Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
example:
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
Related
Ransomware
Reference:
https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42
https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpyware
{{ mitre("T1562.001")}}
Data Source(s): Windows Registry
let selection_main = dynamic([@'\SOFTWARE\Microsoft\Windows Defender\', @'\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\',@'\SOFTWARE\Policies\Microsoft\Windows Defender\']);
let selection_dword_1 = dynamic(['DisableAntiSpyware','DisableAntiVirus', 'DisableBehaviorMonitoring','DisableIntrusionPreventionSystem', 'DisableIOAVProtection', 'DisableOnAccessProtection','DisableScanOnRealtimeEnable','DisableScriptScanning','DisableEnhancedNotifications', 'DisableBlockAtFirstSeen']);
let selection_dword_0 = dynamic(['DisallowExploitProtectionOverride', 'TamperProtection', 'MpEnablePus', 'PUAProtection', 'ForceUpdateFromMU','SubmitSamplesConsent','EnableControlledFolderAccess']);
let exclusion_defender = dynamic([@'c:\programdata\microsoft\windows defender',@'c:\program files\windows defender']); //Exclude activities from Microsoft Defender itself
let filter_folderPath = dynamic([@'c:\windows\system32\deviceenroller.exe',@'c:\windows\system32\omadmclient.exe', @'c:\windows\system32\hvsievaluator.exe']); //Exclude activities from known processes
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (selection_main)
| where (RegistryKey matches regex @"(?i)(\\Real-Time Protection|\\Reporting|\\SpyNet)$" and RegistryValueName has_any (selection_dword_1) and RegistryValueType =~ "Dword" and RegistryValueData == 1 )//DWORD (0x00000001)
or
(RegistryKey matches regex @"(?i)(\\App and Browser protection|\\Features|\\MpEngine|\\Signature Update|\\SpyNet|\\Windows Defender Exploit Guard\\Controlled Folder Access)$" and RegistryValueName has_any(selection_dword_0) and RegistryValueType =~ "Dword" and RegistryValueData == 0 )//DWORD (0x00000000)
| where not(InitiatingProcessFolderPath has_any (exclusion_defender) and InitiatingProcessFileName == "msmpeng.exe") //Exclude activities from Microsoft Defender itself
| where not(InitiatingProcessFolderPath has_any (filter_folderPath)) //Exclude activities from known processes
| where not(InitiatingProcessFolderPath == @'c:\windows\system32\svchost.exe' and InitiatingProcessCommandLine startswith "svchost.exe -k ") //exclude activities initiated from group policy
//| summarize count(), start_TimeStamp =min(TimeGenerated),last_TimeStamp=max(TimeGenerated), set_DeviceName=make_set(DeviceName), DeviceNum=dcount(DeviceName), set_RegistryValueName=make_set(RegistryValueName) by ActionType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, TenantId
//| project start_TimeStamp, last_TimeStamp, ActionType, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, set_RegistryValueName, DeviceNum, set_DeviceName, count_, TenantId
- Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates.
- Inspect the InitiatingProcessFolderPath, InitiatingProcessFileName, and InitiatingProcessCommandLine, and see any suspicious process adding defender exclusion
- Check why Defender was disabled.
- Legitimate application adding folder exceptions to the registry key
- Group policy being used to disabling defender (added to exclusion-out of scope of this detection)
Version 2.0 (date: 07/02/2024)