Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Sigma rule

```yaml
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/swagkarna/Defeat-Defender-V1.2.0
    - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2023-06-05
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_root_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_root_path:
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\'
            - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
            - 'SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_0:
        CommandLine|contains|all:
            - ' add '
            - 'd 0'
        CommandLine|contains:
            - 'DisallowExploitProtectionOverride'
            - 'EnableControlledFolderAccess'
            - 'MpEnablePus'
            - 'PUAProtection'
            - 'SpynetReporting'
            - 'SubmitSamplesConsent'
            - 'TamperProtection'
    selection_dword_1:
        CommandLine|contains|all:
            - ' add '
            - 'd 1'
        CommandLine|contains:
            - 'DisableAntiSpyware'
            - 'DisableAntiSpywareRealtimeProtection'
            - 'DisableAntiVirus'
            - 'DisableArchiveScanning'
            - 'DisableBehaviorMonitoring'
            - 'DisableBlockAtFirstSeen'
            - 'DisableConfig'
            - 'DisableEnhancedNotifications'
            - 'DisableIntrusionPreventionSystem'
            - 'DisableIOAVProtection'
            - 'DisableOnAccessProtection'
            - 'DisablePrivacyMode'
            - 'DisableRealtimeMonitoring'
            - 'DisableRoutinelyTakingAction'
            - 'DisableScanOnRealtimeEnable'
            - 'DisableScriptScanning'
            - 'Notification_Suppress'
            - 'SignatureDisableUpdateOnStartupWithoutEngine'
    condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
    - Rare legitimate use by administrators to test software (should always be investigated)
level: high
```
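To make the rule's logic concrete, the following is an added example (not code from the Sigma project or the rule authors) that re-implements the four selections and the `condition` line in plain Python and evaluates them over a handful of constructed `process_creation` events. The function names (`selection_root_img`, `selection_root_path`, `evaluate_rule`, `run`) and the sample events are assumptions made for this illustration; the string values are copied from the rule. Sigma's `contains`/`endswith` modifiers are case-insensitive by default, which the code reproduces by lower-casing both sides, and one event deliberately carries a different image name with `OriginalFileName` still set to `reg.exe` to show why the rule checks both fields.

```python
"""Plain-Python evaluation of the Sigma rule above over constructed events.
Added example, not part of the Sigma project or of this rule."""

from typing import Dict, List

# String values copied from the rule. Sigma string matching is case-insensitive
# by default, so every comparison below lower-cases both sides.
ROOT_PATHS: List[str] = [
    "SOFTWARE\\Microsoft\\Windows Defender\\",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
]
# Values whose tampering consists of setting them to 0 (a protection switched off)
DWORD_0_NAMES: List[str] = [
    "DisallowExploitProtectionOverride", "EnableControlledFolderAccess", "MpEnablePus",
    "PUAProtection", "SpynetReporting", "SubmitSamplesConsent", "TamperProtection",
]
# Values whose tampering consists of setting them to 1 (a Disable* switch turned on)
DWORD_1_NAMES: List[str] = [
    "DisableAntiSpyware", "DisableAntiSpywareRealtimeProtection", "DisableAntiVirus",
    "DisableArchiveScanning", "DisableBehaviorMonitoring", "DisableBlockAtFirstSeen",
    "DisableConfig", "DisableEnhancedNotifications", "DisableIntrusionPreventionSystem",
    "DisableIOAVProtection", "DisableOnAccessProtection", "DisablePrivacyMode",
    "DisableRealtimeMonitoring", "DisableRoutinelyTakingAction", "DisableScanOnRealtimeEnable",
    "DisableScriptScanning", "Notification_Suppress", "SignatureDisableUpdateOnStartupWithoutEngine",
]


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains': case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def selection_root_img(event: Dict[str, str]) -> bool:
    """Image path ends with \\reg.exe OR the PE OriginalFileName is reg.exe."""
    return (event.get("Image", "").lower().endswith("\\reg.exe")
            or event.get("OriginalFileName", "").lower() == "reg.exe")


def selection_root_path(event: Dict[str, str]) -> bool:
    """Command line references one of the Defender registry paths."""
    cmdline = event.get("CommandLine", "")
    return any(_contains(cmdline, p) for p in ROOT_PATHS)


def _dword_selection(event: Dict[str, str], data_flag: str, names: List[str]) -> bool:
    # contains|all on ' add ' and the data flag, AND contains on any of the value names
    cmdline = event.get("CommandLine", "")
    return (_contains(cmdline, " add ") and _contains(cmdline, data_flag)
            and any(_contains(cmdline, n) for n in names))


def evaluate_rule(event: Dict[str, str]) -> bool:
    """condition: all of selection_root_* and 1 of selection_dword_*"""
    all_root = selection_root_img(event) and selection_root_path(event)
    one_dword = (_dword_selection(event, "d 0", DWORD_0_NAMES)
                 or _dword_selection(event, "d 1", DWORD_1_NAMES))
    return all_root and one_dword


# Constructed sample events (not real telemetry); each comment gives the expected verdict.
REG = "C:\\Windows\\System32\\reg.exe"
EVENTS: List[Dict[str, str]] = [
    # dword_1 value set to 1 under a Defender policy subkey -> alert
    {"Image": REG, "CommandLine": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    # same logic in upper case: matching is case-insensitive -> alert
    {"Image": REG, "CommandLine": 'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features" /v TamperProtection /t REG_DWORD /D 0 /F'},
    # image name differs, but OriginalFileName is still reg.exe -> alert
    {"Image": "C:\\Temp\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'r add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f'},
    # TamperProtection set to 1 is the protective value (and not a dword_1 name) -> no alert
    {"Image": REG, "CommandLine": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features" /v TamperProtection /t REG_DWORD /d 1 /f'},
    # read-only query, no ' add ' -> no alert
    {"Image": REG, "CommandLine": 'reg query "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" /v DisableRealtimeMonitoring'},
    # unrelated key (constructed vendor path) even with a listed value name -> no alert
    {"Image": REG, "CommandLine": 'reg add "HKCU\\Software\\ConstructedVendor\\App" /v DisableConfig /t REG_DWORD /d 1 /f'},
]


def run() -> List[bool]:
    """Verdict per event, in EVENTS order."""
    return [evaluate_rule(e) for e in EVENTS]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, run()):
        print("ALERT" if hit else "     ", event["CommandLine"])
```

A table of events like this one doubles as a regression test for the rule: when a value name is added to or removed from the lists, re-running it shows immediately which command lines change verdict. In production the rule is not evaluated by hand-written Python but converted to the SIEM's query language with the Sigma tooling; the Python only mirrors the semantics of `contains`, `contains|all`, `endswith` and the `condition` expression.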
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility