Techniques
Sample rules
Disable Windows Defender Functionalities Via Registry Keys
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Detection logic
condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
filter_optional_symantec:
Image|endswith: \sepWscSvc64.exe
Image|startswith: C:\Program Files\Symantec\Symantec Endpoint Protection\
selection_dword_0:
Details: DWORD (0x00000000)
TargetObject|endswith:
- \App and Browser protection\DisallowExploitProtectionOverride
- \Features\TamperProtection
- \MpEngine\MpEnablePus
- \PUAProtection
- \Signature Update\ForceUpdateFromMU
- \SpyNet\SpynetReporting
- \SpyNet\SubmitSamplesConsent
- \Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess
selection_dword_1:
Details: DWORD (0x00000001)
TargetObject|endswith:
- \DisableAntiSpyware
- \DisableAntiVirus
- \Real-Time Protection\DisableBehaviorMonitoring
- \Real-Time Protection\DisableIntrusionPreventionSystem
- \Real-Time Protection\DisableIOAVProtection
- \Real-Time Protection\DisableOnAccessProtection
- \Real-Time Protection\DisableRealtimeMonitoring
- \Real-Time Protection\DisableScanOnRealtimeEnable
- \Real-Time Protection\DisableScriptScanning
- \Reporting\DisableEnhancedNotifications
- \SpyNet\DisableBlockAtFirstSeen
selection_main:
TargetObject|contains:
- \SOFTWARE\Microsoft\Windows Defender\
- \SOFTWARE\Policies\Microsoft\Windows Defender Security Center\
- \SOFTWARE\Policies\Microsoft\Windows Defender\