← Back to Explore
sigmahighHunting
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Detection Query
selection_main:
TargetObject|contains:
- \SOFTWARE\Microsoft\Windows Defender\
- \SOFTWARE\Policies\Microsoft\Windows Defender Security Center\
- \SOFTWARE\Policies\Microsoft\Windows Defender\
selection_dword_1:
TargetObject|endswith:
- \DisableAntiSpyware
- \DisableAntiVirus
- \DisableBehaviorMonitoring
- \DisableBlockAtFirstSeen
- \DisableEnhancedNotifications
- \DisableIntrusionPreventionSystem
- \DisableIOAVProtection
- \DisableOnAccessProtection
- \DisableRealtimeMonitoring
- \DisableScanOnRealtimeEnable
- \DisableScriptScanning
Details: DWORD (0x00000001)
selection_dword_0:
TargetObject|endswith:
- \DisallowExploitProtectionOverride
- \Features\TamperProtection
- \MpEngine\MpEnablePus
- \PUAProtection
- \Signature Update\ForceUpdateFromMU
- \SpyNet\SpynetReporting
- \SpyNet\SubmitSamplesConsent
- \Windows Defender Exploit Guard\Controlled Folder
Access\EnableControlledFolderAccess
Details: DWORD (0x00000000)
filter_optional_symantec:
Image|startswith: C:\Program Files\Symantec\Symantec Endpoint Protection\
Image|endswith: \sepWscSvc64.exe
condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
Author
AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
Created
2022-08-01
Data Sources
windowsRegistry Set Events
Platforms
windows
References
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
Tags
attack.defense-evasionattack.t1562.001
Raw Content
title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
- id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
type: obsolete
- id: fd115e64-97c7-491f-951c-fc8da7e042fa
type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows Defender\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_1:
TargetObject|endswith:
- '\DisableAntiSpyware'
- '\DisableAntiVirus'
- '\DisableBehaviorMonitoring'
- '\DisableBlockAtFirstSeen'
- '\DisableEnhancedNotifications'
- '\DisableIntrusionPreventionSystem'
- '\DisableIOAVProtection'
- '\DisableOnAccessProtection'
- '\DisableRealtimeMonitoring'
- '\DisableScanOnRealtimeEnable'
- '\DisableScriptScanning'
Details: 'DWORD (0x00000001)'
selection_dword_0:
TargetObject|endswith:
- '\DisallowExploitProtectionOverride'
- '\Features\TamperProtection'
- '\MpEngine\MpEnablePus'
- '\PUAProtection'
- '\Signature Update\ForceUpdateFromMU'
- '\SpyNet\SpynetReporting'
- '\SpyNet\SubmitSamplesConsent'
- '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
Details: 'DWORD (0x00000000)'
filter_optional_symantec:
Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
Image|endswith: '\sepWscSvc64.exe'
condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
- Administrator actions via the Windows Defender interface
- Third party Antivirus
level: high