Windows Defender MpEngine Disabled via Registry Modification
An attacker modifies the Windows Defender MpEngine registry value to disable key features, potentially allowing malware to evade detection.
Attackers, particularly those associated with IcedID campaigns, may attempt to disable Windows Defender to evade detection. This involves modifying the MpEnablePus registry value within the Windows Defender MpEngine settings, specifically setting it to 0x00000000. This action effectively disables key features of Windows Defender, creating a window of opportunity for malware to execute undetected. The observed registry modification is a strong indicator of malicious intent, allowing attackers to gain a foothold and further compromise the system. The DFIR Report has documented instances of this technique being used in conjunction with IcedID leading to XingLocker ransomware deployment.
Attack Chain
- Initial access is gained through an unknown method (e.g., phishing, exploit).
- The attacker obtains elevated privileges on the compromised system.
- The attacker modifies the registry value MpEnablePus to 0x00000000 under the path HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine.
- This registry change disables key Windows Defender features, weakening the endpoint's defenses.
- The attacker deploys malware, such as IcedID, which can now operate with reduced interference from the disabled security product.
- The malware establishes persistence through various mechanisms (e.g., scheduled tasks, registry run keys).
- The attacker performs reconnaissance to identify valuable data and systems within the network.
- The attacker moves laterally to other systems, potentially deploying ransomware such as XingLocker.
Impact
Successful disabling of Windows Defender can lead to widespread malware infection and data compromise. Organizations may experience data breaches, financial losses, and reputational damage. The IcedID malware has been linked to XingLocker ransomware deployment, demonstrating the potential for significant impact following a successful attack. Disabling Windows Defender increases the dwell time of attackers and the likelihood of successful lateral movement and data exfiltration.
Recommendation
- Enable Sysmon EventID 13 to capture registry modifications on endpoints.
- Deploy the Sigma rule “Detect Defender MpEngine Disabled via Registry Modification” to identify suspicious registry changes related to Windows Defender.
- Investigate any alerts generated by the Sigma rule, prioritizing systems where other suspicious activities have been observed.
- Ensure Sysmon TA version 2.0 or higher is installed for accurate registry monitoring.
- Review and harden Windows Defender configuration policies to prevent unauthorized modifications of critical settings.
Detection coverage (2 rules)
Detect Defender MpEngine Disabled via Registry Modification
Severity: high. Detects attempts to disable Windows Defender by modifying the MpEnablePus registry value.
Detect Suspicious Process Modifying Windows Defender Registry
Severity: medium. Detects a process modifying the Windows Defender MpEngine registry that is not a known system process.
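The following Python script is an added example and is not one of the platform's own detection queries (those are not shown on this page). It applies the logic the two rules above describe to a handful of constructed Sysmon Event ID 13 (RegistryEvent, SetValue) records: the high-severity check fires when MpEnablePus under the MpEngine policy key is set to 0x00000000, and the medium-severity check fires when any image outside an allowlist of known system processes writes to that key. The field names (EventID, EventType, TargetObject, Details, Image) follow Sysmon's event schema and the "DWORD (0x00000000)" Details format Sysmon emits for DWORD values; the allowlist of legitimate writers is an assumption for illustration and would need tuning to your environment.

```python
"""Flag Sysmon Event ID 13 records that disable Windows Defender via the
MpEnablePus value, plus a lower-severity check for any non-system process
touching the MpEngine policy key. All events below are constructed samples."""
import re

# Policy key and value named on the page (matched case-insensitively).
MPENGINE_KEY = r"\Software\Policies\Microsoft\Windows Defender\MpEngine"
TARGET_VALUE = "MpEnablePus"

# Assumed allowlist of images that legitimately write Defender policy
# (assumption for this example, not a vetted list; tune per environment).
KNOWN_SYSTEM_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\gpupdate.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

RULE_HIGH = "Detect Defender MpEngine Disabled via Registry Modification"
RULE_MEDIUM = "Detect Suspicious Process Modifying Windows Defender Registry"

# Sysmon renders DWORD registry data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]{8})\)")


def detail_to_int(details):
    """Parse Sysmon's DWORD Details string; None if it is not a DWORD."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def targets_mpengine(target_object):
    """True when the written value lives under the MpEngine policy key."""
    return MPENGINE_KEY.lower() in target_object.lower()


def check_event(event):
    """Return a list of (rule_name, severity) hits for one Sysmon event."""
    hits = []
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return hits
    target = event.get("TargetObject", "")
    if not targets_mpengine(target):
        return hits
    value_name = target.rsplit("\\", 1)[-1]
    if (value_name.lower() == TARGET_VALUE.lower()
            and detail_to_int(event.get("Details")) == 0):
        hits.append((RULE_HIGH, "high"))
    if event.get("Image", "").lower() not in KNOWN_SYSTEM_IMAGES:
        hits.append((RULE_MEDIUM, "medium"))
    return hits


def scan(events):
    """Return (event index, rule, severity) for every hit across the input."""
    return [(i, rule, sev) for i, ev in enumerate(events)
            for rule, sev in check_event(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus",
     "Details": "DWORD (0x00000000)"},            # attacker disables the feature
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpEnablePus",
     "Details": "DWORD (0x00000001)"},            # Group Policy re-enables it
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine\MpCloudBlockLevel",
     "Details": "DWORD (0x00000002)"},            # unexpected writer, other value
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\updater.exe"},  # unrelated key, ignored here
]

if __name__ == "__main__":
    for idx, rule, sev in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{sev}] event {idx}: {rule} (image={ev['Image']})")
```

The first sample record triggers both rules, which is the expected overlap: the medium rule is the broader net that also catches writes to other MpEngine values by unexpected processes, while the high rule pins down the exact MpEnablePus = 0 change the page describes. When triaging, treat a high hit as the priority and use the medium hits on the same host to reconstruct what else the process changed.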