EventPeeker
Event ID 1116 · Warning · Microsoft-Windows-Windows Defender/Operational · T1204

Windows Event ID 1116: Windows Defender — Malware Detected

Logged when Windows Defender detects a threat — malware, PUA, or suspicious file.

MITRE ATT&CK

Technique: T1204 · User Execution

Tactic: Execution


Why It Matters

A detection means malicious code reached the endpoint. Even if remediated, the detection indicates the attack vector (how it arrived), the specific threat family, and the affected path — all critical for determining scope.

Key Fields

Threat Name: The malware family identified — e.g. Trojan:Win32/Mimikatz, Ransom:Win32/WannaCrypt
Detection Path: Where the malware was found — temporary paths often indicate drive-by; startup paths indicate persistence
Action: What Defender did: Quarantine, Remove, Block, or No Action

Investigation Tips

  1. Check the detection path — files in C:\Users\*\AppData, C:\Temp, or C:\Windows\Temp are most common for active attacks.
  2. Correlate with 4688 to see what process dropped or executed the detected file.
  3. If Action is No Action or Allowed, the threat was not remediated — treat as an active compromise.
  4. Check 1117 (Defender action taken) to confirm what happened after detection.
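The investigation tips above, applied in Python to a 1116 event exported as XML (for instance via Get-WinEvent's ToXml()). This is an added example, not EventPeeker's code; the Data Name labels (Threat Name, Path, Action Name) and the "file:_" path prefix are assumptions taken from the Defender Operational log schema as I recall it, and both sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Directories the tips above flag as most common for active attacks (matched case-insensitively).
SUSPICIOUS_DIRS = ("\\appdata\\", "c:\\temp\\", "c:\\windows\\temp\\")
# Action values that mean the threat was not remediated.
NOT_REMEDIATED = {"no action", "allowed"}

# Constructed sample 1116 events; Data Name labels follow the Defender schema as assumed above.
SAMPLE_QUARANTINED = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1116</EventID><Channel>Microsoft-Windows-Windows Defender/Operational</Channel></System>
  <EventData>
    <Data Name="Threat Name">Trojan:Win32/Mimikatz</Data>
    <Data Name="Path">file:_C:\Users\alice\Downloads\mimi.exe</Data>
    <Data Name="Action Name">Quarantine</Data>
  </EventData></Event>"""
SAMPLE_UNREMEDIATED = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1116</EventID><Channel>Microsoft-Windows-Windows Defender/Operational</Channel></System>
  <EventData>
    <Data Name="Threat Name">Ransom:Win32/WannaCrypt</Data>
    <Data Name="Path">file:_C:\Users\bob\AppData\Local\Temp\update.exe</Data>
    <Data Name="Action Name">No Action</Data>
  </EventData></Event>"""

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) for one event exported as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def triage_1116(xml_text):
    """Apply tips 1 and 3: flag suspicious paths and unremediated detections. None if not a 1116."""
    event_id, data = parse_event(xml_text)
    if event_id != 1116:
        return None
    # Defender writes paths as "<type>:_<path>", e.g. "file:_C:\..." (assumption); drop the prefix.
    path = data.get("Path", "").split(":_", 1)[-1]
    action = data.get("Action Name", "")
    findings = []
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        findings.append(f"detection path in a common attack location: {path}")
    if action.lower() in NOT_REMEDIATED:
        findings.append(f"not remediated (Action Name={action!r}): treat as active compromise")
    return {"threat": data.get("Threat Name", ""), "path": path, "action": action, "findings": findings}

if __name__ == "__main__":
    for sample in (SAMPLE_QUARANTINED, SAMPLE_UNREMEDIATED):
        print(triage_1116(sample))
```

Tips 2 and 4 need the surrounding 4688 and 1117 events, so they are left for correlation over the full log rather than handled per event here.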

Related Event IDs

1117: Defender remediation action taken
4688: Process that may have dropped or executed the threat


See Event ID 1116 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects Windows Defender — Malware Detected patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
