Skip to content

Hide Navigation Hide TOC

Windows Defender Threat Severity Default Action Modified (5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f)

Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Defender Threat Severity Default Action Modified (5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f) Sigma-Rules Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 1
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2