfuscated cmdlet names | Critical | Strong indicator when the parameters weaken protection; scan-schedule and similar tuning is routine admin use and should not alert alone. |
| Registry edits under Defender keys | reg.exe or direct writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and ...\Windows Defender\Exclusions | High | Valuable artifact; Defender also emits 5007 when it applies the change. |
Common Tools
| Tool | Usage |
|---|---|
| PowerShell | Set-MpPreference / Add-MpPreference with -ExclusionPath, -ExclusionProcess, -ExclusionExtension, -DisableRealtimeMonitoring and related Disable* parameters |
| reg.exe | reg add writes to DisableAntiSpyware, DisableRealtimeMonitoring or Exclusions\* values under the Defender keys |
| MpCmdRun.exe | Signature removal (-RemoveDefinitions -All) and scan control |
| custom loaders | Stage into an excluded path or run as an excluded process |
Relevant Artifacts
- Security Event ID 4688; Microsoft-Windows-Windows Defender/Operational Event IDs 5007, 5001
- Sysmon Event IDs 1, 13, 11
- Microsoft-Windows-PowerShell/Operational 4104
- Registry paths:
  HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\{Paths,Processes,Extensions}
  HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (DisableAntiSpyware, Real-Time Protection\DisableRealtimeMonitoring)
- Exclusion values (the value name is the excluded path, process or extension; the data is DWORD 0)
- Prefetch:
  POWERSHELL.EXE-*.pf
  REG.EXE-*.pf
  MPCMDRUN.EXE-*.pf
MITRE ATT&CK References
- T1562.001 Impair Defenses: Disable or Modify Tools (https://attack.mitre.org/techniques/T1562/001/)
Decision Tree
- Which tamper method?
  - PowerShell (Set-MpPreference / Add-MpPreference)
  - Registry (reg.exe or direct write under the Defender keys)
  - Defender CLI (MpCmdRun.exe)
- Which setting changed?
  - Exclusion (path, process, extension)
  - Real-time protection
  - Monitoring (behavior monitoring, script scanning)
- Payload follows?
  - Drop
  - Injection
  - Loader
- Cleanup observed?
  - Protection re-enabled later
  - Temporary exclusion removed
- Expand:
  - AMSI bypass
  - ETW tampering
  - Payload source
- Scope:
  - Single host
  - Repeated admin abuse
  - Campaign pattern
Example Detection Templates
KQL

```kql
// 5007 is written to Microsoft-Windows-Windows Defender/Operational, so in
// Sentinel it arrives through the Event table, not SecurityEvent.
Event
| where Source == "Microsoft-Windows-Windows Defender" and EventID == 5007
| project TimeGenerated, Computer, RenderedDescription
```

```kql
// Script Block Logging (4104) also arrives through the Event table; the script
// text is inside EventData. Add-MpPreference is the cmdlet that appends
// exclusions, so it must be covered alongside Set-MpPreference.
Event
| where Source == "Microsoft-Windows-PowerShell" and EventID == 4104
| where EventData has_any ("Set-MpPreference", "Add-MpPreference")
| project TimeGenerated, Computer, EventData
```

EQL

```eql
// ":" is the case-insensitive wildcard match; "like" is case-sensitive.
process where process.command_line : ("*Set-MpPreference*", "*Add-MpPreference*")
```

```eql
// Tamper tool first, then the Defender configuration change it caused.
sequence by host.name with maxspan=5m
  [ process where process.name : ("powershell.exe", "reg.exe", "MpCmdRun.exe") ]
  [ any where event.provider == "Microsoft-Windows-Windows Defender" and event.code == "5007" ]
```
Sigma

```yaml
title: Defender Tampering Detection
id: 7b1d4c13-defender-tamper
status: experimental
description: Detects Set-MpPreference / Add-MpPreference calls that add exclusions or disable protection features
references:
    - https://attack.mitre.org/techniques/T1562/001/
author: Vergil
date: 2026-03-07
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Set-MpPreference'
            - 'Add-MpPreference'
    selection_param:
        ScriptBlockText|contains:
            - 'ExclusionPath'
            - 'ExclusionProcess'
            - 'ExclusionExtension'
            - 'DisableRealtimeMonitoring'
            - 'DisableBehaviorMonitoring'
            - 'DisableIOAVProtection'
    condition: all of selection_*
fields:
    - ScriptBlockText
falsepositives:
    - Legitimate administration and deployment scripts that set exclusions
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
```
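The "payload appears after exclusion" correlation from the indirect-indicator table and the sequence idea behind the EQL template, carried through as runnable detection logic over sample events. This is an added example for this note, not code from the original page or from Microsoft; the event dicts (time, host, source, event_id, script, target_object, details, image, target_filename) are an assumed normalisation of PowerShell 4104, Sysmon 13 and Sysmon 11 records, and the sample events are constructed, not captured telemetry. It classifies a tamper from either the cmdlet parameters or the registry path written, then flags any Sysmon 11 file create on the same host that lands inside the newly excluded scope (or anywhere, if protection was disabled) within the maxspan.

```python
"""Correlate a Defender tamper event with a payload written shortly afterwards.

Added example for this note; not code from the original page or from Microsoft.
Event dicts are an assumed normalisation of PowerShell 4104, Sysmon 13 and
Sysmon 11 records; SAMPLE_EVENTS below are constructed, not captured telemetry.
"""
import re
from datetime import datetime, timedelta

# Set-/Add-MpPreference parameters that weaken protection (documented cmdlet parameters).
EXCLUSION_PARAMS = {"exclusionpath", "exclusionprocess", "exclusionextension"}
DISABLE_PARAMS = {"disablerealtimemonitoring", "disablebehaviormonitoring",
                  "disableioavprotection", "disablescriptscanning"}

MPPREF_RE = re.compile(r"\b(?:Set|Add)-MpPreference\b(.*)", re.I | re.S)
# "-Name value", "-Name 'quoted value'" or "-Name:$true"; a value never starts with "-".
PARAM_RE = re.compile(r"""-(\w+)(?:(?::|\s+)(?:'([^']*)'|"([^"]*)"|(\$?[^\s'"-]\S*)))?""")
# Sysmon 13 TargetObject forms written by registry-based tampering.
EXCL_KEY_RE = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+)$", re.I)
DISABLE_VAL_RE = re.compile(r"\\Windows Defender\\(?:Real-Time Protection\\)?(Disable\w+)$", re.I)


def classify_tamper(ev):
    """Return ("exclusion", target) or ("disable", setting) if ev weakens Defender, else None."""
    if ev["source"] == "powershell" and ev["event_id"] == 4104:
        m = MPPREF_RE.search(ev["script"])
        if not m:
            return None
        for pm in PARAM_RE.finditer(m.group(1)):
            name = pm.group(1)
            value = next((g for g in pm.groups()[1:] if g is not None), "")
            if name.lower() in EXCLUSION_PARAMS:
                return ("exclusion", value.strip().rstrip("\\"))
            if name.lower() in DISABLE_PARAMS and value.lower() in ("$true", "1"):
                return ("disable", name)
        return None  # Set-MpPreference used for something harmless (scan schedule etc.)
    if ev["source"] == "sysmon" and ev["event_id"] == 13:
        m = EXCL_KEY_RE.search(ev["target_object"])
        if m:
            return ("exclusion", m.group(2).rstrip("\\"))
        m = DISABLE_VAL_RE.search(ev["target_object"])
        if m and ev.get("details", "").startswith("DWORD (0x00000001)"):
            return ("disable", m.group(1))
    return None


def payload_matches(kind, target, ev):
    """Does a Sysmon 11 file create land inside what the tamper just opened up?"""
    if kind == "disable":
        return True  # protection is off, so any new file on the host is worth a look
    path, t = ev["target_filename"].lower(), target.lower()
    if t.startswith("."):                          # extension exclusion
        return path.endswith(t)
    if t.endswith(".exe") and "\\" not in t:       # process exclusion: the writing image
        return ev.get("image", "").lower().endswith("\\" + t)
    return path == t or path.startswith(t + "\\")  # path exclusion


def correlate(events, maxspan=timedelta(minutes=5)):
    """One hit per (tamper, payload) pair on the same host with the payload inside maxspan."""
    hits, tampers = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        tamper = classify_tamper(ev)
        if tamper:
            tampers.append((ev, *tamper))
            continue
        if not (ev["source"] == "sysmon" and ev["event_id"] == 11):
            continue  # 5007, Sysmon 1 and other records are passed through untouched here
        for tev, kind, target in tampers:
            age = ev["time"] - tev["time"]
            if (tev["host"] == ev["host"] and timedelta(0) <= age <= maxspan
                    and payload_matches(kind, target, ev)):
                hits.append({"host": ev["host"], "tamper": f"{kind}:{target}",
                             "tamper_time": tev["time"], "payload": ev["target_filename"],
                             "writer": ev.get("image", "")})
    return hits


def _t(s):
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [  # constructed for this example
    {"time": _t("2026-03-07T10:00:05"), "host": "WS01", "source": "powershell", "event_id": 4104,
     "script": r"Add-MpPreference -ExclusionPath 'C:\Users\Public\stage'"},
    {"time": _t("2026-03-07T10:00:06"), "host": "WS01", "source": "defender", "event_id": 5007},
    {"time": _t("2026-03-07T10:00:40"), "host": "WS01", "source": "sysmon", "event_id": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\Public\stage\upd.exe"},
    {"time": _t("2026-03-07T10:01:00"), "host": "WS01", "source": "sysmon", "event_id": 11,
     "image": r"C:\Windows\explorer.exe", "target_filename": r"C:\Users\Public\Desktop\notes.txt"},
    {"time": _t("2026-03-07T10:20:00"), "host": "WS01", "source": "sysmon", "event_id": 11,
     "image": r"C:\Windows\explorer.exe", "target_filename": r"C:\Users\Public\stage\late.exe"},
    {"time": _t("2026-03-07T11:00:00"), "host": "WS02", "source": "sysmon", "event_id": 13,
     "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"time": _t("2026-03-07T11:00:30"), "host": "WS02", "source": "sysmon", "event_id": 11,
     "image": r"C:\Windows\System32\cmd.exe", "target_filename": r"C:\ProgramData\svc.dll"},
    {"time": _t("2026-03-07T12:00:00"), "host": "WS03", "source": "powershell", "event_id": 4104,
     "script": "Set-MpPreference -ScanScheduleDay 0"},  # routine admin use, not a tamper
    {"time": _t("2026-03-07T12:00:10"), "host": "WS03", "source": "sysmon", "event_id": 11,
     "image": r"C:\Windows\System32\msiexec.exe", "target_filename": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
```

Run as written it reports two hits: the WS01 drop into the freshly excluded path, and the WS02 file create after real-time protection was switched off through the registry. The late WS01 write falls outside the 5-minute window and the WS03 scan-schedule change is never classified as a tamper, which is the point of keying on the specific parameters rather than on the cmdlet name alone.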
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on 5007 (and 5001) | Primary tamper signal from the Defender Operational log | Critical | Core visibility; correlate with the 4104 or Sysmon 13 event that caused it |
| Enable and retain 4104 | Script Block Logging captures the exact Set-/Add-MpPreference parameters | Critical | High-value; without it only 4688 / Sysmon 1 command lines remain |
| Alert on exclusion additions | Add-MpPreference Exclusion* parameters and Exclusions\* registry writes | Critical | Low false-positive rate outside deployment and change windows |
| Correlate payload after tamper | Sysmon 11 in the excluded path within minutes of the change | Critical | Powerful triage |
| Enable Tamper Protection | Blocks disabling real-time protection via Set-MpPreference, registry edits or service stop | High | Reduces, but does not remove, the need to monitor exclusion changes |
| Restrict Defender config rights | Limit local admin and Set-MpPreference use to managed deployment tooling | High | Prevents tampering at the source |