Disable Windows Defender Functionalities Via Registry Keys

calendar Aug 17, 2023 · attack.defense_evasion attack.t1562.001  ·
Share on: linkedin copy

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Sigma rule (View on GitHub)

 1title: Disable Windows Defender Functionalities Via Registry Keys
 2id: 0eb46774-f1ab-4a74-8238-1155855f2263
 3related:
 4    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
 5      type: obsoletes
 6    - id: fd115e64-97c7-491f-951c-fc8da7e042fa
 7      type: obsoletes
 8status: experimental
 9description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
10references:
11    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
12    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
13    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
14    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
15    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
16    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
17    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
18author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
19date: 2022/08/01
20modified: 2023/08/17
21tags:
22    - attack.defense_evasion
23    - attack.t1562.001
24logsource:
25    product: windows
26    category: registry_set
27detection:
28    selection_main:
29        TargetObject|contains:
30            - '\SOFTWARE\Microsoft\Windows Defender\'
31            - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
32            - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
33    selection_dword_1:
34        TargetObject|endswith:
35            - '\DisableAntiSpyware'
36            - '\DisableAntiVirus'
37            - '\Real-Time Protection\DisableBehaviorMonitoring'
38            - '\Real-Time Protection\DisableIntrusionPreventionSystem'
39            - '\Real-Time Protection\DisableIOAVProtection'
40            - '\Real-Time Protection\DisableOnAccessProtection'
41            - '\Real-Time Protection\DisableRealtimeMonitoring'
42            - '\Real-Time Protection\DisableScanOnRealtimeEnable'
43            - '\Real-Time Protection\DisableScriptScanning'
44            - '\Reporting\DisableEnhancedNotifications'
45            - '\SpyNet\DisableBlockAtFirstSeen'
46        Details: 'DWORD (0x00000001)'
47    selection_dword_0:
48        TargetObject|endswith:
49            - '\App and Browser protection\DisallowExploitProtectionOverride'
50            - '\Features\TamperProtection'
51            - '\MpEngine\MpEnablePus'
52            - '\PUAProtection'
53            - '\Signature Update\ForceUpdateFromMU'
54            - '\SpyNet\SpynetReporting'
55            - '\SpyNet\SubmitSamplesConsent'
56            - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
57        Details: 'DWORD (0x00000000)'
58    condition: selection_main and 1 of selection_dword_*
59falsepositives:
60    - Administrator actions via the Windows Defender interface
61level: high

References

  • IcedID to XingLocker Ransomware in 24 hours

    In this intrusion, we observed the threat actors use multiple DLL Beacons that would call out to different Cobalt Strike C2 channels. The threat actors used batch scripts during the intrusion for a number of purposes, primarily to disable antivirus programs and execute payloads.


    Read More

  • https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105


    Read More

  • Cannot connect to Mysql database...


    Read More

  • Ransomware: How Attackers are Breaching Corporate Networks

    Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.


    Read More

  • How to Enable or Disable Microsoft Defender Antivirus Potential Unwanted App (PUA) Protection in Windows 10 Starting with Windows 10 version 2004, Windows Defender Antivirus as been renamed to Micr...


    Read More

  • How to Enable or Disable Windows Defender Exploit Protection Settings in Windows 10 Starting with Windows 10 build 16232, you can now audit, configure, and manage Windows system and application exp...


    Read More

  • How to Turn On or Off Tamper Protection for Microsoft Defender Antivirus in Windows 10 Starting with Windows 10 version 2004, Windows Defender Antivirus as been renamed to Microsoft Defender Antivi...


    Read More

Related rules

to-top