Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Sigma rule (View on GitHub)
1title: Disable Windows Defender Functionalities Via Registry Keys
2id: 0eb46774-f1ab-4a74-8238-1155855f2263
3related:
4 - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
5 type: obsoletes
6 - id: fd115e64-97c7-491f-951c-fc8da7e042fa
7 type: obsoletes
8status: experimental
9description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
10references:
11 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
12 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
13 - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
14 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
15 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
16 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
17 - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
18author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
19date: 2022/08/01
20modified: 2023/08/17
21tags:
22 - attack.defense_evasion
23 - attack.t1562.001
24logsource:
25 product: windows
26 category: registry_set
27detection:
28 selection_main:
29 TargetObject|contains:
30 - '\SOFTWARE\Microsoft\Windows Defender\'
31 - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
32 - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
33 selection_dword_1:
34 TargetObject|endswith:
35 - '\DisableAntiSpyware'
36 - '\DisableAntiVirus'
37 - '\Real-Time Protection\DisableBehaviorMonitoring'
38 - '\Real-Time Protection\DisableIntrusionPreventionSystem'
39 - '\Real-Time Protection\DisableIOAVProtection'
40 - '\Real-Time Protection\DisableOnAccessProtection'
41 - '\Real-Time Protection\DisableRealtimeMonitoring'
42 - '\Real-Time Protection\DisableScanOnRealtimeEnable'
43 - '\Real-Time Protection\DisableScriptScanning'
44 - '\Reporting\DisableEnhancedNotifications'
45 - '\SpyNet\DisableBlockAtFirstSeen'
46 Details: 'DWORD (0x00000001)'
47 selection_dword_0:
48 TargetObject|endswith:
49 - '\App and Browser protection\DisallowExploitProtectionOverride'
50 - '\Features\TamperProtection'
51 - '\MpEngine\MpEnablePus'
52 - '\PUAProtection'
53 - '\Signature Update\ForceUpdateFromMU'
54 - '\SpyNet\SpynetReporting'
55 - '\SpyNet\SubmitSamplesConsent'
56 - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
57 Details: 'DWORD (0x00000000)'
58 condition: selection_main and 1 of selection_dword_*
59falsepositives:
60 - Administrator actions via the Windows Defender interface
61level: high
References
Related rules
- Disable Exploit Guard Network Protection on Windows Defender
- Disable PUA Protection on Windows Defender
- Disable Privacy Settings Experience in Registry
- Disable Tamper Protection on Windows Defender
- Disabled Windows Defender Eventlog