Splunk Lantern

Windows Defender status disabled or changed

Windows Defender status changes are logged to the Application log in Windows Event Viewer. You want to search for event codes that indicate when Defender real-time monitoring has been turned off or changed in the way REvil ransomware typically does. You can search either Application or Operational logs, depending on which you send to your Splunk deployment.

Procedure

Option 1 - Using Application Logs

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source="WinEventLog:Application" EventCode=15 Message="Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."
| table _time host Message

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search: source="WinEventLog:Application"
Explanation:   Search only Windows Application logs.

Splunk search: EventCode=15 Message="Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_SNOOZED."
Explanation:   Search for Event Code 15 with the message shown, which indicates that the Defender real-time monitoring status has been set to snoozed.

Splunk search: | table _time host Message
Explanation:   Display the results in a table with columns in the order shown.

Result

Seeing these events does not by itself mean you have been infected, but it does indicate that Defender real-time protection was turned off. Run other searches to corroborate the results of this one.

If any of your results indicate that an infection has been detected, the host where it was detected needs to be investigated further and remediated according to your response plan. After the investigation, the final step is to re-image the system with a known good system build.

Option 2 - Using Operational Logs

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" EventCode IN (5001, 5004, 5007)
| table _time host Message

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search: source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
Explanation:   Search only Windows Defender Operational logs.

Splunk search: EventCode IN (5001, 5004, 5007)
Explanation:   Search for the following Event Codes:
  • 5001 (Windows Defender has been enabled)
  • 5004 (Windows Defender has been disabled)
  • 5007 (Windows Defender configurations have changed)

Splunk search: | table _time host Message
Explanation:   Display the results in a table with columns in the order shown.
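The following is an added example, not code from Splunk Lantern or from Splunk itself. It re-implements the matching rules of both Option 1 and Option 2 in Python over a handful of constructed Windows event records, so you can see exactly which records each search keeps and which it rejects (wrong source, wrong event code, or a different status value) without a Splunk deployment. The field names (_time, host, source, EventCode, Message) follow the Splunk Windows event fields used on this page; the hostnames, timestamps and the short Message strings are constructed sample data, not real log exports. It also goes one step beyond the page by merging both searches into a single per-host timeline, which is the corroboration step the Result section asks for.

```python
"""Offline re-implementation of the two Defender-status searches on this page.

Added example, not Splunk's or Microsoft's code. Every record in SAMPLE_EVENTS
is constructed sample data; the short Message strings stand in for the longer
real event text.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

APP_SOURCE = "WinEventLog:Application"
OPERATIONAL_SOURCE = "WinEventLog:Microsoft-Windows-Windows Defender/Operational"

# Option 1: Application log, Event Code 15, status set to snoozed.
SNOOZED_MESSAGE = ("Updated Windows Defender status successfully to "
                   "SECURITY_PRODUCT_STATE_SNOOZED.")

# Option 2: Defender Operational log, the event codes from the explanation table.
OPERATIONAL_CODES = {
    5001: "Windows Defender has been enabled",
    5004: "Windows Defender has been disabled",
    5007: "Windows Defender configurations have changed",
}

Row = Tuple[str, str, str]  # (_time, host, Message)


@dataclass(frozen=True)
class WinEvent:
    time: str        # _time, ISO 8601 so string order is chronological order
    host: str
    source: str
    event_code: int  # EventCode
    message: str     # Message


# Constructed sample records: two hosts with status changes plus noise that the
# filters must reject (wrong source, wrong code, or a different status value).
SAMPLE_EVENTS = [
    WinEvent("2021-07-02T14:03:09", "ws-finance-07", OPERATIONAL_SOURCE, 5004,
             OPERATIONAL_CODES[5004]),
    WinEvent("2021-07-02T14:03:11", "ws-finance-07", APP_SOURCE, 15, SNOOZED_MESSAGE),
    WinEvent("2021-07-02T14:10:00", "ws-finance-07", APP_SOURCE, 15,
             "Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON."),
    WinEvent("2021-07-02T15:20:44", "srv-files-02", OPERATIONAL_SOURCE, 5007,
             OPERATIONAL_CODES[5007]),
    WinEvent("2021-07-02T15:21:00", "srv-files-02", OPERATIONAL_SOURCE, 1001,
             "Scan finished (constructed noise event)."),
    # Same message and code but from the wrong log: the source filter drops it.
    WinEvent("2021-07-02T16:00:00", "ws-hr-03", "WinEventLog:System", 15, SNOOZED_MESSAGE),
]


def _same(a: str, b: str) -> bool:
    """SPL field=value comparison on string values is case-insensitive; mirror that."""
    return a.casefold() == b.casefold()


def search_application_snoozed(events: Iterable[WinEvent]) -> List[Row]:
    """Option 1:
    source="WinEventLog:Application" EventCode=15 Message="...SNOOZED."
    | table _time host Message
    """
    return [(e.time, e.host, e.message) for e in events
            if _same(e.source, APP_SOURCE) and e.event_code == 15
            and _same(e.message, SNOOZED_MESSAGE)]


def search_operational_status(events: Iterable[WinEvent]) -> List[Row]:
    """Option 2:
    source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"
    EventCode IN (5001, 5004, 5007)
    | table _time host Message
    """
    return [(e.time, e.host, e.message) for e in events
            if _same(e.source, OPERATIONAL_SOURCE) and e.event_code in OPERATIONAL_CODES]


def defender_status_timeline(events: Iterable[WinEvent]) -> List[Tuple[str, str, str, str]]:
    """Merge both options into one chronological view, tagging each row with the
    option that produced it. An Operational 5004/5007 followed seconds later by an
    Application snooze on the same host is the corroboration the page asks for."""
    events = list(events)
    rows = [(t, h, "option1-application", m) for t, h, m in search_application_snoozed(events)]
    rows += [(t, h, "option2-operational", m) for t, h, m in search_operational_status(events)]
    return sorted(rows)


def hosts_to_triage(events: Iterable[WinEvent]) -> List[str]:
    """Distinct hosts with at least one hit from either option, for the response plan."""
    return sorted({row[1] for row in defender_status_timeline(events)})


if __name__ == "__main__":
    for row in defender_status_timeline(SAMPLE_EVENTS):
        print("\t".join(row))
    print("hosts to triage:", ", ".join(hosts_to_triage(SAMPLE_EVENTS)))
```

On the sample data, Option 1 keeps only the ws-finance-07 snooze record (the SECURITY_PRODUCT_STATE_ON record and the System-log record are rejected), Option 2 keeps the 5004 and 5007 records, and the merged timeline shows ws-finance-07 being disabled and snoozed two seconds apart, which is the pattern worth escalating.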

Next steps

Seeing these events does not by itself mean you have been infected, but it does indicate that Defender real-time protection was turned off. Run other searches to corroborate the results of this one.

If any of your results indicate that an infection has been detected, the host where it was detected needs to be investigated further and remediated according to your response plan. After the investigation, the final step is to re-image the system with a known good system build.

Finally, you might be interested in other processes associated with the Detecting REvil ransomware infections use case.