Tampering of Windows Defender with Reg

Detects use of the reg utility to tamper with MS Defender protections.

Sigma rule

```yaml
title: Tampering of Windows Defender with Reg
id: ca11521c-5d9c-484f-b83a-14aa12df1201
status: experimental
description: Detects use of the reg utility to tamper with MS Defender protections.
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
    - https://www.elevenforum.com/t/enable-or-disable-automatic-sample-submission-for-microsoft-defender-antivirus-in-windows-11.4010/
author: Micah Babinski
date: 2022/11/26
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_base:
        Image|endswith: '\reg.exe'
    selection_disable_defender:
        CommandLine|contains|all:
            - 'delete'
            - '\Software\Policies\Microsoft\Windows Defender'
    selection_disable_defender_services:
        CommandLine|contains|all|windash:
            - 'add'
            - '/d'
            - '1'
        CommandLine|contains:
            - 'DisableAntiSpyware'
            - 'DisableAntiSpywareRealtimeProtection'
            - 'DisableAntiVirus'
            - 'DisableBehaviorMonitoring'
            - 'DisableIOAVProtection'
            - 'DisableOnAccessProtection'
            - 'DisableRealtimeMonitoring'
            - 'DisableRoutinelyTakingAction'
            - 'DisableScanOnRealtimeEnable'
            - 'DisableEnhancedNotifications'
            - 'DisableBlockAtFirstSeen'
            - 'DisableConfig'
            - 'DisablePrivacyMode'
            - 'DisableScriptScanning'
            - 'DisableIntrusionPreventionSystem'
    selection_disable_pus:
        CommandLine|contains|all|windash:
            - 'add'
            - '/d'
            - '0'
        CommandLine|contains:
            - 'MpEnablePus'
            - 'SpynetReporting'
    selection_disable_sample_submission:
        CommandLine|contains|all|windash:
            - 'add'
            - '/d'
            - '2'
            - 'SubmitSamplesConsent'
    condition: selection_base and 1 of selection_disable*
falsepositives:
    - Unknown
level: high
```
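To see how the selections and the `windash` modifier combine, here is an added example (written for this page, not code from the rule author or from SigmaHQ) that re-implements the rule's detection logic in plain Python and runs it over a few constructed `process_creation` events. It assumes the event fields are named `Image` and `CommandLine` as in the rule, that string matching is case-insensitive (Sigma's default), and that `windash` expands every `/` or `-` in a term into both characters (so `/d` also matches `-d`). The sample events are constructed for the test and are not from any real log.

```python
"""Added example: evaluate the Sigma rule above against constructed events."""
import itertools

# Selection values copied from the rule.
DEFENDER_POLICY_KEY = r"\Software\Policies\Microsoft\Windows Defender"
DISABLE_VALUE_NAMES = [
    "DisableAntiSpyware", "DisableAntiSpywareRealtimeProtection", "DisableAntiVirus",
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableRoutinelyTakingAction", "DisableScanOnRealtimeEnable",
    "DisableEnhancedNotifications", "DisableBlockAtFirstSeen", "DisableConfig",
    "DisablePrivacyMode", "DisableScriptScanning", "DisableIntrusionPreventionSystem",
]
PUS_VALUE_NAMES = ["MpEnablePus", "SpynetReporting"]


def windash_variants(term):
    """Assumed windash semantics: every '/' or '-' may appear as either character."""
    slots = [("/", "-") if ch in "/-" else (ch,) for ch in term]
    return ["".join(p) for p in itertools.product(*slots)]


def contains(cmd, term):
    """Sigma 'contains' is a case-insensitive substring match."""
    return term.lower() in cmd.lower()


def contains_all_windash(cmd, terms):
    return all(any(contains(cmd, v) for v in windash_variants(t)) for t in terms)


def contains_any(cmd, terms):
    return any(contains(cmd, t) for t in terms)


def matching_selections(event):
    """Return the names of all selection_disable* blocks that match the event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection_base is ANDed with everything else: the process itself must be reg.exe.
    if not image.lower().endswith(r"\reg.exe"):
        return []
    hits = []
    if contains(cmd, "delete") and contains(cmd, DEFENDER_POLICY_KEY):
        hits.append("selection_disable_defender")
    if contains_all_windash(cmd, ["add", "/d", "1"]) and contains_any(cmd, DISABLE_VALUE_NAMES):
        hits.append("selection_disable_defender_services")
    if contains_all_windash(cmd, ["add", "/d", "0"]) and contains_any(cmd, PUS_VALUE_NAMES):
        hits.append("selection_disable_pus")
    if contains_all_windash(cmd, ["add", "/d", "2", "SubmitSamplesConsent"]):
        hits.append("selection_disable_sample_submission")
    return hits


def is_alert(event):
    """condition: selection_base and 1 of selection_disable*"""
    return bool(matching_selections(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -v SubmitSamplesConsent -t REG_DWORD -d 2 -f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"'},
    # Parent shell event: Image is cmd.exe, so selection_base fails here; the
    # child reg.exe process_creation event is what the rule fires on.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c reg add HKLM\Software\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /d 1'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_alert(ev), matching_selections(ev), ev["CommandLine"])
```

Two things the walk-through makes visible: the second event only matches because `windash` lets `/d` match `-d`, and the lone `'1'`, `'0'` and `'2'` tokens in the `contains|all` lists are very weak on their own (almost any command line contains a digit), so the real discriminators in those selections are the Defender value names. Tuning the `falsepositives` entry, currently `Unknown`, should start from legitimate writers of those value names rather than from the numeric tokens.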
