Windows Defender Threat Severity Default Action Modified (5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f)
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Windows Defender Threat Severity Default Action Modified (5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f) | Sigma-Rules | 1 |