LoFP / It is unusual to turn this feature off on a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.

Techniques

Sample rules

Windows Impair Defense Disable Win Defender App Guard

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender Application Guard auditing. Microsoft Defender Application Guard provides enhanced security by isolating potentially malicious documents and websites in a containerized environment, protecting the system against various threats. Auditing and logging are essential components of security measures, providing visibility into activities within the isolated environment. Disabling auditing events within Application Guard might not be a standard or recommended practice since auditing is crucial for security monitoring and threat detection within the isolated container. However, there might be settings or configurations related to audit policies in the broader Windows Defender or operating system settings. This registry setting is abused by several threat actors, adversaries and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Policies\\Microsoft\\AppHVSI\\AuditApplicationGuard" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_app_guard_filter`

Windows Impair Defense Disable Controlled Folder Access

Description

The following analytic identifies a modification in the Windows registry to disable the Windows Defender Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain folders from unauthorized access or modification by malicious applications, including ransomware. When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against unauthorized access by potentially malicious applications or ransomware is not enabled.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_controlled_folder_access_filter`

Windows Impair Defense Disable Win Defender Compute File Hashes

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender file hash computation. The EnableFileHashComputation registry setting likely pertains to whether Windows Defender’s MpEngine (Malware Protection Engine) computes file hashes. Setting this value to 0 might disable the file hash computation feature within Windows Defender, which could affect certain malware detection or scanning functionalities that rely on file hash analysis. This registry setting is abused by several threat actors, adversaries and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\MpEngine\\EnableFileHashComputation" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_compute_file_hashes_filter`

Windows Impair Defense Disable Win Defender Scan On Update

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender Scan On Update. The “DisableScanOnUpdate” registry setting in Windows Defender, when set to a value of 1, typically signifies the feature that prevents automatic scans from initiating when updates to Windows Defender or its antivirus definitions are installed. As with any modification to registry settings, it’s important to ensure that changes align with security policies and best practices. Incorrect settings might affect the system’s security or functionality. Always consider the implications and ensure changes are made based on accurate information and organizational requirements. This registry setting is abused by several threat actors, adversaries and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\DisableScanOnUpdate" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_scan_on_update_filter`

Windows Impair Defense Set Win Defender Smart Screen Level To Warn

Description

The following analytic identifies a modification in the Windows registry to set the Windows Defender SmartScreen level to Warn. Setting the ShellSmartScreenLevel to Warn implies a SmartScreen configuration where the system displays a warning prompt when users attempt to run or access potentially risky or unrecognized files or applications. This warning serves as a cautionary alert to users, advising them about the potential risks associated with the file or application they are trying to execute. Changing SmartScreen settings to “warn” might be employed by attackers to reduce the likelihood of triggering immediate suspicion from users when running malicious executables. By setting it to “warn,” the system prompts a cautionary warning rather than outright blocking the execution, potentially increasing the chances of users proceeding with running the file despite the warning.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\System\\ShellSmartScreenLevel" Registry.registry_value_data="Warn" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_set_win_defender_smart_screen_level_to_warn_filter`

Windows Impair Defense Define Win Defender Threat Action

Description

The following analytic identifies a modification in the Windows registry to define the threat action of Windows Defender. The ThreatSeverityDefaultAction registry setting in Windows Defender is used to define the default action taken by Windows Defender when it encounters threats of specific severity levels. A setting like ThreatSeverityDefaultAction is designed to define how Windows Defender responds to threats based on their severity. For example, it might determine whether Windows Defender quarantines, removes, or takes other actions against threats based on their severity levels. In this context, a registry value of 1 typically indicates an action to “clean,” aiming to disinfect or resolve the detected threat, while a registry value of 9 signifies “no action,” meaning that the antivirus software refrains from taking immediate steps against the identified threat.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Threats\\ThreatSeverityDefaultAction*" Registry.registry_value_data IN ("0x00000001", "9") by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_define_win_defender_threat_action_filter`

Windows Impair Defense Disable Web Evaluation

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender web content evaluation. The “EnableWebContentEvaluation” registry entry typically relates to security settings within Microsoft Edge or Internet Explorer, enabling the evaluation of web content for security purposes. When attackers modify “EnableWebContentEvaluation” to 0, they might attempt to disable the browser’s capability to evaluate web content for security purposes. Disabling this feature could potentially impact the browser’s ability to assess the security risks associated with web content, such as potentially malicious scripts, active content, or unsafe web elements. By turning off content evaluation, attackers might aim to exploit security vulnerabilities present in web content without triggering security warnings or blocks. This manipulation increases the risk of users accessing or interacting with malicious content, potentially leading to security compromises or system exploitation.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation" Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_web_evaluation_filter`

Windows Impair Defense Delete Win Defender Context Menu

Description

The search looks for the deletion of Windows Defender context menu within the registry. This is consistent behavior with RAT malware across a fleet of endpoints. This particular behavior is executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" Registry.action = deleted by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_delete_win_defender_context_menu_filter`

Windows Impair Defense Disable Win Defender Network Protection

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender Exploit Guard Network Protection. The EnableNetworkProtection registry entry controls the activation or deactivation of Network Protection within Windows Defender Exploit Guard. When set to 1, it typically signifies that Network Protection is enabled, offering additional security measures against network-based threats by analyzing and blocking potentially malicious network activity. This registry setting is abused by several threat actors, adversaries and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_network_protection_filter`

Windows Impair Defense Disable Realtime Signature Delivery

Description

The following analytic identifies a modification in the Windows registry to disable the Windows Defender real-time signature delivery feature. This setting governs how Windows Defender Antivirus receives updated signature definitions for identifying and combating malware threats in real time. The actual impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether real-time signatures are delivered via different methods such as through Windows Update or directly from Microsoft’s cloud-based services.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_realtime_signature_delivery_filter`

Windows Impair Defense Disable Win Defender Gen reports

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender generic reports. This registry setting can disable the sending of Watson events in Windows Defender. It does this by preventing the transmission of generic or non-specific error reports to Microsoft’s Windows Error Reporting service, commonly known as Watson. This kind of setting could potentially be employed to limit or control the data sent to Microsoft for error analysis, often in scenarios where privacy or specific reporting requirements are in place. This registry setting is abused by several threat actors, adversaries and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\DisableGenericRePorts" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_gen_reports_filter`

Windows Impair Defense Change Win Defender Throttle Rate

Description

The following analytic identifies a modification in the Windows registry to change the ThrottleDetectionEventsRate of Windows Defender. The ThrottleDetectionEventsRate registry setting in Windows Defender is related to controlling the rate at which detection events are logged or reported by Windows Defender Antivirus. This registry setting determines how frequently Windows Defender logs or reports detection events. Adjusting the ThrottleDetectionEventsRate value can impact the logging frequency of detection events such as malware detections, scanning results, or security-related events recorded by Windows Defender. A higher value might mean that detection events are reported less frequently, potentially reducing the volume of recorded events, while a lower value could increase the reporting frequency, resulting in more frequent logs of detection events.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\ThrottleDetectionEventsRate" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_change_win_defender_throttle_rate_filter`

Windows Impair Defense Disable Win Defender Report Infection

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender infection information reporting. Setting this registry key to 1 instructs Windows Defender not to report detailed information about infections or threats detected on the system to Microsoft. Enabling this setting might limit or prevent the transmission of specific data related to infections, such as details about the detected malware, to Microsoft’s servers for analysis or logging purposes. This registry setting is abused by adversaries, threat actors and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\MRT\\DontReportInfectionInformation" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_report_infection_filter`

Windows Impair Defense Change Win Defender Tracing Level

Description

The following analytic identifies a modification in the Windows registry to change the Windows Defender Wpp Tracing levels. The “WppTracingLevel” registry setting is typically related to Windows software tracing and diagnostics, specifically involving Windows Software Trace Preprocessor (WPP) tracing. WPP tracing is a mechanism used by developers to instrument code for diagnostic purposes, allowing for the collection of detailed logs and traces during software execution. It helps in understanding the behavior of the software, identifying issues, and analyzing its performance. Without specific documentation or references to “WppTracingLevel” within Windows Defender settings or its functionalities, it’s challenging to provide precise details about its intended use or configuration within Windows Defender. Modifying registry settings without understanding their implications can affect system behavior or security. Always proceed cautiously and ensure changes align with best practices and organizational requirements.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Reporting\\WppTracingLevel" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_change_win_defender_tracing_level_filter`

Windows Impair Defense Disable Defender Firewall And Network

Description

The following analytic identifies a modification in the Windows registry to disable firewall and network protection section settings of windows security. The specific impact of this change depends on the context and the purpose behind modifying this registry value. In general, setting UILockdown to 1 might imply enforcing a restriction or lockdown in the user interface (UI) related to firewall and network protection settings within Windows Defender Security Center. This could potentially restrict users from modifying certain firewall or network protection settings through the UI.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender Security Center\\Firewall and network protection\\UILockdown" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_defender_firewall_and_network_filter`

Windows Impair Defense Disable PUA Protection

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender PUA protection. Setting PUAProtection to 0 typically disables the detection and protection against Potentially Unwanted Applications by Microsoft Defender Antivirus. Potentially Unwanted Applications include software that may not be inherently malicious but could exhibit behaviors that users may find undesirable, such as adware, browser toolbars, or software bundlers. Disabling this feature might be preferred in certain situations, but it’s essential to consider potential security implications. Enabling PUA protection provides an additional layer of defense against software that might negatively impact user experience or security.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\PUAProtection" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_pua_protection_filter`

Windows Impair Defense Override SmartScreen Prompt

Description

The following analytic identifies a modification in the Windows registry to override windows defender smartscreen prompt. The “PreventSmartScreenPromptOverride” registry setting is associated with the Windows SmartScreen feature, specifically related to controlling whether users can override SmartScreen prompts. When attackers modify “PreventSmartScreenPromptOverride” to 0, it signifies an attempt to disable the prevention of user overrides for SmartScreen prompts. By doing so, attackers aim to allow users to bypass or ignore SmartScreen warnings or prompts. This change increases the risk by permitting users to disregard warnings about potentially unsafe or malicious files or websites that would typically trigger SmartScreen alerts. It could lead to users unintentionally executing or accessing malicious content, potentially resulting in security incidents or system compromises.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Microsoft\\Edge\\PreventSmartScreenPromptOverride" Registry.registry_value_data= "0x00000000" BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_override_smartscreen_prompt_filter`

Windows Impair Defense Disable Defender Protocol Recognition

Description

The following analytic identifies a modification in the Windows registry to disable Windows Defender protocol recognition feature. The DisableProtocolRecognition setting in Windows Defender is not a commonly known or documented registry setting. It’s possible that this specific setting might not exist within the standard Windows Defender configurations or that it might be specific to certain environments, versions, or configurations. It might potentially control or influence the antivirus software’s ability to recognize and handle specific protocols or communication methods used by malware or suspicious software.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_defender_protocol_recognition_filter`

Windows DisableAntiSpyware Registry

Description

The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. This particular behavior is typically executed when a ransomware actor gains access to an endpoint and begins to perform execution. Usually, a batch (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications. The endpoint should be isolated.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_value_name="DisableAntiSpyware" AND Registry.registry_value_data="0x00000001" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_data 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `windows_disableantispyware_registry_filter`

Windows Impair Defense Overide Win Defender Phishing Filter

Description

The following analytic identifies a modification in the Windows registry to disable windows defender phishing filter. This setting controls whether users can manually disable or modify the browser’s built-in phishing filter. When attackers modify “PreventOverride” to 0, it might indicate an attempt to disable the prevention of user overrides for the phishing filter within Microsoft Edge. This change allows users to bypass or disable the built-in phishing protection provided by the browser. By allowing users to override the phishing filter, attackers may attempt to deceive users into visiting phishing websites or malicious pages without triggering warnings or protections from the browser’s built-in security measures. This manipulation increases the risk of users unknowingly accessing potentially harmful websites, leading to potential security incidents or compromises.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_key_name = "*\\MicrosoftEdge\\PhishingFilter" Registry.registry_value_name IN ("EnabledV9", "PreventOverride") Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_overide_win_defender_phishing_filter_filter`

Windows Impair Defense Disable Win Defender Signature Retirement

Description

The following analytic identifies a modification in the Windows registry to disable windows defender Signature Retirement. The DisableSignatureRetirement registry setting in Windows Defender controls the retirement or expiration of antivirus signatures used by Windows Defender Antivirus. When DisableSignatureRetirement is set to 1, it usually indicates that Windows Defender won’t automatically retire or expire antivirus signatures. Antivirus signatures are files containing information about known malware and are used by Windows Defender to detect and protect against threats. Disabling signature retirement might prevent Windows Defender from automatically removing or retiring older or less relevant antivirus signatures. This can potentially increase the number of signatures in use and might impact system resources or the effectiveness of threat detection.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_disable_win_defender_signature_retirement_filter`

Windows Impair Defense Change Win Defender Health Check Intervals

Description

The following analytic identifies a modification in the Windows registry to change the health check interval of Windows Defender. Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings. However, it’s important to note that modifying this value to 1 might not necessarily conform to the actual behavior, as certain registry settings may have specific accepted values or a defined range that differs from a simple binary representation. Changing registry values, especially those related to system services, should be approached cautiously. Incorrect modifications can potentially impact system stability or performance. Always ensure you understand the implications and have a backup before altering registry settings.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_change_win_defender_health_check_intervals_filter`

Windows Impair Defense Configure App Install Control

Description

The following analytic identifies a modification in the Windows registry to change or disable Windows Defender smartscreen app install control. Microsoft Edge’s App Install Control feature helps manage the installation of web-based applications. When attackers modify “ConfigureAppInstallControlEnabled” to 0, they are likely attempting to disable the App Install Control feature in Microsoft Edge. This change might allow users to bypass restrictions imposed by the browser on the installation of web-based applications. Disabling this feature might increase the risk of users being able to install potentially malicious or untrusted web applications without restrictions or controls imposed by the browser. This action could potentially lead to security vulnerabilities or compromise if users inadvertently install harmful applications.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl" Registry.registry_value_data= "Anywhere") OR (Registry.registry_path= "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled" Registry.registry_value_data= "0x00000000") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_configure_app_install_control_filter`

Windows Impair Defenses Disable Win Defender Auto Logging

Description

The search looks for the registry keys DefenderApiLogger or DefenderAuditLogger being set to disabled. This is consistent with RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch file (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path = "*WMI\\Autologger\\DefenderApiLogger\\Start" OR Registry.registry_path = "*WMI\\Autologger\\DefenderAuditLogger\\Start")  Registry.registry_value_data ="0x00000000" by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defenses_disable_win_defender_auto_logging_filter`

Windows Impair Defense Delete Win Defender Profile Registry

Description

The search looks for the deletion of the Windows Defender main profile within the registry. This was used by RAT malware across a fleet of endpoints. This particular behavior is typically executed when an adversary gains access to an endpoint and begins to perform execution. Usually, a batch file (.bat) will be executed and multiple registry and scheduled task modifications will occur. During triage, review parallel processes and identify any further file modifications.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender" Registry.action = deleted by  Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action  Registry.user Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_delete_win_defender_profile_registry_filter`

Windows Impair Defense Change Win Defender Quick Scan Interval

Description

The following analytic identifies a modification in the Windows registry to change the Windows Defender quick scan interval. The “QuickScanInterval” setting in Windows Defender refers to the interval or frequency at which the system conducts quick scans for malware or potential threats; in other words, it dictates how often Windows Defender performs quick scans. Quick scans are less comprehensive than full system scans but provide a faster way to check critical areas for potential threats or malware. This registry setting is abused by several threat actors, adversaries, and red teamers to bypass Windows Defender detections.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Scan\\QuickScanInterval" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_impair_defense_change_win_defender_quick_scan_interval_filter`
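The six analytics on this page (health check interval, app install control, auto logging, profile deletion, quick scan interval, plus the filter macro each one ends with) all reduce to the same shape: a wildcard on Registry.registry_path, an optional literal on Registry.registry_value_data or Registry.action, and a tstats aggregation by dest. The block below is an added example, not Splunk ESCU or LoFP content, that expresses those conditions in Python and runs them over constructed Sysmon-style registry events so the value normalization and the benign look-alikes can be seen end to end. Field names mirror the Endpoint.Registry data model; the raw DWORD text format, the allowlisted account standing in for the `_filter` macros, and every sample event are assumptions made for this example.

```python
"""Added example: the registry conditions of the six Windows Defender analytics
above, as a small detector over constructed Sysmon-style registry events.
Not part of the LoFP page or of Splunk ESCU; see the lead-in for assumptions."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RegistryEvent:
    time: int                            # epoch seconds (constructed)
    dest: str                            # Endpoint.Registry.dest
    user: str                            # Endpoint.Registry.user
    action: str                          # "modified" or "deleted"
    registry_path: str                   # key path plus value name, as in Registry.registry_path
    registry_value_data: Optional[str]   # raw value text; None for deletions


# (analytic, registry_path wildcard, required value data, required action).
# None means the analytic's SPL places no condition on that field.
RULES: List[Tuple[str, str, Optional[str], Optional[str]]] = [
    ("Change Win Defender Health Check Intervals", "*\\Windows Defender\\ServiceKeepAlive", "0x00000001", None),
    ("Configure App Install Control", "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl", "Anywhere", None),
    ("Configure App Install Control", "*\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled", "0x00000000", None),
    ("Disable Win Defender Auto Logging", "*WMI\\Autologger\\DefenderApiLogger\\Start", "0x00000000", None),
    ("Disable Win Defender Auto Logging", "*WMI\\Autologger\\DefenderAuditLogger\\Start", "0x00000000", None),
    ("Delete Win Defender Profile Registry", "*\\Policies\\Microsoft\\Windows Defender", None, "deleted"),
    ("Change Win Defender Quick Scan Interval", "*\\Windows Defender\\Scan\\QuickScanInterval", None, None),
]

# Stand-in for the per-analytic `_filter` macros: accounts whose policy pushes
# are expected. Hypothetical value; the real allowlist comes from your environment.
FILTER_USERS = {"corp\\svc-gpo"}


def normalize_value_data(raw: Optional[str]) -> Optional[str]:
    """Canonicalise DWORD data to the 0x%08x form the SPL compares against.
    Accepts the assumed Sysmon-style 'DWORD (0x00000001)', bare '0x1' and
    decimal '1'; anything else (e.g. the REG_SZ value 'Anywhere') is returned as is."""
    if raw is None:
        return None
    text = raw.strip()
    m = re.fullmatch(r"DWORD\s*\(\s*0x([0-9a-f]{1,8})\s*\)", text, re.IGNORECASE)
    if m is None:
        m = re.fullmatch(r"0x([0-9a-f]{1,8})", text, re.IGNORECASE)
    if m is not None:
        return "0x%08x" % int(m.group(1), 16)
    if text.isdigit():
        return "0x%08x" % int(text, 10)
    return text


def match_rules(event: RegistryEvent) -> List[str]:
    """Names of the analytics whose conditions the event satisfies.
    Path matching is wildcard based and case-insensitive (a choice made here)."""
    path = event.registry_path.lower()
    data = normalize_value_data(event.registry_value_data)
    hits: List[str] = []
    for name, pattern, want_data, want_action in RULES:
        if want_action is not None and event.action.lower() != want_action:
            continue
        if not fnmatch.fnmatchcase(path, pattern.lower()):
            continue
        if want_data is not None and data != want_data:
            continue
        if name not in hits:
            hits.append(name)
    return hits


def summarize(events: List[RegistryEvent]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Mimic the tstats aggregation: count, firstTime and lastTime per
    (analytic, dest), after dropping events the filter allowlist covers."""
    out: Dict[Tuple[str, str], Dict[str, int]] = {}
    for ev in events:
        if ev.user.lower() in FILTER_USERS:
            continue
        for name in match_rules(ev):
            agg = out.setdefault((name, ev.dest), {"count": 0, "firstTime": ev.time, "lastTime": ev.time})
            agg["count"] += 1
            agg["firstTime"] = min(agg["firstTime"], ev.time)
            agg["lastTime"] = max(agg["lastTime"], ev.time)
    return out


HKLM = "HKLM\\SOFTWARE"
SAMPLE_EVENTS = [  # constructed events, not from any real host
    RegistryEvent(1700000000, "HOST-A", "CORP\\alice", "modified", HKLM + "\\Microsoft\\Windows Defender\\ServiceKeepAlive", "DWORD (0x00000001)"),
    RegistryEvent(1700000060, "HOST-A", "CORP\\alice", "modified", HKLM + "\\Policies\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControl", "Anywhere"),
    RegistryEvent(1700000120, "HOST-A", "CORP\\alice", "modified", HKLM + "\\Policies\\Microsoft\\Windows Defender\\Scan\\QuickScanInterval", "DWORD (0x00000006)"),
    RegistryEvent(1700000300, "HOST-B", "NT AUTHORITY\\SYSTEM", "modified", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start", "DWORD (0x00000000)"),
    RegistryEvent(1700000305, "HOST-B", "NT AUTHORITY\\SYSTEM", "modified", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start", "0x0"),
    RegistryEvent(1700000400, "HOST-B", "NT AUTHORITY\\SYSTEM", "deleted", HKLM + "\\Policies\\Microsoft\\Windows Defender", None),
    # Benign look-alikes: wrong value, a deleted value rather than the key, and an allowlisted pusher.
    RegistryEvent(1700000500, "HOST-C", "CORP\\bob", "modified", HKLM + "\\Microsoft\\Windows Defender\\ServiceKeepAlive", "DWORD (0x00000000)"),
    RegistryEvent(1700000510, "HOST-C", "CORP\\bob", "deleted", HKLM + "\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", None),
    RegistryEvent(1700000520, "HOST-C", "CORP\\svc-gpo", "modified", HKLM + "\\Policies\\Microsoft\\Windows Defender\\SmartScreen\\ConfigureAppInstallControlEnabled", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for (name, dest), agg in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{name:45} {dest:8} count={agg['count']} first={agg['firstTime']} last={agg['lastTime']}")
```

Two details carry over to the SPL. The value comparison is on an exact string, so a collector that records DWORDs differently from the `0x00000000` form the searches expect will silently miss; normalize at ingest or widen the literal. The profile deletion analytic keys on the deletion of the policy key itself, so deleting a single value beneath it (the HOST-C DisableAntiSpyware event here) does not fire it and belongs to other analytics.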