Threat Feed
medium advisory

Windows Defender PUA Protection Disabled via Registry Modification

An attacker modifies the Windows Registry to disable Windows Defender Potentially Unwanted Application (PUA) protection, increasing the risk of malware installation and system compromise.

Attackers may attempt to disable Windows Defender PUA protection to facilitate the installation of malware or other unwanted software. This involves modifying the PUAProtection registry value under the Windows Defender key to 0, effectively turning off the protection against potentially unwanted applications. Disabling PUA protection increases the attack surface of the system, making it easier for attackers to introduce adware, browser toolbars, or other unwanted software. This can negatively impact user experience, productivity, and overall system security. The observed activity leverages registry modifications, specifically targeting the Windows Defender configuration.

Attack Chain

  1. An attacker gains initial access to the system, potentially through phishing or exploiting a software vulnerability.
  2. The attacker elevates privileges to obtain the necessary permissions to modify the registry.
  3. The attacker executes a command or script to modify the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection.
  4. The registry value PUAProtection is set to 0x00000000, disabling PUA protection.
  5. The attacker attempts to download and execute potentially unwanted applications (PUAs) or malware.
  6. Because PUA protection is disabled, the downloaded files are allowed to execute without triggering a warning.
  7. The attacker may use the installed PUAs as a beachhead for further exploitation or data exfiltration.

Impact

Disabling PUA protection allows attackers to install potentially unwanted applications and malware on the affected system without triggering Windows Defender warnings. This can lead to system compromise, data theft, and a degraded user experience. Successful exploitation can result in the installation of adware, browser hijackers, or more sophisticated malware such as ransomware or keyloggers. The lack of PUA protection increases the likelihood of successful malware infections and reduces the overall security posture of the system.

Recommendation

  • Enable Sysmon Event ID 13 (RegistryEvent: value set) logging; it is the data source (registry_set) that the Sigma rules for this activity rely on.
  • Deploy the Sigma rule Detect Windows Defender PUA Protection Disabled via Registry to your SIEM to detect this specific registry modification.
  • Investigate any alerts generated by the Sigma rule and review the associated process and user activity to determine if the modification was legitimate.
  • Use Endpoint Detection and Response (EDR) solutions to monitor for and block the execution of potentially unwanted applications.
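The registry_set logic described above, run over a few constructed Sysmon Event ID 13 records, as an added example that is not part of the advisory or of the platform's own rules. It assumes Sysmon's field shapes (TargetObject with an HKLM prefix, Details formatted as `DWORD (0x00000000)`) and matches any key ending in `\Windows Defender\PUAProtection`, which also covers the non-policy location; the sample events are made up for the demonstration.

```python
import re

# Constructed sample Sysmon Event ID 13 (RegistryEvent, Value Set) records,
# reduced to the fields the detection needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection",
     "Details": "DWORD (0x00000000)"},                     # disabled -> alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection",
     "Details": "DWORD (0x00000001)"},                     # enabled -> no alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\svc-build",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},                     # different value name -> no alert
    {"EventID": 12, "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection",
     "Details": ""},                                       # key create/delete, not a value set
]

# Sysmon renders DWORD values as "DWORD (0x%08X)"; anything else is not a DWORD set.
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def parse_dword(details):
    """Return the integer value of a Sysmon DWORD Details string, or None."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def is_pua_protection_disabled(event):
    """Sigma-style condition: EventID 13, TargetObject ends with
    \\Windows Defender\\PUAProtection, and the new value is 0."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    if not target.endswith("\\windows defender\\puaprotection"):
        return False
    return parse_dword(event.get("Details")) == 0


def find_alerts(events):
    """Return triage records (process and user) for every matching event,
    which is what the analyst needs to judge whether the change was legitimate."""
    return [{"Image": e["Image"], "User": e["User"], "TargetObject": e["TargetObject"]}
            for e in events if is_pua_protection_disabled(e)]
```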

Detection coverage (2 rules)

Detect Windows Defender PUA Protection Disabled via Registry

medium

Detects when the Windows Defender PUAProtection registry value is set to 0, disabling the protection.

Type: sigma | Tactics: defense_evasion | Sources: registry_set, windows

Detect Process Modifying Windows Defender PUA Protection Registry

medium

Detects processes that are modifying the Windows Defender PUA Protection registry key.

Type: sigma | Tactics: defense_evasion | Sources: registry_set, windows
