Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation.

ATT&CK Detection

Technique Tactic Level of Coverage
Indicator Blocking Defense Evasion Moderate

Pseudocode

Windows Event code 7036 from the System log identifies if a service has stopped or started. This analytic looks for “Windows Defender” or “Windows Firewall” that has stopped.

log_name == "System" AND
event_code == "7036"
param1 in ["Windows Defender", "Windows Firewall"] AND
param2 == "stopped"

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Requirements: Administrator account, Powershell
  • Description: from an administrative user powershell console, run the Stop-Service command
  • Commands:
    Stop-Service -displayname "Windows Firewall"
    Stop-Service -displayname "Windows Defender"
    

Additional Notes:

Stopping services events are Windows Event Code 7036.

Data Model References

Object Action Field
service stop name