Disable Microsoft Defender – Detection
This is a simple detection exercise: the Microsoft Defender protection features were disabled through their registry settings, and the resulting events were observed in Sysmon. The detection queries for each case are listed at the end.
Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer.
Microsoft SpyNet is the online community that helps you decide the actions to respond to the spyware.
When Windows Defender detects software, or changes made by software, that has not yet been classified for risk, you can see how other members responded to the alert. In turn, the action you apply helps other members choose how to respond. Your actions also help Microsoft choose which software to investigate as a potential threat.
If SpyNet Reporting is disabled for Microsoft Windows Defender (SpyNetReporting set to 0), the registry value change is captured by Sysmon Event ID 13 (RegistryEvent: Value Set).

If Real-Time Monitoring is disabled for Microsoft Windows Defender (DisableRealtimeMonitoring set to 1), the registry value change is again captured by Sysmon Event ID 13. After this, Windows Defender will no longer prompt users to take action on malware detections.

If the attacker also disables the submission of malicious samples to Microsoft (SubmitSamplesConsent set to 0), another Event ID 13 record is written and can be detected just as easily.
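The three registry changes described above can be matched directly on the Sysmon Event ID 13 fields (Image, TargetObject, Details). The following Python script is an added example, not code from the original post: it runs the same three rules over a constructed set of Event ID 13 records (the sample events, process paths and the rule names are assumptions for illustration). It also shows two things the one-line queries leave implicit: the registry path should be compared case-insensitively, because Sysmon records the path casing as the writer supplied it, and only Event ID 13 (value set) should match, not Event ID 12 (key created) on the same path.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sample of Sysmon Event ID 12/13 records, reduced to the fields
# the detection rules use. These are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent",
     "Details": "DWORD (0x00000000)"},
    # Benign: real-time monitoring being switched back ON (value 0) must not alert.
    {"EventID": 13, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # Unrelated registry write must not alert.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    # Event ID 12 (key created) on the same path is not a value set; must not alert.
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting",
     "Details": ""},
]


@dataclass(frozen=True)
class Rule:
    name: str           # hypothetical rule name
    image: str          # glob over the Image field, e.g. "*.exe"
    target_object: str  # registry value path, compared case-insensitively
    details: str        # exact Sysmon "Details" string, e.g. "DWORD (0x00000001)"


# The three detections from the post, expressed as rule objects.
RULES = [
    Rule("Defender sample submission disabled", "*.exe",
         r"HKLM\Software\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent",
         "DWORD (0x00000000)"),
    Rule("Defender real-time monitoring disabled", "*.exe",
         r"HKLM\Software\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
         "DWORD (0x00000001)"),
    Rule("Defender SpyNet reporting disabled", "*.exe",
         r"HKLM\Software\Microsoft\Windows Defender\Spynet\SpyNetReporting",
         "DWORD (0x00000000)"),
]


def matches(rule: Rule, event: dict) -> bool:
    """True when a single Sysmon record satisfies one rule."""
    if event.get("EventID") != 13:          # only "Value Set" events carry Details
        return False
    # Lower-case both sides: registry paths are case-insensitive, and fnmatch
    # is case-sensitive on non-Windows hosts where a SIEM usually runs.
    image_ok = fnmatch.fnmatchcase(event["Image"].lower(), rule.image.lower())
    path_ok = event["TargetObject"].lower() == rule.target_object.lower()
    details_ok = event["Details"] == rule.details
    return image_ok and path_ok and details_ok


def detect(events, rules=RULES):
    """Return (rule name, writing process) for every event that hits a rule."""
    return [(rule.name, ev["Image"])
            for ev in events for rule in rules if matches(rule, ev)]


if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"ALERT: {name} <- {image}")
```

Running it on the sample prints three alerts (real-time monitoring, SpyNet reporting and sample submission, each with the process that wrote the value) and stays silent on the benign re-enable, the unrelated key and the Event ID 12 record. One caveat the post does not state: Sysmon only logs registry events for paths included in its configuration, so a RegistryEvent rule covering the Windows Defender keys must be present in the Sysmon config before any of these queries can fire.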

Detection Queries
Image IS *.exe AND TargetObject IS "HKLM\Software\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent" AND Details IS "DWORD (0x00000000)"
Image IS *.exe AND TargetObject IS "HKLM\Software\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring" AND Details IS "DWORD (0x00000001)"
Image IS *.exe AND TargetObject IS "HKLM\Software\Microsoft\Windows Defender\Spynet\SpyNetReporting" AND Details IS "DWORD (0x00000000)"