Disable Windows Defender Functionalities Via Registry Keys

 1title: Disable Windows Defender Functionalities Via Registry Keys
 2id: 0eb46774-f1ab-4a74-8238-1155855f2263
 3related:
 4    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
 5      type: obsolete
 6    - id: fd115e64-97c7-491f-951c-fc8da7e042fa
 7      type: obsolete
 8status: test
 9description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
10references:
11    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
12    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
13    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
14    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
15    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
16    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
17    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
18    - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
19author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
20date: 2022-08-01
21modified: 2024-10-07
22tags:
23    - attack.defense-evasion
24    - attack.t1562.001
25logsource:
26    product: windows
27    category: registry_set
28detection:
29    selection_main:
30        TargetObject|contains:
31            - '\SOFTWARE\Microsoft\Windows Defender\'
32            - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
33            - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
34    selection_dword_1:
35        TargetObject|endswith:
36            - '\DisableAntiSpyware'
37            - '\DisableAntiVirus'
38            - '\DisableBehaviorMonitoring'
39            - '\DisableBlockAtFirstSeen'
40            - '\DisableEnhancedNotifications'
41            - '\DisableIntrusionPreventionSystem'
42            - '\DisableIOAVProtection'
43            - '\DisableOnAccessProtection'
44            - '\DisableRealtimeMonitoring'
45            - '\DisableScanOnRealtimeEnable'
46            - '\DisableScriptScanning'
47        Details: 'DWORD (0x00000001)'
48    selection_dword_0:
49        TargetObject|endswith:
50            - '\DisallowExploitProtectionOverride'
51            - '\Features\TamperProtection'
52            - '\MpEngine\MpEnablePus'
53            - '\PUAProtection'
54            - '\Signature Update\ForceUpdateFromMU'
55            - '\SpyNet\SpynetReporting'
56            - '\SpyNet\SubmitSamplesConsent'
57            - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
58        Details: 'DWORD (0x00000000)'
59    filter_optional_symantec:
60        Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
61        Image|endswith: '\sepWscSvc64.exe'
62    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
63falsepositives:
64    - Administrator actions via the Windows Defender interface
65    - Third party Antivirus
66level: high

References

• IcedID to XingLocker Ransomware in 24 hours

  

  Intro Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May o…

  
  Read More

• https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105

  
  Read More

• Configure Microsoft SpyNet Reporting

  Adjusts membership in Microsoft SpyNet.

  
  Read More

• Ransomware: How Attackers are Breaching Corporate Networks

  

  Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

  
  Read More

• How to Enable or Disable Microsoft Defender Antivirus Potential Unwanted App (PUA) Protection in Windows 10 Starting with Windows 10 version 2004, Windows Defender Antivirus as been renamed to Micr...

  
  Read More

• How to Enable or Disable Windows Defender Exploit Protection Settings in Windows 10 Starting with Windows 10 build 16232, you can now audit, configure, and manage Windows system and application exp...

  
  Read More

• How to Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 10 Starting with Windows 10 version 2004, Windows Defender Antivirus as been renamed to Microsoft Defender Antivi...

  
  Read More

• Key Group: another ransomware group using leaked builders

  

  Kaspersky experts studied the activity of Key Group, which utilizes publicly available builders for ransomware and wipers, as well as GitHub and Telegram.

  
  Read More

Related rules

• Load Of RstrtMgr.DLL By A Suspicious Process
• Load Of RstrtMgr.DLL By An Uncommon Process
• Suspicious Path In Keyboard Layout IME File Registry Value
• Uncommon Extension In Keyboard Layout IME File Registry Value
• Windows Defender Exclusion Registry Key - Write Access Requested