Windows Defender status disabled or changed
Windows Defender writes its status to the Windows event log in two places: the Security Center service records status changes in the Application log, and Defender itself records them in the Microsoft-Windows-Windows Defender/Operational log. Search for the event codes that show real-time monitoring being turned off or reconfigured, which is what REvil ransomware typically does before it encrypts. You can search either the Application log or the Defender operational log, depending on which one you forward to your Splunk deployment.
Required data
Procedure
Option 1 - Using Application Logs
Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="WinEventLog:Application" EventCode=15 Message="Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED." | table _time host Message
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `source="WinEventLog:Application"` | Search only Windows Application logs. |
| `EventCode=15 Message="Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."` | Search for Event Code 15 with this exact message, which is the Security Center record of Defender real-time monitoring being set to snoozed. |
| `\| table _time host Message` | Display the results in a table with columns in the order shown. |
Result
These events on their own do not mean the host is infected; real-time monitoring is also snoozed legitimately, for example by an administrator or an installer. They do show that Defender real-time monitoring was turned off, so corroborate the result with the other searches in this use case before acting on it.
If your results indicate an infection, investigate the affected host further and remediate it according to your response plan. Because ransomware tampers with the host's security controls, the final step after investigation is to re-image the system from a known good build.
Option 2 - Using Operational Logs
Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" EventCode IN (5001, 5004, 5007) | table _time host Message
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"` | Search only Windows Defender operational logs. |
| `EventCode IN (5001, 5004, 5007)` | Search for Event Codes 5001 (real-time protection is disabled), 5004 (real-time protection configuration changed) and 5007 (Defender configuration changed, for example a new exclusion or a registry setting such as DisableRealtimeMonitoring). |
| `\| table _time host Message` | Display the results in a table with columns in the order shown. |
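To see how the two searches behave on concrete records, the following Python script replays both of them, plus the per-host corroboration the Result and Next steps sections ask for, over a handful of constructed event records. It is an added example, not code from the original page or from Splunk. The host names, timestamps and message texts are constructed for the example (the messages are shortened approximations, not captured log lines), and the use of Event ID 5000 (real-time protection re-enabled) as the counterpart to 5001 goes beyond the page's own search.

```python
"""Replay the page's two Splunk searches over constructed Windows event records.

Added example, not code from the original page. Each record mimics the fields the
Splunk Add-on for Microsoft Windows extracts (source, EventCode, Message, host,
_time). Every sample event below is constructed for this example, and the message
texts are shortened approximations of the real events, not captured log lines.
"""
from collections import defaultdict
from dataclasses import dataclass

APP_SOURCE = "WinEventLog:Application"
DEFENDER_OP_SOURCE = "WinEventLog:Microsoft-Windows-Windows Defender/Operational"
SNOOZED_MSG = ("Updated Windows Defender status successfully to "
               "SECURITY_PRODUCT_STATE_SNOOZED.")

# Defender operational event IDs matched by Option 2, with their documented meaning.
OPERATIONAL_CODES = {
    5001: "Real-time protection is disabled",
    5004: "Real-time protection configuration changed",
    5007: "Configuration changed",
}
# Event ID 5000 (real-time protection enabled) is not in the page's search; it is
# used here only to tell "disabled and left off" from "disabled and re-enabled".
RTP_ENABLED = 5000


@dataclass(frozen=True)
class Event:
    time: str        # ISO-8601 timestamp standing in for Splunk's _time
    host: str
    source: str
    event_code: int
    message: str


# Constructed sample data (hypothetical host names): WS-FIN-07 is snoozed, then has
# real-time protection disabled and left off; WS-IT-02 only has a configuration
# change followed by real-time protection coming back on.
SAMPLE_EVENTS = [
    Event("2021-07-02T14:01:05", "WS-FIN-07", APP_SOURCE, 15, SNOOZED_MSG),
    Event("2021-07-02T14:01:09", "WS-FIN-07", DEFENDER_OP_SOURCE, 5001,
          "Real-time Protection scanning for malware was disabled."),
    Event("2021-07-02T14:01:10", "WS-FIN-07", DEFENDER_OP_SOURCE, 5007,
          "Configuration changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
          "\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"),
    Event("2021-07-02T09:30:00", "WS-IT-02", DEFENDER_OP_SOURCE, 5004,
          "Real-time Protection feature configuration changed."),
    Event("2021-07-02T09:30:02", "WS-IT-02", DEFENDER_OP_SOURCE, RTP_ENABLED,
          "Real-time Protection scanning for malware was enabled."),
    Event("2021-07-02T10:15:00", "WS-IT-02", APP_SOURCE, 15,
          "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON."),
]


def table(events):
    """Equivalent of `| table _time host Message`, oldest event first."""
    return sorted((e.time, e.host, e.message) for e in events)


def is_snoozed_event(e):
    """Option 1 predicate: Application log, EventCode 15, the exact SNOOZED message."""
    return e.source == APP_SOURCE and e.event_code == 15 and e.message == SNOOZED_MSG


def search_application(events):
    """Option 1: source="WinEventLog:Application" EventCode=15 Message=<SNOOZED>."""
    return table(e for e in events if is_snoozed_event(e))


def search_operational(events):
    """Option 2: Defender operational log, EventCode IN (5001, 5004, 5007)."""
    return table(e for e in events
                 if e.source == DEFENDER_OP_SOURCE and e.event_code in OPERATIONAL_CODES)


def hosts_to_investigate(events):
    """Corroboration the page asks for: per host, which search fired, and whether
    real-time protection was disabled (5001) without a later 5000 re-enabling it."""
    state = defaultdict(lambda: {"snoozed": False, "op_codes": set(), "rtp_still_off": False})
    for e in sorted(events, key=lambda ev: ev.time):   # replay in time order per host
        h = state[e.host]
        if is_snoozed_event(e):
            h["snoozed"] = True
        elif e.source == DEFENDER_OP_SOURCE:
            if e.event_code in OPERATIONAL_CODES:
                h["op_codes"].add(e.event_code)
            if e.event_code == 5001:
                h["rtp_still_off"] = True
            elif e.event_code == RTP_ENABLED:
                h["rtp_still_off"] = False
    # Only hosts that matched at least one of the two searches are worth a look.
    return {host: s for host, s in state.items() if s["snoozed"] or s["op_codes"]}


if __name__ == "__main__":
    for row in search_operational(SAMPLE_EVENTS):
        print(*row, sep=" | ")
    for host, s in hosts_to_investigate(SAMPLE_EVENTS).items():
        print(host, "snoozed" if s["snoozed"] else "", sorted(s["op_codes"]),
              "REAL-TIME PROTECTION STILL OFF" if s["rtp_still_off"] else "")
```

Run it directly to print the Option 2 table and the per-host summary. The point of `hosts_to_investigate` is the one the page makes in prose: a 5004 or 5007 on its own is common during legitimate administration, whereas a 5001 with no later 5000 on the same host means real-time protection was switched off and left off, which is the host that deserves the first look.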
Next steps
The same caveats as for Option 1 apply here: these events show that Defender real-time protection was disabled or reconfigured, not that the host is infected, so corroborate them with the other searches in this use case. Investigate and remediate any host where an infection is confirmed according to your response plan, finishing with a re-image from a known good build.
Finally, you might be interested in other processes associated with the Detecting REvil ransomware infections use case.