Threat Feed advisory (severity: high)

Detecting Disabling of Windows Defender Sample Submission

An attacker modifies the Windows registry to disable the Windows Defender Submit Samples Consent feature, preventing the submission of suspicious files for analysis, and potentially evading detection.

Attackers are increasingly targeting endpoint detection capabilities to evade security controls. One specific technique involves disabling Windows Defender's ability to automatically submit samples to Microsoft for analysis. By modifying the SubmitSamplesConsent registry value to 0, attackers can prevent suspicious files from being sent for further scrutiny, effectively cutting Defender off from cloud analysis of those files. This can lead to successful malware execution and system compromise, as seen in incidents involving malware such as IcedID and XingLocker ransomware. This activity has been observed since late 2021 and remains a relevant evasion tactic. Detecting this registry modification is crucial for maintaining endpoint security.

Attack Chain

  1. The attacker gains initial access to the system (e.g., via phishing or exploit).
  2. The attacker escalates privileges to gain administrative rights.
  3. The attacker uses a tool like reg.exe or PowerShell to modify the registry.
  4. The attacker targets the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet.
  5. The attacker changes the SubmitSamplesConsent value to 0x00000000.
  6. Windows Defender is now prevented from automatically submitting samples.
  7. The attacker executes malware on the system without automatic sample submission.
  8. The attacker achieves their objective, such as data theft or ransomware deployment.

Impact

Disabling Windows Defender’s sample submission feature allows attackers to execute malicious code undetected. This can lead to data breaches, system compromise, and ransomware infections. The DFIR Report has documented instances where disabling AV features was a critical step in successful ransomware attacks. Organizations that fail to detect this activity are at increased risk of significant financial and operational damage.

Recommendation

  • Collect Sysmon EventID 13 (RegistryEvent: value set) to monitor registry modifications.
  • Deploy the Sigma rule "Disable Defender Submit Samples Consent Feature" to detect the registry modification.
  • Investigate any endpoint where the SubmitSamplesConsent registry value is set to 0x00000000 in the specified registry path.
  • Ensure Sysmon TA version 2.0 or later is installed for proper log ingestion.

Detection coverage (2 rules)

Disable Defender Submit Samples Consent Feature

Severity: high

Detects modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature.

Type: Sigma | Tactics: defense_evasion | Sources: registry_set, windows

Disable Defender Submit Samples Consent Feature - PowerShell

Severity: high

Detects disabling of the Windows Defender Submit Samples Consent feature via PowerShell.

Type: Sigma | Tactics: defense_evasion | Sources: process_creation, windows
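The two rules above are described only by their sources and tactic; the following is an added example, written for this advisory and not the platform's or SigmaHQ's own rule code, of the matching logic each one needs, run over constructed Sysmon events. The registry_set matcher implements the first rule (Sysmon EventID 13, TargetObject ending in the SpyNet\SubmitSamplesConsent path named in the attack chain, Details of DWORD (0x00000000)); the process_creation matcher implements the PowerShell rule. Assumptions not stated on the page: the PowerShell rule keys on Defender's Set-MpPreference cmdlet and its -SubmitSamplesConsent parameter; the suffix match also covers the policy hive path under HKLM\SOFTWARE\Policies; and the example goes slightly beyond the page by also flagging the value 2 (NeverSend), which suppresses submission as well. Sample events are constructed, not real telemetry.

```python
"""Detection logic for Defender sample-submission tampering, run over
constructed Sysmon events. Example code for this advisory, not the
platform's own rules."""
import re
from dataclasses import dataclass
from typing import Optional

# Registry location named in the advisory. Matching on the suffix also covers
# the policy hive path (assumption: HKLM\SOFTWARE\Policies\Microsoft\Windows
# Defender\SpyNet), which Sysmon logs with the same value name.
TARGET_SUFFIX = r"\windows defender\spynet\submitsamplesconsent"

# Sysmon EventID 13 renders DWORD data as "DWORD (0x00000000)". 0 is the value
# the advisory describes; 2 (NeverSend) is flagged too, since it also stops
# submissions.
DISABLING_DATA = {"DWORD (0x00000000)", "DWORD (0x00000002)"}

# Assumption: the PowerShell rule keys on Defender's Set-MpPreference cmdlet
# with -SubmitSamplesConsent set to 0 or 2 (space or colon separated).
PS_PATTERN = re.compile(
    r"Set-MpPreference\b.*?-SubmitSamplesConsent[\s:]+[02]\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Alert:
    rule: str       # which of the two rules fired
    host: str       # Sysmon "Computer" field
    image: str      # process that made the change
    evidence: str   # registry target or command line


def match_registry_set(event: dict) -> Optional[Alert]:
    """Rule 'Disable Defender Submit Samples Consent Feature' (registry_set)."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not target.lower().endswith(TARGET_SUFFIX):
        return None
    if event.get("Details") not in DISABLING_DATA:
        return None
    return Alert("registry_set", event["Computer"], event["Image"], target)


def match_powershell(event: dict) -> Optional[Alert]:
    """Rule '... - PowerShell' (process_creation, Sysmon EventID 1)."""
    if event.get("EventID") != 1:
        return None
    cmd = event.get("CommandLine", "")
    if not PS_PATTERN.search(cmd):
        return None
    return Alert("process_creation", event["Computer"], event["Image"], cmd)


def run_detection(events: list) -> list:
    """Apply both matchers to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for matcher in (match_registry_set, match_powershell):
            hit = matcher(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample events using Sysmon field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # should fire: value written to 0 under the SpyNet key
        "EventID": 13, "Computer": "WS01",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent",
        "Details": "DWORD (0x00000000)",
    },
    {   # benign: Defender itself leaves submission enabled
        "EventID": 13, "Computer": "WS01",
        "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent",
        "Details": "DWORD (0x00000001)",
    },
    {   # should fire: PowerShell sets the preference to 0
        "EventID": 1, "Computer": "WS02",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -SubmitSamplesConsent 0"',
    },
    {   # benign: an administrator only reads the current setting
        "EventID": 1, "Computer": "WS02",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-MpPreference | Select-Object SubmitSamplesConsent"',
    },
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host} image={a.image} evidence={a.evidence}")
```

Run against the constructed events, the registry_set matcher fires once (reg.exe on WS01) and the process_creation matcher once (powershell.exe on WS02); the Defender service write and the read-only Get-MpPreference call are left alone. In production the same two checks would be expressed as Sigma `TargetObject|endswith` / `Details` and `CommandLine|contains|all` selections, with the Image field used to tune out the Defender platform's own writes.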
