Threat Feed advisory (severity: low)

Windows Defender Disabled via Registry Modification

Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.

Attackers commonly disable Windows Defender to evade detection and to run tooling that would otherwise be quarantined. This is done by modifying specific registry values, either to disable the antivirus entirely or to stop its service from starting automatically. The rule specifically identifies writes to the DisableAntiSpyware policy value and to the WinDefend\Start service value. The DFIR Report has documented this technique in real-world incidents, where it was effective at bypassing the built-in endpoint protection. With Defender out of the way, threat actors can deploy malware, exfiltrate data, or perform other malicious actions without immediate interference from the endpoint security solution. Note that on current Windows 10 and 11 client builds Microsoft has deprecated the DisableAntiSpyware setting and Defender ignores it while Tamper Protection is enabled, so the write is still worth alerting on as attacker intent even when it has no effect on the host.

Attack Chain

  1. An attacker gains initial access to the target system, for example through phishing or by exploiting a software vulnerability.
  2. The attacker elevates privileges to local administrator, since both registry locations below live under HKLM and are not writable by standard users.
  3. The attacker sets the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value to REG_DWORD 1 (rendered by Sysmon as “DWORD (0x00000001)”) to disable Windows Defender.
  4. Alternatively, the attacker modifies the HKLM\System\*ControlSet*\Services\WinDefend\Start value to prevent the Windows Defender service from starting automatically, setting it to 3 (Manual) or 4 (Disabled), which Sysmon renders as “DWORD (0x00000003)” or “DWORD (0x00000004)”. The WinDefend service key is ACL-protected beyond ordinary administrator rights, so in practice this step requires extra work such as taking ownership of the key or running as TrustedInstaller.
  5. The attacker verifies that Windows Defender is disabled by checking the Security Center or attempting to run a scan.
  6. With Windows Defender disabled, the attacker proceeds to deploy malware or execute malicious commands without interference from the antivirus software.
  7. The attacker may further disable security settings and block security-related indicators.

Impact

If successful, this attack can lead to a complete compromise of the affected system. With Windows Defender disabled, the system becomes vulnerable to malware infections, data exfiltration, and other malicious activities. This can result in financial losses, data breaches, and reputational damage for the targeted organization. The lack of immediate detection allows attackers to establish persistence and expand their foothold within the network.

Recommendation

  • Deploy the Sigma rule “Registry Modification to Disable Windows Defender” to your SIEM and tune it for your environment to detect unauthorized changes to Windows Defender registry settings.
  • Monitor registry events for changes to the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware value and the HKLM\System\*ControlSet*\Services\WinDefend\Start value using the log sources listed below.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the process (Image) and user account responsible for the registry modification; legitimate writers of these locations should be baselined before the rule is left on in alerting mode.
  • Enable Sysmon registry event logging (Event ID 13, RegistryEvent: Value Set, which is what the registry_set log source maps to) so the rule has the TargetObject and Details fields it needs. Native auditing via Security Event ID 4657 with a SACL on these keys is a fallback where Sysmon is not deployed.
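The matching logic the two rules on this page describe, run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, as an added self-contained example. It is not the platform's rule, the SigmaHQ rule, or anything from The DFIR Report; it assumes Sysmon's normalised HKLM path prefix and its “DWORD (0x0000000n)” rendering of the Details field, and a collector that flattens each event into tab-separated key=value pairs (the sample lines are constructed). It matches only the two paths named on this page and the values named in the attack chain, so a write of 2 (Automatic) or 0 is deliberately not flagged, and it carries Image and User into the alert for the triage step above.

```python
"""Detection logic for the two Windows Defender registry modifications described
on this page, applied to constructed Sysmon Event ID 13 (RegistryEvent: Value Set)
records. Added standalone example; not the platform's or SigmaHQ's rule."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Set, Tuple

# Constructed sample events. Assumption: the collector flattens each Sysmon event
# into tab-separated key=value pairs, and Sysmon renders TargetObject with the
# HKLM prefix and a REG_DWORD Details field as "DWORD (0x0000000n)".
SAMPLE_EVENTS: List[str] = [
    # Attack chain step 3: DisableAntiSpyware policy set to 1 by an interactive user.
    "EventID=13\tImage=C:\\Windows\\regedit.exe\tUser=CORP\\jdoe"
    "\tTargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"
    "\tDetails=DWORD (0x00000001)",
    # Attack chain step 4: WinDefend start type set to Disabled (4) under ControlSet001.
    "EventID=13\tImage=C:\\Windows\\System32\\reg.exe\tUser=NT AUTHORITY\\SYSTEM"
    "\tTargetObject=HKLM\\System\\ControlSet001\\Services\\WinDefend\\Start"
    "\tDetails=DWORD (0x00000004)",
    # Benign: start type restored to Automatic (2); must not alert.
    "EventID=13\tImage=C:\\Windows\\System32\\services.exe\tUser=NT AUTHORITY\\SYSTEM"
    "\tTargetObject=HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start"
    "\tDetails=DWORD (0x00000002)",
    # Benign: policy explicitly set to 0 (Defender stays enabled); must not alert.
    "EventID=13\tImage=C:\\Windows\\System32\\svchost.exe\tUser=NT AUTHORITY\\SYSTEM"
    "\tTargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"
    "\tDetails=DWORD (0x00000000)",
    # Wrong event type: key creation (EventID 12) carries no Details; must be ignored.
    "EventID=12\tImage=C:\\Windows\\regedit.exe\tUser=CORP\\jdoe"
    "\tTargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
]

# Rule name -> (TargetObject pattern, Details values that mean Defender is being disabled).
# The WinDefend pattern mirrors the *ControlSet* wildcard used in the recommendation.
RULES: Dict[str, Tuple[Pattern[str], Set[str]]] = {
    "Registry Modification to Disable Windows Defender": (
        re.compile(r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.IGNORECASE),
        {"DWORD (0x00000001)"},
    ),
    "WinDefend Service Start Value Modified": (
        re.compile(r"\\System\\[^\\]*ControlSet[^\\]*\\Services\\WinDefend\\Start$", re.IGNORECASE),
        {"DWORD (0x00000003)", "DWORD (0x00000004)"},  # 3 = Manual, 4 = Disabled
    ),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str    # process that wrote the value; first pivot point in triage
    user: str     # account the process ran as
    target: str
    details: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field map; values may themselves contain '='."""
    fields: Dict[str, str] = {}
    for pair in line.split("\t"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event is a Value Set that matches either rule, else None."""
    if event.get("EventID") != "13":  # only Value Set events carry the written data
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    for rule_name, (pattern, bad_values) in RULES.items():
        if pattern.search(target) and details in bad_values:
            return Alert(rule_name, event.get("Image", ""), event.get("User", ""), target, details)
    return None


def run(lines: List[str]) -> List[Alert]:
    """Evaluate every line and keep only the hits, in input order."""
    alerts: List[Alert] = []
    for line in lines:
        alert = evaluate(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image} as {a.user} set {a.target} = {a.details}")
```

Running the sample produces two alerts, one per rule, and the three benign or off-type records are dropped. The exact-value check on Details is what keeps the rule quiet when a value is set back to its default; when tuning, baseline which Image values write these two locations in your environment before switching the rule to alerting.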

Detection coverage (2 rules)

Registry Modification to Disable Windows Defender

low

Detects modifications to the Windows Defender registry settings to disable the service.

Type: Sigma. Tactics: defense_evasion. Techniques: T1112, T1562.001. Log sources: registry_set, windows.

WinDefend Service Start Value Modified

low

Detects changes to the WinDefend service start value in the registry.

Type: Sigma. Tactics: defense_evasion. Techniques: T1112, T1562.001. Log sources: registry_set, windows.

Detection queries are kept inside the platform.