Today we are going to talk about our good old friend, better known as Windows Defender AV. Windows Defender is the traditional out-of-the-box antivirus for a Windows machine, not to be confused with the EDR solution called "Defender for Endpoint". In this blog post, we are going to explain why it is relevant to keep an eye on your Windows Defender AV logs, and how to use that telemetry to create custom alerts. We will start by showing real cases of adversaries working their way around Windows Defender. Once we have done that, we will show some examples with Azure Sentinel, which we will use to create the custom alerts. This can be done with other solutions as well, so don't feel the need to use only Azure Sentinel.

We have seen in many ransomware attacks that adversaries tend to work their way around Windows Defender AV. This can be done by simply disabling the AV, creating exclusions, and so on. During the Sodinokibi ransomware attack, the threat actors created a GPO and rolled it out across all the systems to disable Windows Defender AV. Another example was during the Kaseya ransomware attack, where the ransomware encryptor started to disable additional protection in Windows Defender. Source:
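As an added example (not part of the original post, and not the Sentinel queries the authors show later), the following KQL query turns the Defender AV telemetry described above into a custom alert. It assumes the "Microsoft-Windows-Windows Defender/Operational" channel is collected into the Sentinel `Event` table through the Log Analytics or Azure Monitor agent; the event IDs are Microsoft's documented Defender AV operational-log IDs, and the `HostThreshold` value is an assumed tuning knob.

```kql
// Added example, not from the original post.
// Assumes the Defender AV operational channel lands in the Event table.
let Lookback = 1h;
// A GPO-driven rollout (as in the Sodinokibi case) hits many hosts at once,
// so alert when more than this many hosts are affected in the window.
// Assumed threshold; tune it to the size of the estate.
let HostThreshold = 3;
Event
| where TimeGenerated > ago(Lookback)
| where EventLog == "Microsoft-Windows-Windows Defender/Operational"
// 5001 real-time protection disabled, 5007 configuration changed
// (includes new exclusions), 5010 malware scanning disabled,
// 5012 virus scanning disabled, 5013 tamper protection blocked a change.
| where EventID in (5001, 5007, 5010, 5012, 5013)
| extend Activity = case(
    EventID == 5001, "RealTimeProtectionDisabled",
    EventID == 5007 and RenderedDescription has "Exclusions", "ExclusionAdded",
    EventID == 5007, "DefenderConfigChanged",
    EventID == 5013, "TamperProtectionBlocked",
    "ScanningDisabled")
| summarize
    Events = count(),
    AffectedHosts = dcount(Computer),
    HostSample = make_set(Computer, 25),
    DescriptionSample = make_set(RenderedDescription, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by Activity, EventID
// Fire on any single weakening of protection, and flag fleet-wide ones.
| extend FleetWide = AffectedHosts >= HostThreshold
| order by FleetWide desc, AffectedHosts desc
```

Scheduled as an analytics rule, a `FleetWide` row is the signal for a GPO-style rollout, while a single-host `ExclusionAdded` or `RealTimeProtectionDisabled` row still deserves a look on its own. Event 5013 is included because tamper-protection blocks show the attempt even when the change did not succeed.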