admin or user may choose to disable windows defender product

Techniques

Sample rules

Disable Defender Spynet Reporting

source: splunk
technicques:
- T1562.001
- T1562

Description

This analytic is intended to detect a suspicious modification of registry to disable Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV product, specifically the spynet reporting for Defender telemetry.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest  
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_defender_spynet_reporting_filter`

Disable Defender MpEngine Registry

source: splunk
technicques:
- T1562.001
- T1562

Description

This particular behavior is typically executed when an adversary or malware gains access to an endpoint and begins to perform execution and to evade detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_defender_mpengine_registry_filter`

Disable Defender AntiVirus Registry

source: splunk
technicques:
- T1562.001
- T1562

Description

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_defender_antivirus_registry_filter`

Disabling Defender Services

source: splunk
technicques:
- T1562.001
- T1562

Description

This particular behavior is typically executed when an adversaries or malware gains access to an endpoint and beings to perform execution and to evade detections. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. Endpoint should be isolated.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\System\\CurrentControlSet\\Services\\*" AND (Registry.registry_path IN("*WdBoot*", "*WdFilter*", "*WdNisDrv*", "*WdNisSvc*","*WinDefend*", "*SecurityHealthService*")) AND Registry.registry_value_name = Start Registry.registry_value_data = 0x00000004) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disabling_defender_services_filter`

Disable Defender BlockAtFirstSeen Feature

source: splunk
technicques:
- T1562.001
- T1562

Description

This analytic is intended to detect a suspicious modification of the Windows registry to disable a Windows Defender feature. This technique is intended to bypass or evade detection from Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks suspicious files the first time seen on the host.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.user Registry.dest 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_defender_blockatfirstseen_feature_filter`

source: splunk
technicques:
- T1562.001
- T1562

Description

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.user Registry.dest Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `disable_defender_submit_samples_consent_feature_filter`

Techniques

Sample rules

Disable Defender Spynet Reporting

Description

Detection logic

Disable Defender MpEngine Registry

Description

Detection logic

Disable Defender AntiVirus Registry

Description

Detection logic

Disabling Defender Services

Description

Detection logic

Disable Defender BlockAtFirstSeen Feature

Description

Detection logic

Disable Defender Submit Samples Consent Feature

Description

Detection logic