Microsoft Defender Alerts — Investigation & Response Guide
Microsoft Defender Antivirus records detections, remediation actions, and configuration changes in the Microsoft-Windows-Windows Defender/Operational log, while the System and Security logs record when its service stops (Event 7036) or its registry keys change (Event 4657). This hub covers how to investigate Defender alerts end-to-end: from the initial detection (Event 1116) to the remediation outcome (Event 1117), and back to Defender being disabled before the attack (Events 7036 and 4657). Understanding what Defender logged, and what it failed to stop, is often the fastest path to scoping an incident.
Severity
Critical
ATT&CK Tactic
Defense Evasion
Common attacker usage
- Ransomware operators disable Defender before encryption (7036 service stop plus 4657 registry changes)
- Malware loaders trigger 1116 detections; the Action field tells you whether they were blocked or ran
- Post-exploitation toolkits (Mimikatz, Cobalt Strike) trigger 1116 detections that indicate an active intrusion
- Defense evasion: attackers add exclusion paths to Defender registry keys to hide subsequent malware
Investigate immediately if
- !Event 1116 fires with Action Type = 'No Action', 'Allowed', or 'Allowed by User' — the threat ran unchecked
- !Event 1116 detects Mimikatz, Cobalt Strike, Metasploit, or any post-exploitation framework — indicates active hands-on-keyboard intrusion
- !Event 7036 shows WinDefend service stopped with no restart within 60 seconds — attacker killed Defender
- !Event 1116 fires followed by Event 1102 (audit log cleared) within minutes — attacker covering tracks after execution
MITRE ATT&CK
T1562.001 · Impair Defenses: Disable or Modify Tools
Defense Evasion
Security Relevance
Defender alerts are often treated as noise by teams that see high false-positive rates from PUA detections or aggressive scanning. This is the mistake attackers count on. A 1116 for a Cobalt Strike stager, a Mimikatz variant, or a known ransomware loader is a high-fidelity signal that should trigger incident response immediately, not suppression. The relationship between 1116 (detection) and 1117 (action) is critical: detection without remediation means the threat ran. Defender disablement events (7036, 4657) before a 1116 indicate an attacker who prepared the environment before executing the payload, so the 1116 is not the start of the incident.
Indicators of Malicious Use
- ⚑Event 1116 with Action Type 'No Action' or 'Allowed' — detection without remediation; the threat executed and may still be running.
- ⚑Event 1116 for known post-exploitation tool names: Mimikatz, CobaltStrike, Meterpreter, PowerShell Empire, BloodHound — indicates active intrusion, not opportunistic malware.
- ⚑Event 7036 showing the Windows Defender Antivirus Service stopped, with no matching 7036 'entered the running state' within 60 seconds: a deliberate Defender kill. A 7040 for the same service showing its start type changed to Disabled is not a restart; it is the attacker making the kill stick across reboots.
- ⚑Event 4657 with a registry path containing 'Windows Defender' or 'MpEngine': registry-based Defender configuration tampering (exclusion paths, DisableRealtimeMonitoring, DisableAntiSpyware). 4657 only fires if a SACL audits those keys; without one, Defender's own Operational log still records the change as Event 5007 (configuration changed) and real-time protection being turned off as Event 5001.
- ⚑Repeated 1116 detections for the same threat name on the same host — re-infection pattern indicating a persistence mechanism survived remediation.
- ⚑Event 1116 immediately before Event 1102 (audit log cleared) — attacker executed payload, then wiped evidence of what Defender detected.
- ⚑Event 1118 (remediation failed) following a 1116, with a non-zero Error Code: Defender attempted to quarantine or remove the file but could not, usually because the file was locked by an actively running process.
Example Log Entry
# Event 1116 — Defender detects post-exploitation tool (action: Allowed)
Log Name: Microsoft-Windows-Windows Defender/Operational
Event ID: 1116
Level: Warning
Windows Defender Antivirus has detected malware or other potentially unwanted software.
Name: HackTool:Win64/Mimikatz.A
ID: 2147747903
Severity: High
Category: Tool
Path: C:\Users\jsmith\AppData\Local\Temp\m64.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\System32\cmd.exe
Action: Allowed ← threat ran unchecked

# Event 1117 — Remediation outcome
Log Name: Microsoft-Windows-Windows Defender/Operational
Event ID: 1117
Windows Defender Antivirus has taken action to protect this machine from malware.
Name: HackTool:Win64/Mimikatz.A
Action: Allowed by User ← someone explicitly allowed it
Error Code: 0x00000000

# Event 7036 — Defender service stopped
Log Name: System
Event ID: 7036
The Windows Defender Antivirus Service service entered the stopped state.
Investigation Steps
- 1.Start with the Action field of the 1117 that follows the 1116: 'Quarantine' or 'Remove' means contained; 'No Action' or 'Allowed' means the threat ran; no 1117 at all, or an 1118 (action failed), means remediation never completed. This single field determines whether you have a containment situation or an active incident.
- 2.Look up the Threat Name from Event 1116 in a public threat intelligence source (Microsoft Security Intelligence, VirusTotal, or Mandiant) — the malware family determines expected behavior: persistence mechanisms, C2 protocols, lateral movement tools, and data staging patterns.
- 3.Pivot to Event 4688 (process creation) around the same timestamp: find the 4688 whose New Process Name equals the detected Path, then any 4688 whose Creator Process Name is that path. Child processes mean the payload had time to run before Defender caught it. Command-line auditing must be enabled for the arguments to appear in 4688.
- 4.Check for Event 7036 (WinDefend stopped), Event 4657 (Defender registry key changes, if the keys are audited), and Defender's own Events 5001 (real-time protection disabled) and 5007 (configuration changed, including new exclusions) in the 60 minutes before the 1116. If Defender was tampered with before the detection, assume the attacker had a preparation phase and the 1116 is not the start of the incident.
- 5.Look for Event 4698 (scheduled task created), 7045 (service installed), or 4657 (registry run key) in the 5-minute window around the 1116 timestamp — these indicate the malware established persistence before Defender caught the primary payload.
- 6.Check if the same Threat Name fires again within 24 hours — re-detection means a persistence mechanism survived. Remediation is incomplete until re-detections stop.
- 7.If the Action is 'Allowed by User', find who approved it: check the User field of the 1117, which records the account Defender associated with the remediation decision. A non-admin user allowing a HackTool is a policy violation; an admin allowing it during an incident response may be intentional.
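The indicators above, the example log entry, and the seven investigation steps, implemented as an added example (not code from the original guide or from any Microsoft tool) in Python. A constructed event timeline for one host is run through one function per check; the event records are plain dicts carrying the EventData fields the guide names, and the host, account, paths and timestamps are all invented. `parse_rendered` shows how the 'Key: Value' layout of the example log entry maps onto those fields; in practice the same dicts would be filled from an EVTX export (for instance `Get-WinEvent ... | ConvertTo-Json`).

```python
"""Correlate Defender, System and Security events against the indicators and
investigation steps above. Added example, not code from the original guide or
from Microsoft. Events are dicts carrying the EventData fields the guide names;
the host timeline, account and paths below are constructed."""
from datetime import datetime, timedelta

CONTAINED = {"quarantine", "remove", "clean", "block"}       # actions that mean "did not run"
POST_EXPLOITATION = ("mimikatz", "cobaltstrike", "meterpreter", "empire", "bloodhound")
DEFENDER_KEYS = ("windows defender", "mpengine")             # 4657 ObjectName markers from the guide

def parse_rendered(text):
    """Turn the 'Key: Value' lines of a rendered Defender event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not key.lstrip().startswith("#"):
            fields[key.strip()] = value.split("←")[0].strip()  # drop inline annotations
    return fields

SAMPLE_1116 = r"""Log Name: Microsoft-Windows-Windows Defender/Operational
Event ID: 1116
Name: HackTool:Win64/Mimikatz.A
Path: C:\Users\jsmith\AppData\Local\Temp\m64.exe
Action: Allowed ← threat ran unchecked"""

def ev(time, channel, eid, **data):
    """One constructed event: ISO timestamp, log channel, event ID, EventData."""
    return {"time": datetime.fromisoformat(time), "channel": channel, "id": eid, **data}

SVC = "Windows Defender Antivirus Service"
EVENTS = [  # constructed timeline for a single host, oldest first
    ev("2024-03-04T08:00:00", "System", 7036, service=SVC, state="stopped"),   # benign stop/start pair
    ev("2024-03-04T08:00:20", "System", 7036, service=SVC, state="running"),
    ev("2024-03-04T09:58:00", "Security", 4657, key=r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", value="DisableRealtimeMonitoring"),
    ev("2024-03-04T10:00:00", "Defender", 1116, name="HackTool:Win64/Mimikatz.A", path=r"C:\Users\jsmith\AppData\Local\Temp\m64.exe", action="Allowed"),
    ev("2024-03-04T10:00:03", "Security", 4698, task=r"\Updater"),
    ev("2024-03-04T10:00:05", "Defender", 1117, name="HackTool:Win64/Mimikatz.A", action="Allowed by User", user=r"CORP\jsmith"),
    ev("2024-03-04T10:03:00", "Security", 1102),
    ev("2024-03-04T11:00:00", "System", 7036, service=SVC, state="stopped"),   # never restarts: a kill
    ev("2024-03-04T14:00:00", "Defender", 1116, name="HackTool:Win64/Mimikatz.A", path=r"C:\Users\jsmith\AppData\Local\Temp\m64.exe", action="Quarantine"),
]

def _between(events, start, end, **match):
    return [e for e in events if start <= e["time"] <= end
            and all(e.get(k) == v for k, v in match.items())]

def _is_defender_stop(e):
    return e["id"] == 7036 and e.get("state") == "stopped" and "Defender" in e.get("service", "")

def uncontained_detections(events):
    """Indicator 1 / step 1: 1116 or 1117 whose Action is not a containing one."""
    return [e for e in events if e["id"] in (1116, 1117) and e.get("action", "").lower() not in CONTAINED]

def is_post_exploitation(name):
    """Indicator 2: threat name points at a hands-on-keyboard toolkit."""
    return any(tool in name.replace(" ", "").lower() for tool in POST_EXPLOITATION)

def defender_kills(events, grace_seconds=60):
    """Indicator 3: WinDefend 'stopped' with no 'running' 7036 inside the grace period."""
    return [e for e in events if _is_defender_stop(e) and not _between(
        events, e["time"], e["time"] + timedelta(seconds=grace_seconds), id=7036, state="running")]

def tampering_before(detection, events, minutes=60):
    """Step 4: service stops or Defender registry writes in the hour before the 1116."""
    window = _between(events, detection["time"] - timedelta(minutes=minutes), detection["time"])
    return [e for e in window if _is_defender_stop(e)
            or (e["id"] == 4657 and any(k in e.get("key", "").lower() for k in DEFENDER_KEYS))]

def persistence_around(detection, events, minutes=5):
    """Step 5: task, service or Run-key creation within +/- 5 minutes of the 1116."""
    lo, hi = detection["time"] - timedelta(minutes=minutes), detection["time"] + timedelta(minutes=minutes)
    return [e for e in _between(events, lo, hi) if e["id"] in (4698, 7045)
            or (e["id"] == 4657 and "currentversion\\run" in e.get("key", "").lower())]

def log_cleared_after(detection, events, minutes=10):
    """Indicator 6: Security log cleared (1102) shortly after the detection."""
    return _between(events, detection["time"], detection["time"] + timedelta(minutes=minutes), id=1102)

def redetections(events, hours=24):
    """Step 6: the same threat name detected again on this host within 24 hours."""
    hits = sorted((e for e in events if e["id"] == 1116), key=lambda e: e["time"])
    return [(a, b) for i, a in enumerate(hits) for b in hits[i + 1:]
            if a["name"] == b["name"] and b["time"] - a["time"] <= timedelta(hours=hours)]

def triage(events):
    """One verdict per 1116: the 1117 outcome (if one followed within 60 s) plus each check."""
    verdicts = []
    for det in (e for e in events if e["id"] == 1116):
        outcome = next((o for o in events if o["id"] == 1117 and o.get("name") == det["name"]
                        and 0 <= (o["time"] - det["time"]).total_seconds() <= 60), None)
        action = (outcome or det).get("action", "")
        verdicts.append({
            "time": det["time"].isoformat(), "name": det["name"], "action": action,
            "contained": action.lower() in CONTAINED, "post_exploitation": is_post_exploitation(det["name"]),
            "tampering_before": len(tampering_before(det, events)), "persistence_around": len(persistence_around(det, events)),
            "log_cleared_after": bool(log_cleared_after(det, events)),
        })
    return verdicts
```

`triage(EVENTS)` returns one verdict per 1116: the first detection comes back uncontained ('Allowed by User'), flagged as post-exploitation, with one tampering event in the preceding hour, one persistence artifact around it, and the log cleared afterwards; the second is contained. `defender_kills(EVENTS)` ignores the 08:00 stop/start pair and reports only the 11:00 stop, and `redetections(EVENTS)` pairs the two Mimikatz hits four hours apart.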
Common False Positives
- ◎Security researchers and red team operators running tools in isolated environments — coordinate with your security team's known testing windows.
- ◎Penetration testing engagements — 1116 events for common pentest tools (Mimikatz, BloodHound, CrackMapExec) should correlate with an active engagement authorization.
- ◎Legitimate software flagged as PUA (Potentially Unwanted Application): dual-use tools like CCleaner, process monitors, and some admin utilities may generate 1116 events; verify the category is PUA rather than Trojan or HackTool.
- ◎Defender stopping on its own: on Windows client editions, Microsoft Defender Antivirus disables itself when a third-party antivirus registers with Windows, and Defender platform updates restart the service. Both produce 7036 stop events; the first coincides with the AV installation, the second is followed by a 7036 'running' within seconds.
Remediation
- ✓Immediately isolate any machine where 1116 fired with Action Type other than 'Quarantine' or 'Remove' — treat it as actively compromised until proven clean.
- ✓Enable Tamper Protection: it blocks changes to real-time protection, cloud-delivered protection and other core settings made through the registry, PowerShell (Set-MpPreference) or local policy, and logs each blocked attempt as Event 5013, which is itself worth alerting on.
- ✓Alert on Event 7036 for WinDefend stopped — this event should trigger an immediate page, not a daily review.
- ✓Deploy Attack Surface Reduction (ASR) rules in Block mode — these prevent common attack techniques regardless of Defender signature status.
- ✓Review Defender exclusions regularly (Get-MpPreference: ExclusionPath, ExclusionProcess, ExclusionExtension, plus the policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions): exclusions are the most common way attackers persist after an initial Defender bypass. Any exclusion covering a user-writable path, a whole drive, a script host process, or an executable extension should be audited.
- ✓Pair every 1116 investigation with a check for 1102 (audit log cleared) — log clearing after a Defender detection is the clearest sign of an attacker covering tracks.
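A concrete version of the exclusion review above, as an added example (not from the original guide or from Microsoft): the function takes the three exclusion lists in the shape `Get-MpPreference` returns and flags exclusions that cover user-writable locations, whole drives, wildcards, script hosts, or executable extensions. The sample preference values and the risk heuristics are constructed assumptions, not a Microsoft rule set; the one documented behaviour relied on is that a process exclusion exempts the files that process opens, not the process binary itself.

```python
"""Audit Defender exclusion lists for entries an attacker can abuse.
Added example, not from the original guide or from Microsoft. The input is
shaped like the ExclusionPath / ExclusionProcess / ExclusionExtension properties
that Get-MpPreference returns; sample values and heuristics are constructed."""
import re

# Locations any authenticated user can normally write to (lower-case prefixes).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\",
                 "c:\\temp\\", "%temp%", "%tmp%", "%appdata%", "%localappdata%", "%userprofile%", "%public%")
# Script hosts and LOLBins: a process exclusion exempts every file the process opens.
LOLBIN_PROCESSES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                    "rundll32.exe", "regsvr32.exe", "msbuild.exe", "certutil.exe"}
EXECUTABLE_EXTENSIONS = {"exe", "dll", "ps1", "psm1", "bat", "cmd", "vbs", "js", "hta", "scr", "sys", "lnk"}

def audit_exclusions(paths=(), processes=(), extensions=()):
    """Return (exclusion, reason) pairs for entries that widen the attack surface."""
    findings = []
    for p in paths:
        low = p.strip().lower()
        if re.fullmatch(r"[a-z]:\\?\*?", low) or low in ("*", "\\"):
            findings.append((p, "excludes an entire drive"))
        elif any(low.startswith(prefix) for prefix in USER_WRITABLE):
            findings.append((p, "covers a user-writable location"))
        elif "*" in low or "?" in low:
            findings.append((p, "wildcard exclusion: check it cannot match attacker-chosen names"))
    for proc in processes:
        if proc.strip().lower().rsplit("\\", 1)[-1] in LOLBIN_PROCESSES:
            findings.append((proc, "process exclusion on a script host or LOLBin: files it opens go unscanned"))
    for ext in extensions:
        if ext.strip().lstrip(".").lower() in EXECUTABLE_EXTENSIONS:
            findings.append((ext, "executable or script extension excluded"))
    return findings

SAMPLE_PREFERENCE = {  # constructed, shaped like Get-MpPreference output
    "ExclusionPath": [r"C:\Program Files\Microsoft SQL Server\MSSQL\DATA", r"C:\Users\Public\Tools",
                      r"C:\ProgramData\Updater\*", "D:\\", r"C:\Apps\*.log"],
    "ExclusionProcess": [r"C:\Windows\System32\svchost.exe", "powershell.exe"],
    "ExclusionExtension": ["mdf", ".ps1"],
}

def audit_preference(pref):
    """Run the audit over a Get-MpPreference-shaped dict."""
    return audit_exclusions(pref.get("ExclusionPath", []), pref.get("ExclusionProcess", []),
                            pref.get("ExclusionExtension", []))
```

On the sample, the SQL data directory and `svchost.exe` pass, while the Public folder, the ProgramData wildcard, the whole D: drive, the `*.log` wildcard, the PowerShell process exclusion and the `.ps1` extension are each reported with a reason.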
Frequently Asked Questions
- How do I tell the difference between a Defender false positive and a real threat using Event 1116?
- Check the Category field in Event 1116: 'HackTool' and 'Trojan' are high-confidence malicious categories with very low false-positive rates, while 'PUA' (Potentially Unwanted Application) is the noisy category where legitimate software lives. Check the Path: a detection in AppData\Local\Temp, a user's Downloads folder, or another non-standard location is far more suspicious than one in a known software installation directory. Look up the Threat Name in Microsoft Security Intelligence; the description tells you whether it is a legitimate dual-use tool or a known malicious family. Finally, check who ran the process (Subject Account in the matching 4688): a domain admin running a HackTool is either an authorized red team or an insider, and a standard user running one is almost always malicious.
- What does it mean when Defender keeps detecting the same threat repeatedly?
- Repeated detections of the same threat name on the same host almost always indicate a persistence mechanism that is re-dropping the malware after Defender quarantines it. Common patterns: a scheduled task or registry run key re-executes a dropper that downloads the malware again; the malware installed a service that respawns on restart; or the primary payload was removed but a secondary implant is re-fetching it. To stop the cycle, find and remove the persistence mechanism first. Check Event 4698 (scheduled tasks), 7045 (services), and 4657 (run keys) around the first detection timestamp. Remove those before running another full scan.
- Does Windows Defender log attacks that it missed?
- No. Defender only logs what it detected; if malware evaded detection there is no 1116 for it. This is why correlating 4688 (process creation), 4104 (PowerShell script blocks) and network events with 1116 matters: the full attack chain may be visible in other logs even when Defender missed the payload. Defender does record more than signature hits in the same Operational log: Attack Surface Reduction rule triggers appear as Events 1121 (block) and 1122 (audit), and AMSI-sourced script detections appear as 1116/1117 with Detection Source 'AMSI'. For comprehensive coverage, supplement Defender with process creation auditing (4688 with command lines), Script Block Logging (4104), and Sysmon.
Detect these Defender alert patterns in your logs
Upload an .evtx file from servers, domain controllers, or endpoints. EventPeeker detects the Defender alert patterns described in this guide, maps findings to MITRE ATT&CK, and generates an AI triage report.