← Back to SOC feed Coverage →

Windows Defender Service Disabled - Registry

sigma HIGH SigmaHQ
T1685
imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-26T11:00:01Z · Confidence: medium

Hunt Hypothesis

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

Detection Rule

Sigma (Original)

title: Windows Defender Service Disabled - Registry
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
status: test
description: Detects when an attacker or tool disables the  Windows Defender service (WinDefend) via the registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022-08-01
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Services\WinDefend\Start'
        Details: 'DWORD (0x00000004)'
    condition: selection
falsepositives:
    - Administrator actions
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Services\\WinDefend\\Start" and RegistryValueData =~ "DWORD (0x00000004)"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Services\\WinDefend\\Start" and RegistryValueData =~ "DWORD (0x00000004)"

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml