Disable Windows Defender Functionalities Via Registry Keys

    Date: 10/09/2024

    Severity: Medium

    Summary

    "Disable Windows Defender Functionalities Via Registry Keys" covers the writing of registry values that turn off or weaken Microsoft Defender Antivirus (still widely called Windows Defender), the antivirus built into Windows. Malware and post-exploitation tooling use this technique (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools) to evade detection and keep a foothold on a compromised host. With administrative rights, an attacker can set DWORD values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and related keys to disable real-time and behavior monitoring, script and download (IOAV) scanning, cloud-delivered protection (SpyNet reporting and sample submission), PUA protection and tamper protection, after which payloads run without being blocked. Two points matter for triage. First, when Tamper Protection is enabled, Defender ignores policy values such as DisableAntiSpyware, so a successful registry write does not by itself prove that protection is off; check the effective state with Get-MpComputerStatus. Second, administrators and third-party antivirus installers write the same value names legitimately, so the detection must key on the value written (a Disable* value set to 1, an Enable-style value set to 0), not merely on the key being touched.

    Indicators of Compromise (IOC) List

    Image (exclusion: the referenced Sigma rule filters out writes by the Windows Security Center service of Symantec Endpoint Protection, a known benign writer of these values; the image is matched by path prefix and file-name suffix, not as an exact path, because the executable sits in a versioned subfolder)

    'C:\Program Files\Symantec\Symantec Endpoint Protection\'

    '\sepWscSvc64.exe'

    TargetObject (key path; matched as a substring of the written value's full path)

    '\SOFTWARE\Microsoft\Windows Defender\'

    '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'

    '\SOFTWARE\Policies\Microsoft\Windows Defender\'

    TargetObject (value name; matched as the suffix of the path and paired with the Details value below, as in the referenced Sigma rule). The pairing is what separates tampering from an administrator turning a feature back on: a Disable* value written as 1 switches a protection off, while the remaining values switch a protection off when written as 0.

    Written as 'DWORD (0x00000001)':

    '\DisableAntiSpyware'

    '\DisableAntiVirus'

    '\DisableBehaviorMonitoring'

    '\DisableBlockAtFirstSeen'

    '\DisableEnhancedNotifications'

    '\DisableIntrusionPreventionSystem'

    '\DisableIOAVProtection'

    '\DisableOnAccessProtection'

    '\DisableRealtimeMonitoring'

    '\DisableScanOnRealtimeEnable'

    '\DisableScriptScanning'

    Written as 'DWORD (0x00000000)':

    '\DisallowExploitProtectionOverride'

    '\Features\TamperProtection'

    '\MpEngine\MpEnablePus'

    '\PUAProtection'

    '\Signature Update\ForceUpdateFromMU'

    '\SpyNet\SpynetReporting'

    '\SpyNet\SubmitSamplesConsent'

    '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'

    Details

    'DWORD (0x00000001)'

    'DWORD (0x00000000)'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    Sysmon registry value-set events (Event ID 13). The query keys on the value written, not just on the value name, so that a Disable* value being reset to 0 (a re-enable) does not alert, and it excludes writes by Symantec Endpoint Protection's sepWscSvc64.exe, which the referenced Sigma rule lists as a known benign writer.

    (((resourcename in ("Sysmon") AND eventtype = "13") AND targetobject IN ("\SOFTWARE\Microsoft\Windows Defender","\SOFTWARE\Policies\Microsoft\Windows Defender Security Center","\SOFTWARE\Policies\Microsoft\Windows Defender")) AND ((targetobject IN ("\DisableAntiSpyware","\DisableAntiVirus","\DisableBehaviorMonitoring","\DisableBlockAtFirstSeen","\DisableEnhancedNotifications","\DisableIntrusionPreventionSystem","\DisableIOAVProtection","\DisableOnAccessProtection","\DisableRealtimeMonitoring","\DisableScanOnRealtimeEnable","\DisableScriptScanning") AND Details = "DWORD (0x00000001)") OR (targetobject IN ("\DisallowExploitProtectionOverride","\Features\TamperProtection","\MpEngine\MpEnablePus","\PUAProtection","\Signature Update\ForceUpdateFromMU","\SpyNet\SpynetReporting","\SpyNet\SubmitSamplesConsent","\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess") AND Details = "DWORD (0x00000000)"))) AND NOT (image IN ("C:\Program Files\Symantec\Symantec Endpoint Protection","\sepWscSvc64.exe"))

    Detection Query 2

    The same logic over registry telemetry from the EDR technology group, with the same value pairing and the same Symantec exclusion.

    (((technologygroup = "EDR") AND targetobject IN ("\SOFTWARE\Microsoft\Windows Defender","\SOFTWARE\Policies\Microsoft\Windows Defender Security Center","\SOFTWARE\Policies\Microsoft\Windows Defender")) AND ((targetobject IN ("\DisableAntiSpyware","\DisableAntiVirus","\DisableBehaviorMonitoring","\DisableBlockAtFirstSeen","\DisableEnhancedNotifications","\DisableIntrusionPreventionSystem","\DisableIOAVProtection","\DisableOnAccessProtection","\DisableRealtimeMonitoring","\DisableScanOnRealtimeEnable","\DisableScriptScanning") AND Details = "DWORD (0x00000001)") OR (targetobject IN ("\DisallowExploitProtectionOverride","\Features\TamperProtection","\MpEngine\MpEnablePus","\PUAProtection","\Signature Update\ForceUpdateFromMU","\SpyNet\SpynetReporting","\SpyNet\SubmitSamplesConsent","\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess") AND Details = "DWORD (0x00000000)"))) AND NOT (image IN ("C:\Program Files\Symantec\Symantec Endpoint Protection","\sepWscSvc64.exe"))
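    The detection logic above, carried out in Python as an added example (this is not Gurucul TDIR or SigmaHQ code): it re-implements the condition of the referenced Sigma rule, matching the key path as a substring, the value name as a suffix paired with the DWORD written, and excluding the Symantec Endpoint Protection service, over a handful of Sysmon Event ID 13 records. It assumes the Sysmon field names Image, TargetObject and Details, and every sample event, path and version number in it is constructed for the demonstration rather than taken from real telemetry.

```python
# Added example: stand-alone re-implementation of the matching logic of the
# referenced SigmaHQ rule (registry_set_windows_defender_tamper.yml), run over
# constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records.
# Not Gurucul TDIR or SigmaHQ code. Field names assume Sysmon's own
# (Image, TargetObject, Details); all sample events below are made up.

# Key paths that TargetObject must contain (Sigma matching is case-insensitive).
KEY_PATHS = (
    "\\SOFTWARE\\Microsoft\\Windows Defender\\",
    "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\",
    "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
)

# Value names that switch a protection off when written as DWORD 1 ...
DISABLED_BY_1 = (
    "\\DisableAntiSpyware", "\\DisableAntiVirus", "\\DisableBehaviorMonitoring",
    "\\DisableBlockAtFirstSeen", "\\DisableEnhancedNotifications",
    "\\DisableIntrusionPreventionSystem", "\\DisableIOAVProtection",
    "\\DisableOnAccessProtection", "\\DisableRealtimeMonitoring",
    "\\DisableScanOnRealtimeEnable", "\\DisableScriptScanning",
)
# ... and value names that switch a protection off when written as DWORD 0.
DISABLED_BY_0 = (
    "\\DisallowExploitProtectionOverride", "\\Features\\TamperProtection",
    "\\MpEngine\\MpEnablePus", "\\PUAProtection",
    "\\Signature Update\\ForceUpdateFromMU", "\\SpyNet\\SpynetReporting",
    "\\SpyNet\\SubmitSamplesConsent",
    "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess",
)

# Known benign writer excluded by the rule: the Symantec Endpoint Protection
# Windows Security Center service, matched by path prefix and file-name suffix
# (it lives in a versioned subfolder, so an exact path would not match).
SYMANTEC_DIR = "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\"
SYMANTEC_EXE = "\\sepWscSvc64.exe"

DWORD_1 = "DWORD (0x00000001)"
DWORD_0 = "DWORD (0x00000000)"


def _ends_with_any(text: str, suffixes) -> bool:
    t = text.casefold()
    return any(t.endswith(s.casefold()) for s in suffixes)


def is_defender_tamper(event: dict) -> bool:
    """True when a Sysmon event satisfies: key-path match AND one of the two
    (value-name, DWORD) pairings AND NOT the Symantec exclusion."""
    if event.get("EventID") != 13:            # only registry value-set events
        return False
    target = event.get("TargetObject", "")
    details = event.get("Details", "").casefold()
    image = event.get("Image", "").casefold()
    if not any(p.casefold() in target.casefold() for p in KEY_PATHS):
        return False
    if image.startswith(SYMANTEC_DIR.casefold()) and image.endswith(SYMANTEC_EXE.casefold()):
        return False                          # filtered as a known benign writer
    if details == DWORD_1.casefold():
        return _ends_with_any(target, DISABLED_BY_1)
    if details == DWORD_0.casefold():
        return _ends_with_any(target, DISABLED_BY_0)
    return False                              # any other value (e.g. a re-enable)


def tamper_events(events):
    """Reduce a list of Sysmon events to the ones that should alert."""
    return [e for e in events if is_defender_tamper(e)]


# Constructed sample events (not real telemetry; version folders are invented).
POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": POLICY + "DisableAntiSpyware", "Details": DWORD_1},          # alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": POLICY + "Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": DWORD_1},                                                         # alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": POLICY + "Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": DWORD_0},                                                         # re-enable: no alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": POLICY + "SpyNet\\SpynetReporting", "Details": DWORD_0},     # alert
    {"EventID": 13, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0-0\\MsMpEng.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "Details": "DWORD (0x00000005)"},                                            # 5 = on; rule matches 0 only
    {"EventID": 13, "Image": "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\14.3.0.0\\Bin64\\sepWscSvc64.exe",
     "TargetObject": POLICY + "DisableAntiSpyware", "Details": DWORD_1},          # excluded writer
    {"EventID": 12, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": POLICY + "DisableAntiSpyware", "Details": ""},               # key create, not value set
]

if __name__ == "__main__":
    for e in tamper_events(SAMPLE_EVENTS):
        print(f"ALERT {e['Image']} -> {e['TargetObject']} = {e['Details']}")
```

    Running it prints the three events that should alert (the two Disable* writes of 1 and the SpynetReporting write of 0); the re-enable, the TamperProtection write of 5 by the Defender engine, the Symantec write and the key-creation event are all dropped, which is exactly where a flat "any of these names with value 0 or 1" query would over-fire or, with the Symantec image used as a selector rather than an exclusion, never fire at all.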

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml


    Tags

    Malware, Sigma
