Windows Defender Logging Disabled via Registry Modification
Attackers may disable Windows Defender logging by modifying specific registry keys to evade detection and conceal malicious activities.
This threat brief focuses on the detection of attackers disabling Windows Defender logging through modifications to specific registry keys. This technique is commonly used by Remote Access Trojans (RATs) and other malware to evade detection and hide malicious activities on compromised systems. The activity involves changing the values of the DefenderApiLogger or DefenderAuditLogger registry keys to disable logging. These registry keys are located under the WMI\Autologger path. This technique is significant because it allows attackers to operate without generating audit trails, making it more difficult for defenders to detect and respond to intrusions. Successfully disabling Windows Defender logging can lead to prolonged persistence and further compromise of the affected endpoint.
Attack Chain
- Initial access is achieved through an unspecified method (e.g., phishing, exploit).
- The attacker gains elevated privileges on the target system.
- The attacker uses a tool such as reg.exe or PowerShell to modify the registry.
- The attacker targets the specific registry keys related to Windows Defender logging: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WMI\Autologger\DefenderApiLogger\Start or HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WMI\Autologger\DefenderAuditLogger\Start.
- The attacker changes the value of the Start key to 0x00000000 to disable the respective logging function.
- Windows Defender logging is effectively disabled, preventing the recording of events related to Defender's activities.
- The attacker performs malicious activities without being logged by Windows Defender, such as lateral movement, data exfiltration, or malware deployment.
- The attacker maintains persistence on the compromised system, leveraging the disabled logging to avoid detection.
Impact
Disabling Windows Defender logging allows attackers to operate undetected on compromised systems. This can lead to prolonged persistence, further compromise of the environment, and increased difficulty in incident response. Attackers can leverage this to perform data theft, deploy ransomware, or establish a foothold for future attacks. The impact is significant as it undermines the effectiveness of a key security control.
Recommendation
- Enable Sysmon Event ID 13 to monitor registry modifications, as indicated by the data_source field and the tests section of this brief.
- Deploy the Sigma rule "Detect Windows Defender Logging Disabled via Registry" to your SIEM and tune it for your environment.
- Investigate any alerts generated by this rule, focusing on the processes and users involved in the registry modifications.
- Use endpoint detection and response (EDR) tools to monitor for suspicious registry modifications and other defense evasion techniques.
Detection coverage (2 rules)
Detect Windows Defender Logging Disabled via Registry
Severity: high. Detects when Windows Defender logging is disabled by modifying the registry keys DefenderApiLogger or DefenderAuditLogger.
Detect Process Modifying Defender Logging Registry Keys
Severity: medium. Detects processes that modify the registry keys related to Windows Defender logging.
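To show how the Sysmon Event ID 13 recommendation and the two rules above fit together, here is an added Python example (not code from this brief or its platform) that classifies constructed Sysmon registry value-set records into the high and medium severities described. The EventData field names and the "DWORD (0x00000000)" rendering of the Details field are assumptions about how Sysmon logs the event.

```python
import re
from typing import Dict, List, Optional

# The two registry values named in the brief, matched on the tail of TargetObject.
DEFENDER_LOGGER_START = re.compile(
    r"\\WMI\\Autologger\\Defender(?:Api|Audit)Logger\\Start$", re.IGNORECASE
)
# Sysmon writes DWORD data into the Details field as "DWORD (0x00000000)" (assumed format).
DWORD_DETAILS = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]{1,8})\)")


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Severity per the brief's two rules: 'high' when Event ID 13 sets a Defender
    autologger Start value to 0 (logging disabled), 'medium' when it writes any other
    data to one of those values, None when the event is not relevant."""
    if event.get("EventID") != "13":          # 13 = RegistryEvent (Value Set)
        return None
    if not DEFENDER_LOGGER_START.search(event.get("TargetObject", "")):
        return None
    match = DWORD_DETAILS.search(event.get("Details", ""))
    if match and int(match.group(1), 16) == 0:
        return "high"
    return "medium"


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per relevant event, carrying the process and user to investigate first."""
    alerts = []
    for event in events:
        severity = classify_event(event)
        if severity:
            alerts.append({"severity": severity, "image": event.get("Image", ""),
                           "user": event.get("User", ""), "target": event["TargetObject"]})
    return alerts


AUTOLOGGER = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WMI\\Autologger\\"
# Constructed sample records (not real telemetry), shaped like Sysmon EventData fields.
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\admin",
     "TargetObject": AUTOLOGGER + "DefenderApiLogger\\Start", "Details": "DWORD (0x00000000)"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": AUTOLOGGER + "DefenderAuditLogger\\Start", "Details": "DWORD (0x00000001)"},
    {"EventID": "13", "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\user",
     "TargetObject": "HKCU\\Software\\ExampleApp\\Start", "Details": "DWORD (0x00000000)"},
    {"EventID": "12", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\admin",
     "TargetObject": AUTOLOGGER + "DefenderApiLogger\\Start", "Details": ""},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample is a key create/delete event (Event ID 12) on the same path, which the value-set rule deliberately ignores; route those to the broader medium-severity rule if your Sysmon configuration emits them.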
Detection queries are kept inside the platform. Get full rules →