Tampering of Windows Defender with Reg
Detects use of the reg.exe utility to tamper with Microsoft Defender protections: deleting the Defender policy key, or adding registry values that turn off protection components, PUA blocking, cloud (Spynet) reporting, or automatic sample submission.
Sigma rule

```yaml
title: Tampering of Windows Defender with Reg
id: ca11521c-5d9c-484f-b83a-14aa12df1201
status: experimental
description: Detects use of the reg utility to tamper with MS Defender protections.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
    - https://www.elevenforum.com/t/enable-or-disable-automatic-sample-submission-for-microsoft-defender-antivirus-in-windows-11.4010/
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_base:
        Image|endswith: '\reg.exe'
    selection_disable_defender:
        CommandLine|contains|all:
            - 'delete'
            - '\Software\Policies\Microsoft\Windows Defender'
    selection_disable_defender_services:
        CommandLine|contains|all|windash:
            - 'add'
            - '/d'
            - '1'
        CommandLine|contains:
            - 'DisableAntiSpyware'
            - 'DisableAntiSpywareRealtimeProtection'
            - 'DisableAntiVirus'
            - 'DisableBehaviorMonitoring'
            - 'DisableIOAVProtection'
            - 'DisableOnAccessProtection'
            - 'DisableRealtimeMonitoring'
            - 'DisableRoutinelyTakingAction'
            - 'DisableScanOnRealtimeEnable'
            - 'DisableEnhancedNotifications'
            - 'DisableBlockAtFirstSeen'
            - 'DisableConfig'
            - 'DisablePrivacyMode'
            - 'DisableScriptScanning'
            - 'DisableIntrusionPreventionSystem'
    selection_disable_pus:
        CommandLine|contains|all|windash:
            - 'add'
            - '/d'
            - '0'
        CommandLine|contains:
            - 'MpEnablePus'
            - 'SpynetReporting'
    selection_disable_sample_submission:
        CommandLine|contains|all|windash:
            - 'add'
            - '/d'
            - '2'
            - 'SubmitSamplesConsent'
    condition: selection_base and 1 of selection_disable*
falsepositives:
    - Unknown
level: high
```
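To see what the detection block above actually matches, here is the rule's logic re-implemented in Python and run over a handful of process_creation events. This is an added example written for this page, not code from the SigmaHQ rule or its author; the `evaluate` function, the `_windash`/`_contains_*` helpers and every sample event are constructed for the illustration (the events are not real telemetry). Sigma string matching is case-insensitive, and the `windash` modifier lets a `/x` switch also match its `-x` form, which is what the helpers reproduce.

```python
"""Run the 'Tampering of Windows Defender with Reg' selections over sample events.

Added example for this page; not part of the SigmaHQ rule. All events below
are constructed, not captured from a real host.
"""
from typing import Dict, List

# Value names taken from the rule's selection_disable_defender_services list.
DEFENDER_DISABLE_VALUES = [
    "DisableAntiSpyware", "DisableAntiSpywareRealtimeProtection",
    "DisableAntiVirus", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableRealtimeMonitoring",
    "DisableRoutinelyTakingAction", "DisableScanOnRealtimeEnable",
    "DisableEnhancedNotifications", "DisableBlockAtFirstSeen", "DisableConfig",
    "DisablePrivacyMode", "DisableScriptScanning",
    "DisableIntrusionPreventionSystem",
]
PUS_VALUES = ["MpEnablePus", "SpynetReporting"]
DEFENDER_POLICY_KEY = r"\Software\Policies\Microsoft\Windows Defender"


def _windash(token: str) -> List[str]:
    """Sigma 'windash' modifier: a '/x' switch also matches written as '-x'."""
    return [token, "-" + token[1:]] if token.startswith("/") else [token]


def _contains_all(cmd: str, tokens: List[str], windash: bool = False) -> bool:
    """Sigma 'contains|all': every token is a case-insensitive substring."""
    lowered = cmd.lower()
    for tok in tokens:
        forms = _windash(tok) if windash else [tok]
        if not any(f.lower() in lowered for f in forms):
            return False
    return True


def _contains_any(cmd: str, tokens: List[str]) -> bool:
    """Sigma 'contains' with a list: any token is a case-insensitive substring."""
    lowered = cmd.lower()
    return any(t.lower() in lowered for t in tokens)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the selection_disable* blocks that fire for one event ([] = no alert).

    Mirrors 'selection_base and 1 of selection_disable*'.
    """
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("\\reg.exe"):  # selection_base
        return []
    hits = []
    if _contains_all(cmd, ["delete", DEFENDER_POLICY_KEY]):
        hits.append("selection_disable_defender")
    if (_contains_all(cmd, ["add", "/d", "1"], windash=True)
            and _contains_any(cmd, DEFENDER_DISABLE_VALUES)):
        hits.append("selection_disable_defender_services")
    if (_contains_all(cmd, ["add", "/d", "0"], windash=True)
            and _contains_any(cmd, PUS_VALUES)):
        hits.append("selection_disable_pus")
    if _contains_all(cmd, ["add", "/d", "2", "SubmitSamplesConsent"], windash=True):
        hits.append("selection_disable_sample_submission")
    return hits


REG = r"C:\Windows\System32\reg.exe"
POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Constructed process_creation events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    # 0: disable AV through policy -> selection_disable_defender_services
    {"Image": REG, "CommandLine": f'reg add "{POLICY}" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    # 1: wipe the whole policy key -> selection_disable_defender
    {"Image": REG, "CommandLine": f'reg delete "{POLICY}" /f'},
    # 2: never submit samples (2) -> selection_disable_sample_submission
    {"Image": REG, "CommandLine": f'reg.exe add "{POLICY}\\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f'},
    # 3: turn off cloud reporting -> selection_disable_pus
    {"Image": REG, "CommandLine": f'reg add "{POLICY}\\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f'},
    # 4: dash-style switches, covered by windash -> selection_disable_defender_services
    {"Image": REG, "CommandLine": f'reg add "{POLICY}\\Real-Time Protection" -v DisableRealtimeMonitoring -t REG_DWORD -d 1 -f'},
    # 5: re-enabling (value 0) -> no alert
    {"Image": REG, "CommandLine": f'reg add "{POLICY}" /v DisableAntiSpyware /t REG_DWORD /d 0 /f'},
    # 6: read-only query -> no alert
    {"Image": REG, "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware'},
    # 7: same goal via PowerShell; Image is not reg.exe -> no alert from this rule
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    # 8: false positive: value 0 (re-enable) on a remote host whose name contains '1'
    {"Image": REG, "CommandLine": f'reg add "\\\\WKS-01\\{POLICY}" /v DisableAntiSpyware /t REG_DWORD /d 0 /f'},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev) or "-", ev["CommandLine"])
```

Event 8 shows the weak spot worth knowing before deploying this at `level: high`: `selection_disable_defender_services` requires only the substrings `add`, `/d` and `1` somewhere in the command line, so a legitimate re-enable (`/d 0`) still fires whenever a `1` appears elsewhere (a remote computer name, a SID, a numbered path). Tightening the value check to the `/d 1` pair, or using a regex, removes that class of noise. Event 7 is the complement: `Set-MpPreference` and other PowerShell routes never touch `reg.exe`, which is why the PowerShell rules listed under related rules exist alongside this one.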
Related rules
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- PowerShell -encodedcommand Switch
- Event Log Manipulation Using Wevtutil
- Malicious QakBot Dropped File Creation (Sysmon)