Microsoft Defender 'Block at First Seen' Feature Disabled
An attacker disables the Microsoft Defender 'Block at First Seen' feature to allow potentially malicious files to execute without initial scrutiny, increasing the risk of malware infection and data compromise.
Attackers may attempt to disable the Microsoft Defender 'Block at First Seen' feature to bypass initial security checks and execute potentially malicious files. This feature is designed to send unknown files to Microsoft's cloud for analysis, blocking execution until a determination is made. Disabling this feature reduces the security posture of the system and allows malware to run without immediate scrutiny. While the specific method of disabling the feature isn't provided in the source, it's crucial to monitor for suspicious registry modifications or PowerShell commands that could achieve this. This brief focuses on detection strategies for identifying such attempts.
Attack Chain
- Initial Access: The attacker gains initial access to the system through an existing vulnerability, compromised credentials, or social engineering.
- Privilege Escalation: If necessary, the attacker escalates privileges to gain administrative access to modify Defender settings.
- Disable 'Block at First Seen': The attacker uses PowerShell or registry modifications to disable the 'Block at First Seen' feature. This may involve modifying the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpCloudBlockLevelregistry key. - Malware Execution: With the feature disabled, the attacker executes a malicious file (e.g., a trojan or ransomware payload).
- Persistence: The malware establishes persistence through registry keys, scheduled tasks, or other mechanisms to ensure it remains active after system restarts.
- Lateral Movement: The attacker attempts to move laterally to other systems on the network, exploiting trust relationships or using stolen credentials.
- Data Exfiltration / Encryption: The attacker exfiltrates sensitive data or encrypts files for ransom, depending on the attacker's objectives.
Impact
Disabling 'Block at First Seen' significantly increases the risk of malware infection. If successful, attackers can execute malicious code without immediate detection, potentially leading to data theft, system compromise, or ransomware attacks. The impact can range from individual machine infections to widespread network compromise, depending on the attacker's goals and capabilities.
Recommendation
- Monitor for registry modifications related to disabling Defender's cloud-delivered protection using the "Detect Suspicious Defender Registry Modification" Sigma rule.
- Detect suspicious PowerShell commands attempting to disable real-time monitoring or cloud-delivered protection using the "Detect Suspicious PowerShell Defender Configuration" Sigma rule.
- Investigate any unexpected changes to Microsoft Defender's configuration.
Detection coverage 2
Detect Suspicious Defender Registry Modification
highDetects attempts to modify the Windows Defender registry keys to disable or weaken security features.
Detect Suspicious PowerShell Defender Configuration
mediumDetects PowerShell commands used to disable or modify Windows Defender settings.
Detection queries are available on the platform. Get full rules →