Disable Windows Defender Functionalities Via Registry Keys

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Sigma rule

title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
      type: obsoletes
    - id: fd115e64-97c7-491f-951c-fc8da7e042fa
      type: obsoletes
status: experimental
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali
date: 2022/08/01
modified: 2023/03/14
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        EventType: SetValue
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows Defender\'
    selection_dword_1:
        TargetObject|endswith:
            - '\Real-Time Protection\DisableBehaviorMonitoring'
            - '\Real-Time Protection\DisableIOAVProtection'
            - '\Real-Time Protection\DisableOnAccessProtection'
            - '\Real-Time Protection\DisableRealtimeMonitoring'
            - '\Real-Time Protection\DisableScanOnRealtimeEnable'
            - '\Reporting\DisableEnhancedNotifications'
            - '\SpyNet\DisableBlockAtFirstSeen'
            - '\DisableAntiSpyware'
            - '\DisableAntiVirus'
        Details: 'DWORD (0x00000001)'
    selection_dword_0:
        TargetObject|endswith:
            - '\SpyNet\SpynetReporting'
            - '\SpyNet\SubmitSamplesConsent'
            - '\MpEngine\MpEnablePus'
        Details: 'DWORD (0x00000000)'
    condition: selection_main and 1 of selection_dword_*
falsepositives:
    - Administrator actions
level: high
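To make the condition `selection_main and 1 of selection_dword_*` concrete, the following is an added example (not part of the SigmaHQ rule or this page) that re-implements the rule's selection logic in Python and runs it over four constructed Sysmon Event ID 13 records. Field names follow the Sigma `registry_set` log source (`EventType`, `TargetObject`, `Details`); the record shapes and values are assumptions, not real telemetry.

```python
DEFENDER_PATH = "\\SOFTWARE\\Microsoft\\Windows Defender\\"

# Keys the rule expects to be set to 1 (a protection feature switched off)
SET_TO_ONE = (
    "\\Real-Time Protection\\DisableBehaviorMonitoring",
    "\\Real-Time Protection\\DisableIOAVProtection",
    "\\Real-Time Protection\\DisableOnAccessProtection",
    "\\Real-Time Protection\\DisableRealtimeMonitoring",
    "\\Real-Time Protection\\DisableScanOnRealtimeEnable",
    "\\Reporting\\DisableEnhancedNotifications",
    "\\SpyNet\\DisableBlockAtFirstSeen",
    "\\DisableAntiSpyware",
    "\\DisableAntiVirus",
)
# Keys the rule expects to be set to 0 (cloud reporting / PUA blocking switched off)
SET_TO_ZERO = ("\\SpyNet\\SpynetReporting", "\\SpyNet\\SubmitSamplesConsent",
               "\\MpEngine\\MpEnablePus")

def matches_rule(event: dict) -> bool:
    """True when 'selection_main and 1 of selection_dword_*' holds for one record."""
    if event.get("EventType") != "SetValue":
        return False
    target = event.get("TargetObject", "").lower()  # Sigma string matching is case-insensitive
    details = event.get("Details", "")
    if DEFENDER_PATH.lower() not in target:         # selection_main
        return False
    if details == "DWORD (0x00000001)":             # selection_dword_1
        return any(target.endswith(k.lower()) for k in SET_TO_ONE)
    if details == "DWORD (0x00000000)":             # selection_dword_0
        return any(target.endswith(k.lower()) for k in SET_TO_ZERO)
    return False

WD = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
# Constructed Sysmon Event ID 13 (registry_set) records, not real telemetry
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Details": "DWORD (0x00000001)",
     "TargetObject": WD + "Real-Time Protection\\DisableRealtimeMonitoring"},
    {"EventType": "SetValue", "Details": "DWORD (0x00000000)",
     "TargetObject": WD + "SpyNet\\SpynetReporting"},
    {"EventType": "SetValue", "Details": "DWORD (0x00000001)",
     "TargetObject": WD + "SpyNet\\SpynetReporting"},   # rule expects 0 for this key, not 1
    {"EventType": "SetValue", "Details": "DWORD (0x00000001)",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
]   # last record: Policies hive path lacks the substring selection_main requires

def evaluate(events):
    """Apply the rule to each record; returns one bool per event."""
    return [matches_rule(e) for e in events]
```

Running `evaluate(SAMPLE_EVENTS)` yields `[True, True, False, False]`: only the first two records satisfy both the path substring and the key/value pairing the rule looks for.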
