
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE

Detects "reg.exe" being used to write Windows Defender registry values that disable important protection and detection features (real-time monitoring, cloud and sample submission, tamper protection, PUA protection, and similar).

MITRE ATT&CK

defense-evasion

Detection Query

selection_root_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
selection_root_path:
  CommandLine|contains:
    - SOFTWARE\Microsoft\Windows Defender\
    - SOFTWARE\Policies\Microsoft\Windows Defender Security Center
    - SOFTWARE\Policies\Microsoft\Windows Defender\
selection_dword_0:
  CommandLine|contains|all:
    - " add "
    - d 0
  CommandLine|contains:
    - DisallowExploitProtectionOverride
    - EnableControlledFolderAccess
    - MpEnablePus
    - PUAProtection
    - SpynetReporting
    - SubmitSamplesConsent
    - TamperProtection
selection_dword_1:
  CommandLine|contains|all:
    - " add "
    - d 1
  CommandLine|contains:
    - DisableAccess
    - DisableAntiSpyware
    - DisableAntiSpywareRealtimeProtection
    - DisableAntiVirus
    - DisableAntiVirusSignatures
    - DisableArchiveScanning
    - DisableBehaviorMonitoring
    - DisableBlockAtFirstSeen
    - DisableCloudProtection
    - DisableConfig
    - DisableEnhancedNotifications
    - DisableIntrusionPreventionSystem
    - DisableIOAVProtection
    - DisableNetworkProtection
    - DisableOnAccessProtection
    - DisablePrivacyMode
    - DisableRealtimeMonitoring
    - DisableRoutinelyTakingAction
    - DisableScanOnRealtimeEnable
    - DisableScriptScanning
    - DisableSecurityCenter
    - Notification_Suppress
    - SignatureDisableUpdateOnStartupWithoutEngine
condition: all of selection_root_* and 1 of selection_dword_*
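The selections above re-implemented in plain Python and run over constructed process-creation events, as an added example (this is not the rule authors' code or the SigmaHQ matching engine; the event records below are made up, and only the field names Image, OriginalFileName and CommandLine follow the Sigma process_creation schema). It shows how the OR inside `selection_root_img`, the implicit AND between the two `CommandLine` clauses of each `selection_dword_*`, and Sigma's default case-insensitive matching combine, and it includes a `/d 0` write of a `Disable*` value (re-enabling a feature) and a key written without a trailing backslash so the rule's behaviour on those inputs can be inspected:

```python
# Added example: the Sigma rule's selections as Python functions, evaluated
# over constructed sample telemetry. Not part of the rule or the SigmaHQ project.
from typing import Dict, List

# Sigma 'contains' / 'endswith' match case-insensitively by default, so every
# comparison below lower-cases both sides.
ROOT_PATHS = [
    "SOFTWARE\\Microsoft\\Windows Defender\\",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
]
DWORD_0_VALUES = [  # features switched off by writing 0
    "DisallowExploitProtectionOverride", "EnableControlledFolderAccess",
    "MpEnablePus", "PUAProtection", "SpynetReporting",
    "SubmitSamplesConsent", "TamperProtection",
]
DWORD_1_VALUES = [  # features switched off by writing 1
    "DisableAccess", "DisableAntiSpyware", "DisableAntiSpywareRealtimeProtection",
    "DisableAntiVirus", "DisableAntiVirusSignatures", "DisableArchiveScanning",
    "DisableBehaviorMonitoring", "DisableBlockAtFirstSeen", "DisableCloudProtection",
    "DisableConfig", "DisableEnhancedNotifications", "DisableIntrusionPreventionSystem",
    "DisableIOAVProtection", "DisableNetworkProtection", "DisableOnAccessProtection",
    "DisablePrivacyMode", "DisableRealtimeMonitoring", "DisableRoutinelyTakingAction",
    "DisableScanOnRealtimeEnable", "DisableScriptScanning", "DisableSecurityCenter",
    "Notification_Suppress", "SignatureDisableUpdateOnStartupWithoutEngine",
]

def _contains_any(text: str, needles: List[str]) -> bool:
    t = text.lower()
    return any(n.lower() in t for n in needles)

def _contains_all(text: str, needles: List[str]) -> bool:
    t = text.lower()
    return all(n.lower() in t for n in needles)

def selection_root_img(ev: Dict[str, str]) -> bool:
    # A YAML list of maps is an OR: the image path ends in \reg.exe, or the PE
    # version info says reg.exe (this is what catches a renamed copy).
    return (ev.get("Image", "").lower().endswith("\\reg.exe")
            or ev.get("OriginalFileName", "").lower() == "reg.exe")

def selection_root_path(ev: Dict[str, str]) -> bool:
    return _contains_any(ev.get("CommandLine", ""), ROOT_PATHS)

def selection_dword_0(ev: Dict[str, str]) -> bool:
    cl = ev.get("CommandLine", "")
    return _contains_all(cl, [" add ", "d 0"]) and _contains_any(cl, DWORD_0_VALUES)

def selection_dword_1(ev: Dict[str, str]) -> bool:
    cl = ev.get("CommandLine", "")
    return _contains_all(cl, [" add ", "d 1"]) and _contains_any(cl, DWORD_1_VALUES)

def matches(ev: Dict[str, str]) -> bool:
    """condition: all of selection_root_* and 1 of selection_dword_*"""
    return (selection_root_img(ev) and selection_root_path(ev)
            and (selection_dword_0(ev) or selection_dword_1(ev)))

def run(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of the events the rule alerts on, in input order."""
    return [ev["id"] for ev in events if matches(ev)]

# Constructed sample telemetry (not real logs); ids say what each case exercises.
REG = "C:\\Windows\\System32\\reg.exe"
SAMPLE_EVENTS = [
    {"id": "tp-realtime-off", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\""
                    " /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"},
    {"id": "tp-renamed-tamper-off", "Image": "C:\\Users\\Public\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": "r.exe add \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\""
                    " /v TamperProtection /t REG_DWORD /d 0 /f"},
    {"id": "tp-mixed-case", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": "REG ADD \"hklm\\software\\policies\\microsoft\\windows defender\\spynet\""
                    " /v spynetreporting /t reg_dword /d 0 /f"},
    {"id": "ok-re-enable", "Image": REG, "OriginalFileName": "reg.exe",   # /d 0 on a Disable* value: no alert
     "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\""
                    " /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f"},
    {"id": "ok-query", "Image": REG, "OriginalFileName": "reg.exe",        # no ' add ': no alert
     "CommandLine": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\" /v TamperProtection"},
    {"id": "gap-no-trailing-backslash", "Image": REG, "OriginalFileName": "reg.exe",
     "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\""
                    " /v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(("ALERT " if matches(ev) else "  -   ") + ev["id"])
```

Running it alerts on the first three events only. The last event is worth noting: two of the three `selection_root_path` strings end in a backslash, so a write directly under the `Windows Defender` key (closing quote immediately after `Defender`) is not matched as the rule is written, while a write to any sub-key such as `Real-Time Protection` is. Whether that gap matters depends on how the key is quoted in your telemetry, so verify it against real command lines from your own environment, and treat whatever your backend generates from the rule via pySigma as the authoritative behaviour rather than this re-implementation.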

Author

Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)

Created

2022-03-22

Data Sources

Process Creation Events (windows)

Platforms

windows

Tags

attack.defense-evasion
attack.t1562.001
Raw Content
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
    Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
    - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
    - https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_root_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_root_path:
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\'
            - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
            - 'SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_0:
        CommandLine|contains|all:
            - ' add '
            - 'd 0'
        CommandLine|contains:
            - 'DisallowExploitProtectionOverride'
            - 'EnableControlledFolderAccess'
            - 'MpEnablePus'
            - 'PUAProtection'
            - 'SpynetReporting'
            - 'SubmitSamplesConsent'
            - 'TamperProtection'
    selection_dword_1:
        CommandLine|contains|all:
            - ' add '
            - 'd 1'
        CommandLine|contains:
            - 'DisableAccess'
            - 'DisableAntiSpyware'
            - 'DisableAntiSpywareRealtimeProtection'
            - 'DisableAntiVirus'
            - 'DisableAntiVirusSignatures'
            - 'DisableArchiveScanning'
            - 'DisableBehaviorMonitoring'
            - 'DisableBlockAtFirstSeen'
            - 'DisableCloudProtection'
            - 'DisableConfig'
            - 'DisableEnhancedNotifications'
            - 'DisableIntrusionPreventionSystem'
            - 'DisableIOAVProtection'
            - 'DisableNetworkProtection'
            - 'DisableOnAccessProtection'
            - 'DisablePrivacyMode'
            - 'DisableRealtimeMonitoring'
            - 'DisableRoutinelyTakingAction'
            - 'DisableScanOnRealtimeEnable'
            - 'DisableScriptScanning'
            - 'DisableSecurityCenter'
            - 'Notification_Suppress'
            - 'SignatureDisableUpdateOnStartupWithoutEngine'
    condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
    - Rare legitimate use by administrators to test software (should always be investigated)
level: high