high threat

Windows Defender Disabled via Registry Modification

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

This threat brief addresses the disabling of Windows Defender by modifying the DisableAntiSpyware registry key. This is a common tactic used by ransomware actors, including Ryuk, to disable endpoint protection and facilitate malicious activities. The modification involves setting the registry value DisableAntiSpyware to 0x00000001. This activity is significant because it directly impairs a critical security control, potentially allowing attackers to deploy ransomware, exfiltrate data, or further compromise the system without interference from the endpoint antivirus. The registry modification is typically performed post-exploitation, after an attacker has already gained initial access and established a foothold. Defenders must monitor registry modifications to detect and prevent this form of defense evasion.

Attack Chain

  1. Initial access is gained through an exploit or compromised credentials.
  2. The attacker executes code on the target system, potentially via PowerShell or cmd.exe.
  3. The attacker identifies the DisableAntiSpyware registry key location.
  4. The attacker uses reg.exe or PowerShell’s Set-ItemProperty to modify the registry value DisableAntiSpyware under HKLM\SOFTWARE\Microsoft\Windows Defender.
  5. The DisableAntiSpyware value is set to 0x00000001 (REG_DWORD 1), disabling Windows Defender.
  6. The attacker verifies that Windows Defender is disabled by checking its status.
  7. The attacker proceeds with lateral movement, privilege escalation, or data exfiltration without AV interference.
  8. Finally, the attacker deploys ransomware, encrypting files and demanding ransom payment.

Impact

Successful disabling of Windows Defender allows attackers to operate unimpeded on the compromised system. This can lead to the complete encryption of critical files, resulting in significant data loss and operational disruption. Organizations affected by Ryuk ransomware have experienced substantial financial losses, reputational damage, and extensive recovery efforts. Disabling antivirus solutions is a common step in ransomware deployment, increasing the likelihood of a successful attack and maximizing the damage caused.

Recommendation

  • Deploy the Sigma rule "Detect Windows Defender DisableAntiSpyware Registry Modification" to your SIEM to identify registry modifications indicative of this attack.
  • Enable Sysmon Event ID 13 (RegistryEvent: Value Set) logging to capture registry modification events on endpoints.
  • Investigate any alerts generated by the Sigma rule "Detect Suspicious Process Modifying Windows Defender Registry" to determine the legitimacy of the registry change.
  • Implement strict access control policies to prevent unauthorized registry modifications.
  • Monitor endpoints for unusual process behavior after the registry key is modified.

Detection coverage (2 rules)

Detect Windows Defender DisableAntiSpyware Registry Modification

high

Detects modification of the Windows Registry key DisableAntiSpyware to disable Windows Defender.

Format: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows

Detect Suspicious Process Modifying Windows Defender Registry

medium

Detects processes that are not expected to modify the Windows Defender DisableAntiSpyware registry key.

Format: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows
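The two rules above, together with the Sysmon Event ID 13 recommendation, describe the detection logic without showing it (the platform's queries are not on this page). The following Python is an added example, not the platform's Sigma rule or any vendor code: it parses Sysmon-shaped Event ID 13 XML and applies the same two conditions, a high-severity match when DisableAntiSpyware is set to DWORD 1, and a medium-severity match when any process outside an allowlist writes the value. The sample events, the user name CORP\alice and the allowlist of expected writers (svchost.exe, hosting the Group Policy client) are constructed assumptions to tune for your environment.

```python
"""Triage constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records for
writes to the Windows Defender DisableAntiSpyware value.

Added example: mirrors the two detection rules described on the page; it is not
the platform's own query.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Matched case-insensitively as a suffix so that both the product key
# (HKLM\SOFTWARE\Microsoft\Windows Defender) and the policy key
# (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender) are covered.
TARGET_SUFFIX = r"\windows defender\disableantispyware"
DISABLED_VALUE = "DWORD (0x00000001)"  # how Sysmon renders a REG_DWORD of 1

# ASSUMPTION: processes an organisation expects to write this value, e.g. the
# Group Policy client hosted in svchost.exe. Replace with your own allowlist.
EXPECTED_WRITERS = {r"c:\windows\system32\svchost.exe"}


def make_event(event_id, image, target, details, user="CORP\\alice"):
    """Build a Sysmon-shaped event XML string (constructed sample data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2024-01-01 00:00:00.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>
    <Data Name="Details">{details}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return the EventID plus every EventData field as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields


def targets_disable_antispyware(ev):
    """True for a Value Set event whose target is the DisableAntiSpyware value."""
    return (ev["EventID"] == 13 and ev.get("EventType") == "SetValue"
            and ev.get("TargetObject", "").lower().endswith(TARGET_SUFFIX))


def rule_defender_disabled(ev):
    """First rule (high): DisableAntiSpyware set to 1, regardless of writer."""
    return targets_disable_antispyware(ev) and ev.get("Details") == DISABLED_VALUE


def rule_unexpected_writer(ev):
    """Second rule (medium): any write to the value by a non-allowlisted image."""
    return (targets_disable_antispyware(ev)
            and ev.get("Image", "").lower() not in EXPECTED_WRITERS)


def triage(xml_events):
    """Run both rules over raw XML events; return (severity, rule, image, user)."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if rule_defender_disabled(ev):
            alerts.append(("high", "DisableAntiSpyware set to 1", ev["Image"], ev["User"]))
        if rule_unexpected_writer(ev):
            alerts.append(("medium", "unexpected writer", ev["Image"], ev["User"]))
    return alerts


DEFENDER_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware"
POLICY_VALUE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # reg.exe setting the value to 1: both rules fire
    make_event(13, r"C:\Windows\System32\reg.exe", DEFENDER_VALUE, "DWORD (0x00000001)"),
    # Group Policy client applying the same setting: only the high rule fires
    make_event(13, r"C:\Windows\System32\svchost.exe", POLICY_VALUE, "DWORD (0x00000001)"),
    # PowerShell writing 0 (re-enable): only the medium writer rule fires
    make_event(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               DEFENDER_VALUE, "DWORD (0x00000000)"),
    # Unrelated value with the same data: neither rule fires
    make_event(13, r"C:\Windows\System32\reg.exe", r"HKLM\SOFTWARE\Example\Setting",
               "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Feeding real events means replacing SAMPLE_EVENTS with the XML from the Sysmon operational log; the field names (EventType, Image, TargetObject, Details, User) are the ones Sysmon emits for Event ID 13. The suffix match is deliberately broader than the single path quoted in the attack chain so that the equivalent value under the Policies key is not missed, and the allowlist is the tuning point that keeps the medium rule from firing on legitimate policy application.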
