Windows Defender Disabled Via SystemSettingsAdminFlows.EXE

Original Source: [Sigma source]
Title: Windows Defender Disabled Via SystemSettingsAdminFlows.EXE
Status: experimental
Description: Detects the use of SystemSettingsAdminFlows.exe to disable Windows Defender. SystemSettingsAdminFlows.exe is a legitimate Windows component used for administrative configuration tasks. Attackers may abuse it to disable Windows Defender as part of their attack chain, especially in ransomware and other malware campaigns.
References:
  - https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
  - https://www.huntress.com/blog/lolbin-to-inc-ransomware
Author: Chirag Damani (KPMG India), Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-07-01
Modified: None
Tags:
  - attack.defense-impairment
  - attack.t1685
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_ssaf_img:
    Image|endswith: '\SystemSettingsAdminFlows.exe'
    OriginalFileName: 'SystemSettingsAdminFlows.EXE'
  selection_ssaf_cli:
    CommandLine|contains: 'defender'
  selection_cli_enable_opt:
    CommandLine|contains:
      - 'RTP '
      - 'RealTimeProtection '
      - 'DisableEnhancedNotifications '
  selection_cli_enable_value:
    CommandLine|contains: '1'
  selection_cli_disable_opt:
    CommandLine|contains:
      - 'SubmitSamplesConsent '
      - 'SpyNetReporting '
      - 'DisableCDPUserAuthPolicy '
  selection_cli_disable_value:
    CommandLine|contains: '0'
  condition: all of selection_ssaf_* and (all of selection_cli_enable_* or all of selection_cli_disable_*)
Falsepositives:
  - Legitimate disabling of Windows Defender by technical users or administrators for troubleshooting or other purposes.
Level: high
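The following script replays the rule's condition over a handful of constructed process_creation events so the matching logic can be checked offline. It is an added example, not code from the original page or from the rule's authors. The function names (`matches`, `run`), the event names, and the file paths are assumptions made for illustration; the command lines are built from the option tokens the rule itself lists and are not copied from any incident report.

```python
"""Evaluate the Sigma rule above against constructed process_creation events.

Added example, not part of the Sigma rule or the original page. Field names
follow Sigma's process_creation taxonomy (Image, OriginalFileName, CommandLine).
"""

# Option tokens copied from the rule. The trailing space is part of each token
# so that the option name has to be followed by a separate value argument.
ENABLE_OPTS = ("RTP ", "RealTimeProtection ", "DisableEnhancedNotifications ")
DISABLE_OPTS = ("SubmitSamplesConsent ", "SpyNetReporting ", "DisableCDPUserAuthPolicy ")


def _contains_any(value, needles):
    # Sigma's contains/endswith modifiers are case-insensitive by default.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event):
    """Return True when the event satisfies the rule's condition:
    all of selection_ssaf_* and (all of selection_cli_enable_* or all of selection_cli_disable_*)
    """
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "")

    # selection_ssaf_img: two fields inside one selection map are ANDed, so both
    # the on-disk name and the PE's OriginalFileName must match.
    ssaf_img = image.endswith("\\systemsettingsadminflows.exe") and ofn == "systemsettingsadminflows.exe"
    ssaf_cli = "defender" in cli.lower()

    # Each *_value selection is a bare substring test: any '1' (or '0')
    # anywhere on the command line satisfies it, not only the option's value.
    enable = _contains_any(cli, ENABLE_OPTS) and "1" in cli
    disable = _contains_any(cli, DISABLE_OPTS) and "0" in cli

    return ssaf_img and ssaf_cli and (enable or disable)


SYS32 = "C:\\Windows\\System32\\SystemSettingsAdminFlows.exe"  # assumed install path
OFN = "SystemSettingsAdminFlows.EXE"

# Constructed events (not taken from any incident report).
EVENTS = {
    # RTP option with value 1: matches via the enable_* selections
    "rtp_1": {"Image": SYS32, "OriginalFileName": OFN,
              "CommandLine": "SystemSettingsAdminFlows.exe Defender RTP 1"},
    # SpyNetReporting with value 0: matches via the disable_* selections
    "spynet_0": {"Image": SYS32, "OriginalFileName": OFN,
                 "CommandLine": "SystemSettingsAdminFlows.exe Defender SpyNetReporting 0"},
    # RTP with value 0: no '1' on the command line, so no match
    "rtp_0": {"Image": SYS32, "OriginalFileName": OFN,
              "CommandLine": "SystemSettingsAdminFlows.exe Defender RTP 0"},
    # Renamed copy (hypothetical path): OriginalFileName still matches but Image
    # does not, so the ANDed selection_ssaf_img fails and the rule is silent
    "renamed": {"Image": "C:\\Users\\Public\\upd.exe", "OriginalFileName": OFN,
                "CommandLine": "upd.exe Defender RTP 1"},
    # Same RTP 0 command run from a hypothetical directory whose name contains
    # a '1': the stray digit alone satisfies selection_cli_enable_value
    "rtp_0_stray_1": {"Image": "D:\\Build1\\SystemSettingsAdminFlows.exe", "OriginalFileName": OFN,
                      "CommandLine": "\"D:\\Build1\\SystemSettingsAdminFlows.exe\" Defender RTP 0"},
}


def run():
    """Evaluate every constructed event and return {name: matched}."""
    return {name: matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run().items():
        print(f"{name:15s} {'MATCH' if hit else 'no match'}")
```

Two things the replay makes visible: `selection_ssaf_img` requires both the on-disk name and the PE OriginalFileName, so a renamed copy of the binary is outside the rule's coverage, and the `'1'` / `'0'` value selections are plain substring tests, so a digit anywhere on the command line satisfies them. Tightening the value check to the token directly after the option (for example with a `CommandLine|re` modifier) would reduce the second effect if it produces noise in a given environment.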