Spyware and malware remain a serious problem, and Microsoft developed two security services, Windows Defender and Windows Firewall, to combat this threat. If Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent infection (or further infection) and investigate whether the outage was caused by a crash or by user manipulation.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Indicator Blocking | Defense Evasion | Moderate |
Windows Event ID 7036 in the System log records that a service has entered the stopped or running state. This analytic looks for 7036 events in which the service named in param1 is "Windows Defender" or "Windows Firewall" and the new state in param2 is "stopped".
log_name == "System" AND event_code == "7036" AND param1 in ["Windows Defender", "Windows Firewall"] AND param2 == "stopped"
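The pseudocode above can be applied directly to Event XML exported from the System log (for example with wevtutil or Get-WinEvent's ToXml()). The following is an added example, not part of this analytic page or of any Microsoft tooling: it parses 7036 records in the standard Windows event schema, pulls param1 (service display name) and param2 (new state) from EventData, and returns only the records the analytic flags. The sample records are constructed inline, not real captures, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Event XML (the standard event schema).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, param1, param2):
    """Build a constructed System-log record in the shape the Service Control Manager writes."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>{event_id}</EventID>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="param1">{param1}</Data>
    <Data Name="param2">{param2}</Data>
  </EventData>
</Event>"""

# Constructed sample input: two true positives, a start (not stop) event for a watched
# service, a stop of an unwatched service, and a non-7036 event that must be ignored.
SAMPLE_EVENTS = [
    _event(7036, "Windows Firewall", "stopped"),
    _event(7036, "Windows Defender", "running"),
    _event(7036, "Print Spooler", "stopped"),
    _event(7036, "Windows Defender", "stopped"),
    _event(7040, "Windows Defender", "auto start"),
]

# Display names exactly as the analytic's param1 list gives them.
WATCHED_SERVICES = {"Windows Defender", "Windows Firewall"}

def parse_event(xml_text):
    """Flatten one Event XML record into the fields the analytic's pseudocode names."""
    root = ET.fromstring(xml_text)
    params = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "log_name": root.findtext("e:System/e:Channel", default="", namespaces=NS),
        "event_code": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "param1": params.get("param1", ""),
        "param2": params.get("param2", ""),
    }

def matches_analytic(ev):
    """The page's pseudocode, term for term: System log, 7036, watched service, state 'stopped'."""
    return (
        ev["log_name"] == "System"
        and ev["event_code"] == "7036"
        and ev["param1"] in WATCHED_SERVICES
        and ev["param2"] == "stopped"
    )

def find_service_outages(xml_records):
    """Return the parsed records that the analytic flags, in input order."""
    return [ev for ev in map(parse_event, xml_records) if matches_analytic(ev)]

if __name__ == "__main__":
    for hit in find_service_outages(SAMPLE_EVENTS):
        print(f"ALERT: {hit['param1']} entered state '{hit['param2']}' (event {hit['event_code']})")
```

Note that param1 carries the service display name, not the short service name, so the WATCHED_SERVICES set must match the display names in use on the monitored build; later Windows versions rename these services (for instance "Windows Defender Firewall"), and the list should be checked against the target systems before deployment.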
Test Case 1:
- Configurations: Windows 7
- Requirements: Administrator account, PowerShell
- Description: from an administrative PowerShell console, run the Stop-Service command for each service:
Stop-Service -DisplayName "Windows Firewall"
Stop-Service -DisplayName "Windows Defender"
Each service stop generates a Windows Event with ID 7036 in the System log.
Data Model References