Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Sigma rule (View on GitHub)
1title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
2id: 452bce90-6fb0-43cc-97a5-affc283139b3
3status: test
4description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
5references:
6 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
7 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
8 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
9author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
10date: 2022/03/22
11modified: 2023/06/05
12tags:
13 - attack.defense_evasion
14 - attack.t1562.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_root_img:
20 - Image|endswith: '\reg.exe'
21 - OriginalFileName: 'reg.exe'
22 selection_root_path:
23 CommandLine|contains:
24 - 'SOFTWARE\Microsoft\Windows Defender\'
25 - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
26 - 'SOFTWARE\Policies\Microsoft\Windows Defender\'
27 selection_dword_0:
28 CommandLine|contains|all:
29 - ' add '
30 - 'd 0'
31 CommandLine|contains:
32 - 'DisallowExploitProtectionOverride'
33 - 'EnableControlledFolderAccess'
34 - 'MpEnablePus'
35 - 'PUAProtection'
36 - 'SpynetReporting'
37 - 'SubmitSamplesConsent'
38 - 'TamperProtection'
39 selection_dword_1:
40 CommandLine|contains|all:
41 - ' add '
42 - 'd 1'
43 CommandLine|contains:
44 - 'DisableAntiSpyware'
45 - 'DisableAntiSpywareRealtimeProtection'
46 - 'DisableAntiVirus'
47 - 'DisableArchiveScanning'
48 - 'DisableBehaviorMonitoring'
49 - 'DisableBlockAtFirstSeen'
50 - 'DisableConfig'
51 - 'DisableEnhancedNotifications'
52 - 'DisableIntrusionPreventionSystem'
53 - 'DisableIOAVProtection'
54 - 'DisableOnAccessProtection'
55 - 'DisablePrivacyMode'
56 - 'DisableRealtimeMonitoring'
57 - 'DisableRoutinelyTakingAction'
58 - 'DisableScanOnRealtimeEnable'
59 - 'DisableScriptScanning'
60 - 'Notification_Suppress'
61 - 'SignatureDisableUpdateOnStartupWithoutEngine'
62 condition: all of selection_root_* and 1 of selection_dword_*
63falsepositives:
64 - Rare legitimate use by administrators to test software (should always be investigated)
65level: high
References
-
In this intrusion, we observed the initial exploitation of the ProxyShell vulnerabilities followed by some further post-exploitation activity, which included web shells, credential dumping, and specialized payloads.
Read More -
Powerful batch script to dismantle complete windows defender protection and even bypass tamper protection ..Disable Windows-Defender Permanently....Hack windows. POC - swagkarna/Defeat-Defender-V1.2.0
Read More -
The following code (which I did NOT compose) was highly useful in disabling Windows Defender for me. I got it from one of Freebooter's videos: :: How to Permanently Disable Windows Defender Antivirus in Windows 11 @Echo Off & Cls net sess>nul 2>&1||(powershell start cmd -ArgumentList """/c...
Read More
Related rules
- Potential AMSI Bypass Script Using NULL Bits
- Potential AMSI Bypass Using NULL Bits
- Add SafeBoot Keys Via Reg Utility
- Sysmon Driver Altitude Change
- Windows Defender Service Disabled - Registry