Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Sigma rule (View on GitHub)
1title: Windows Defender Service Disabled - Registry
2id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
3status: experimental
4description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
5references:
6 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
7 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
8author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
9date: 2022/08/01
10modified: 2024/03/25
11tags:
12 - attack.defense_evasion
13 - attack.t1562.001
14logsource:
15 product: windows
16 category: registry_set
17detection:
18 selection:
19 TargetObject|endswith: '\Services\WinDefend\Start'
20 Details: 'DWORD (0x00000004)'
21 condition: selection
22falsepositives:
23 - Administrator actions
24level: high
References
-
In this intrusion, we observed the threat actors use multiple DLL Beacons that would call out to different Cobalt Strike C2 channels. The threat actors used batch scripts during the intrusion for a number of purposes, primarily to disable antivirus programs and execute payloads.
Read More
Related rules
- Sysmon Driver Altitude Change
- Sysmon Configuration Update
- Uninstall Sysinternals Sysmon
- Github Push Protection Bypass Detected
- Github Push Protection Disabled