medium advisory

Windows Defender Throttle Rate Modification

An attacker modifies the Windows Defender ThrottleDetectionEventsRate registry setting to reduce the frequency of logged detection events, potentially evading detection.

This brief addresses the modification of the ThrottleDetectionEventsRate registry setting within Windows Defender. Attackers may alter this setting to decrease the frequency of logged detection events, reducing the visibility of their malicious activity. The technique can be used to evade detection and prolong a compromise. Disabling or reducing the throttle rate hinders incident response and forensic investigation by limiting the amount of security-related data available to defenders. Defenders should monitor for and alert on unauthorized changes to this registry setting to preserve detection visibility.

Attack Chain

  1. Initial Access: The attacker gains access to the system via various means (e.g., compromised credentials, phishing).
  2. Privilege Escalation: The attacker escalates privileges to gain administrative access, required to modify registry settings.
  3. Defense Evasion: The attacker attempts to disable or modify Windows Defender settings.
  4. Registry Modification: The attacker modifies the ThrottleDetectionEventsRate registry value located at *\Windows Defender\NIS\Consumers\IPS\ThrottleDetectionEventsRate. This is often done using command-line tools like reg.exe or PowerShell.
  5. Persistence: The attacker may establish persistence to maintain access even after system reboots. While not directly related to the throttle rate modification, it ensures continued access for further malicious actions.
  6. Lateral Movement: The attacker moves laterally to other systems within the network, potentially repeating the registry modification process on other endpoints.
  7. Data Exfiltration/Ransomware Deployment: With reduced visibility due to the modified throttle rate, the attacker exfiltrates sensitive data or deploys ransomware.
  8. Impact: The attack succeeds due to the reduced visibility, leading to data loss, financial damage, or system compromise.

Impact

Successful modification of the ThrottleDetectionEventsRate can lead to a significant reduction in the effectiveness of Windows Defender, allowing attackers to operate with reduced scrutiny. This can result in delayed detection of malicious activity, leading to increased dwell time and greater potential for damage. The number of affected systems depends on the scope of the attacker’s access and lateral movement capabilities. Targeted sectors could include any organization relying on Windows Defender as a primary endpoint security solution.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect modifications to the ThrottleDetectionEventsRate registry setting.
  • Monitor Sysmon Event ID 13 (registry events) for changes to Windows Defender registry keys.
  • Investigate any alerts generated by the Sigma rule, prioritizing those affecting critical systems or users.
  • Use the filter macro (windows_impair_defense_change_win_defender_throttle_rate_filter) to tune the provided search and reduce false positives in your specific environment.
  • Regularly review and audit Windows Defender configuration settings to ensure they align with security best practices.
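The recommendations above amount to one detection pipeline: take Sysmon Event ID 13 (registry value set) records, match the TargetObject against the ThrottleDetectionEventsRate path, and suppress known-good writers via a tuning filter. The following Python is an added example of that logic, not the advisory's Sigma rule or the Splunk search it references. It assumes a simple "Field=Value|Field=Value" layout for forwarded Sysmon records, an allowlist of process images that stands in for the filter macro (its single entry is a placeholder), and the HKLM\SOFTWARE\Microsoft hive prefix in the constructed sample events.

```python
# Added example (not the advisory's own Sigma rule or Splunk search): detection
# logic for Sysmon Event ID 13 (RegistryEvent: value set) records that touch the
# Windows Defender ThrottleDetectionEventsRate value, with an allowlist standing
# in for the filter macro the advisory mentions. Events and allowlist entries
# below are constructed.
from dataclasses import dataclass

# Target path as given in the advisory; the leading '*' is treated as a
# Sigma-style "endswith" wildcard. Comparison is case-insensitive because
# registry paths are case-insensitive on Windows.
THROTTLE_RATE_SUFFIX = r"\Windows Defender\NIS\Consumers\IPS\ThrottleDetectionEventsRate".lower()

# Assumed tuning allowlist (plays the role of the advisory's
# windows_impair_defense_change_win_defender_throttle_rate_filter macro).
# Placeholder entry: populate from your own baseline, not from this example.
ALLOWED_IMAGES = {
    r"c:\program files\windows defender\msmpeng.exe",  # assumption: Defender service
}


@dataclass(frozen=True)
class RegistrySetEvent:
    event_id: int
    image: str          # process that performed the write
    user: str           # account context of that process
    target_object: str  # full registry path of the value written
    details: str        # new value as Sysmon renders it, kept for triage


def parse_event(line: str) -> RegistrySetEvent:
    """Parse one forwarded Sysmon record in the constructed 'Field=Value|...' layout."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return RegistrySetEvent(
        event_id=int(fields["EventID"]),
        image=fields["Image"],
        user=fields["User"],
        target_object=fields["TargetObject"],
        details=fields.get("Details", ""),
    )


def is_throttle_rate_modification(ev: RegistrySetEvent, allowed=ALLOWED_IMAGES) -> bool:
    """True when a value-set event targets ThrottleDetectionEventsRate and the
    writing process is not on the allowlist."""
    if ev.event_id != 13:  # 12 = key create/delete, 14 = rename: not value writes
        return False
    if not ev.target_object.lower().endswith(THROTTLE_RATE_SUFFIX):
        return False
    return ev.image.lower() not in allowed


def scan_events(lines):
    """Return the parsed events that should raise an alert, in input order."""
    return [ev for ev in map(parse_event, lines) if is_throttle_rate_modification(ev)]


# Constructed sample telemetry (not real data); hive prefix is an assumption.
SAMPLE_EVENTS = [
    # Unexpected writer: interactive user via reg.exe -> should alert
    r"EventID=13|Image=C:\Windows\System32\reg.exe|User=CORP\jdoe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\ThrottleDetectionEventsRate"
    r"|Details=DWORD (0x00000000)",
    # Allowlisted writer: Defender's own service -> suppressed by the filter
    r"EventID=13|Image=C:\Program Files\Windows Defender\MsMpEng.exe|User=NT AUTHORITY\SYSTEM"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\ThrottleDetectionEventsRate"
    r"|Details=DWORD (0x00000064)",
    # Different Defender value -> out of scope for this rule
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Features\SomeOtherValue"
    r"|Details=DWORD (0x00000001)",
    # Key create/delete event on the same path -> wrong event type, ignored
    r"EventID=12|Image=C:\Windows\System32\reg.exe|User=CORP\jdoe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS\ThrottleDetectionEventsRate",
]


if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print(f"ALERT user={ev.user} image={ev.image} target={ev.target_object} value={ev.details}")
```

Matching on the path suffix rather than a fixed hive prefix mirrors the wildcard in the advisory's path and keeps the check working whether the record carries HKLM\... or the \REGISTRY\MACHINE\... form. The allowlist keys on the writing image only; tightening it to image plus user (for example, requiring NT AUTHORITY\SYSTEM for the Defender service) is the natural next tuning step once the baseline is known.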

Detection coverage (2 rules)

Windows Defender Throttle Rate Registry Modification (severity: medium)

Detects modifications to the Windows Defender ThrottleDetectionEventsRate registry key.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows

Windows Defender Throttle Rate Modification via PowerShell (severity: high)

Detects modifications to the Windows Defender ThrottleDetectionEventsRate registry key via PowerShell.

Rule type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: process_creation, windows
