Skip to content

T1562.001 Impair Defenses Disable Defender Functionalities Via Registry Keys

T1562.001 ImpairDefenses - Disable Defender Functionalities Via Registry Keys

DESCRIPTION

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

example:

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

Related

Ransomware

Reference:

https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42
https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpyware

ATT&CK TACTICS

T1562.001 - Impair Defenses: Disable or Modify Tools

Data Source(s): Windows Registry

SENTINEL RULE QUERY

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
let selection_main = dynamic([@'\SOFTWARE\Microsoft\Windows Defender\', @'\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\',@'\SOFTWARE\Policies\Microsoft\Windows Defender\']); 
let selection_dword_1 = dynamic(['DisableAntiSpyware','DisableAntiVirus', 'DisableBehaviorMonitoring','DisableIntrusionPreventionSystem', 'DisableIOAVProtection', 'DisableOnAccessProtection','DisableScanOnRealtimeEnable','DisableScriptScanning','DisableEnhancedNotifications',  'DisableBlockAtFirstSeen']); 
let selection_dword_0 = dynamic(['DisallowExploitProtectionOverride', 'TamperProtection', 'MpEnablePus', 'PUAProtection', 'ForceUpdateFromMU','SubmitSamplesConsent','EnableControlledFolderAccess']); 
let exclusion_defender = dynamic([@'c:\programdata\microsoft\windows defender',@'c:\program files\windows defender']); //Exclude activities from Microsoft Defender itself
let filter_folderPath = dynamic([@'c:\windows\system32\deviceenroller.exe',@'c:\windows\system32\omadmclient.exe', @'c:\windows\system32\hvsievaluator.exe']); //Exclude activities from known processes
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (selection_main)
| where (RegistryKey matches regex @"(?i)(\\Real-Time Protection|\\Reporting|\\SpyNet)$" and RegistryValueName has_any (selection_dword_1) and RegistryValueType =~ "Dword" and RegistryValueData == 1 )//DWORD (0x00000001) 
or 
(RegistryKey matches regex @"(?i)(\\App and Browser protection|\\Features|\\MpEngine|\\Signature Update|\\SpyNet|\\Windows Defender Exploit Guard\\Controlled Folder Access)$" and RegistryValueName has_any(selection_dword_0) and RegistryValueType =~ "Dword" and RegistryValueData == 0 )//DWORD (0x00000000) 
| where not(InitiatingProcessFolderPath has_any (exclusion_defender) and InitiatingProcessFileName == "msmpeng.exe") //Exclude activities from Microsoft Defender itself
| where not(InitiatingProcessFolderPath has_any (filter_folderPath)) //Exclude activities from known processes
| where not(InitiatingProcessFolderPath == @'c:\windows\system32\svchost.exe' and InitiatingProcessCommandLine startswith "svchost.exe -k ") //exclude activities initiated from group policy
//| summarize count(), start_TimeStamp =min(TimeGenerated),last_TimeStamp=max(TimeGenerated), set_DeviceName=make_set(DeviceName), DeviceNum=dcount(DeviceName), set_RegistryValueName=make_set(RegistryValueName) by ActionType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, TenantId
//| project start_TimeStamp, last_TimeStamp, ActionType, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, set_RegistryValueName, DeviceNum, set_DeviceName, count_, TenantId

Triage

  1. Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates.
  2. Inspect the InitiatingProcessFolderPath, InitiatingProcessFileName, and InitiatingProcessCommandLine, and see any suspicious process adding defender exclusion
  3. Check why Defender was disabled.

FalsePositive

  1. Legitimate application adding folder exceptions to the registry key
  2. Group policy being used to disabling defender (added to exclusion-out of scope of this detection)

VERSION

Version 2.0 (date: 07/02/2024)