Techniques
Sample rules
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- source: sigma
- techniques:
    - t1562
    - t1562.001
Description
Detects the usage of “reg.exe” to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Detection logic
condition: all of selection_root_* and 1 of selection_dword_*
selection_dword_0:
    CommandLine|contains:
        - DisallowExploitProtectionOverride
        - EnableControlledFolderAccess
        - MpEnablePus
        - PUAProtection
        - SpynetReporting
        - SubmitSamplesConsent
        - TamperProtection
    CommandLine|contains|all:
        - ' add '
        - 'd 0'
selection_dword_1:
    CommandLine|contains:
        - DisableAntiSpyware
        - DisableAntiSpywareRealtimeProtection
        - DisableAntiVirus
        - DisableArchiveScanning
        - DisableBehaviorMonitoring
        - DisableBlockAtFirstSeen
        - DisableConfig
        - DisableEnhancedNotifications
        - DisableIntrusionPreventionSystem
        - DisableIOAVProtection
        - DisableOnAccessProtection
        - DisablePrivacyMode
        - DisableRealtimeMonitoring
        - DisableRoutinelyTakingAction
        - DisableScanOnRealtimeEnable
        - DisableScriptScanning
        - Notification_Suppress
        - SignatureDisableUpdateOnStartupWithoutEngine
    CommandLine|contains|all:
        - ' add '
        - 'd 1'
selection_root_img:
    - Image|endswith: '\reg.exe'
    - OriginalFileName: reg.exe
selection_root_path:
    CommandLine|contains:
        - 'SOFTWARE\Microsoft\Windows Defender\'
        - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
        - 'SOFTWARE\Policies\Microsoft\Windows Defender\'
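To show how the condition combines the selections, here is an added Python evaluation of this rule (written for this page, not part of the Sigma project) run over constructed process-creation events; the `matches_rule` and `evaluate` helpers and the sample events are assumptions, and the substring checks mirror Sigma's case-insensitive contains/endswith modifiers.

```python
# Added example (not from the Sigma project): evaluates the rule above in plain
# Python against constructed events. Sigma modifiers are case-insensitive.

DEFENDER_PATHS = [
    "SOFTWARE\\Microsoft\\Windows Defender\\",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
]
# Value names that indicate tampering when written as 0 (selection_dword_0) ...
DWORD_0_KEYS = ["DisallowExploitProtectionOverride", "EnableControlledFolderAccess",
                "MpEnablePus", "PUAProtection", "SpynetReporting",
                "SubmitSamplesConsent", "TamperProtection"]
# ... and when written as 1 (selection_dword_1).
DWORD_1_KEYS = ["DisableAntiSpyware", "DisableAntiSpywareRealtimeProtection",
                "DisableAntiVirus", "DisableArchiveScanning", "DisableBehaviorMonitoring",
                "DisableBlockAtFirstSeen", "DisableConfig", "DisableEnhancedNotifications",
                "DisableIntrusionPreventionSystem", "DisableIOAVProtection",
                "DisableOnAccessProtection", "DisablePrivacyMode", "DisableRealtimeMonitoring",
                "DisableRoutinelyTakingAction", "DisableScanOnRealtimeEnable", "DisableScriptScanning",
                "Notification_Suppress", "SignatureDisableUpdateOnStartupWithoutEngine"]

def _any(text, needles):
    return any(n.lower() in text for n in needles)

def matches_rule(event):
    """True when: all of selection_root_* and 1 of selection_dword_*."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    root_img = image.endswith("\\reg.exe") or orig == "reg.exe"   # OR inside the list
    root_path = _any(cmd, DEFENDER_PATHS)
    dword_0 = _any(cmd, DWORD_0_KEYS) and " add " in cmd and "d 0" in cmd
    dword_1 = _any(cmd, DWORD_1_KEYS) and " add " in cmd and "d 1" in cmd
    return root_img and root_path and (dword_0 or dword_1)

# Constructed events: the first two should fire; the last two should not
# (a read-only query, and a write that re-enables real-time protection with 0).
RT = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
FEAT = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features"
EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": c} for c in (
        f'reg add "{RT}" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
        f'reg add "{FEAT}" /v TamperProtection /t REG_DWORD /d 0 /f',
        f'reg query "{FEAT}" /v TamperProtection',
        f'reg add "{RT}" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f',
    )
]

def evaluate(events=EVENTS):
    return [matches_rule(e) for e in events]  # -> [True, True, False, False]
```

Note that the value direction matters: the same `Disable*` name written as 0 does not fire, because only `selection_dword_1` lists it and that selection also requires `d 1`.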