LoFP / administrator actions via the windows defender interface

Techniques

Sample rules

Disable Windows Defender Functionalities Via Registry Keys

Description

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Detection logic

condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
filter_optional_symantec:
  Image|endswith: \sepWscSvc64.exe
  Image|startswith: C:\Program Files\Symantec\Symantec Endpoint Protection\
selection_dword_0:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
  - \DisallowExploitProtectionOverride
  - \Features\TamperProtection
  - \MpEngine\MpEnablePus
  - \PUAProtection
  - \Signature Update\ForceUpdateFromMU
  - \SpyNet\SpynetReporting
  - \SpyNet\SubmitSamplesConsent
  - \Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess
selection_dword_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - \DisableAntiSpyware
  - \DisableAntiVirus
  - \DisableBehaviorMonitoring
  - \DisableBlockAtFirstSeen
  - \DisableEnhancedNotifications
  - \DisableIntrusionPreventionSystem
  - \DisableIOAVProtection
  - \DisableOnAccessProtection
  - \DisableRealtimeMonitoring
  - \DisableScanOnRealtimeEnable
  - \DisableScriptScanning
selection_main:
  TargetObject|contains:
  - \SOFTWARE\Microsoft\Windows Defender\
  - \SOFTWARE\Policies\Microsoft\Windows Defender Security Center\
  - \SOFTWARE\Policies\Microsoft\Windows Defender\
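As an added example (not code from the LoFP site, the Sigma project or the rule's author), a small Python evaluator for the condition above, run over constructed registry value-set events shaped like Sysmon Event ID 13; the process paths in the samples are assumptions. It shows the Symantec filter suppressing that vendor's own write, while an administrator's change made through the Defender interface matches exactly like a scripted one, which is the false positive this page records.

```python
# Sigma's contains/startswith/endswith modifiers are case-insensitive, so every comparison lower-cases both sides.
SELECTION_MAIN = ["\\SOFTWARE\\Microsoft\\Windows Defender\\",
                  "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\",
                  "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"]
DWORD_0_VALUES = ["\\DisallowExploitProtectionOverride", "\\Features\\TamperProtection",
                  "\\MpEngine\\MpEnablePus", "\\PUAProtection",
                  "\\Signature Update\\ForceUpdateFromMU", "\\SpyNet\\SpynetReporting",
                  "\\SpyNet\\SubmitSamplesConsent",
                  "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess"]
DWORD_1_VALUES = ["\\DisableAntiSpyware", "\\DisableAntiVirus", "\\DisableBehaviorMonitoring",
                  "\\DisableBlockAtFirstSeen", "\\DisableEnhancedNotifications",
                  "\\DisableIntrusionPreventionSystem", "\\DisableIOAVProtection",
                  "\\DisableOnAccessProtection", "\\DisableRealtimeMonitoring",
                  "\\DisableScanOnRealtimeEnable", "\\DisableScriptScanning"]


def matches(event: dict) -> bool:
    """selection_main and 1 of selection_dword_* and not 1 of filter_optional_*"""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    image = event.get("Image", "").lower()
    selection_main = any(p.lower() in target for p in SELECTION_MAIN)
    dword_0 = details == "dword (0x00000000)" and any(target.endswith(v.lower()) for v in DWORD_0_VALUES)
    dword_1 = details == "dword (0x00000001)" and any(target.endswith(v.lower()) for v in DWORD_1_VALUES)
    # filter_optional_symantec: writes made by Symantec Endpoint Protection's own service
    filter_symantec = (image.endswith("\\sepwscsvc64.exe")
                       and image.startswith("c:\\program files\\symantec\\symantec endpoint protection\\"))
    return selection_main and (dword_0 or dword_1) and not filter_symantec


# Constructed sample events shaped like Sysmon Event ID 13 (not real telemetry; process paths are assumed).
DEFENDER_RTP = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring"
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "Details": "DWORD (0x00000001)",  # scripted disable: alert
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
    {"Image": "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\14.3\\Bin64\\sepWscSvc64.exe",
     "Details": "DWORD (0x00000001)", "TargetObject": DEFENDER_RTP},  # excluded by the rule's own filter
    {"Image": "C:\\Windows\\System32\\svchost.exe",  # placeholder for the admin's Defender UI session
     "Details": "DWORD (0x00000001)", "TargetObject": DEFENDER_RTP},  # the LoFP: still fires
    {"Image": "C:\\Windows\\System32\\reg.exe", "Details": "DWORD (0x00000000)",  # re-enabling: no alert
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"},
]


def alerts(events) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Triage of the third event therefore has to come from process and user context outside the rule itself, since the registry write is indistinguishable from the scripted one.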