Threat Feed
Advisory severity: high

Windows Defender Infection Reporting Disabled via Registry Modification

Attackers modify the Windows registry to disable Windows Defender's infection reporting, preventing detailed threat information from reaching Microsoft and potentially allowing malware to evade detection.

This brief addresses a technique where attackers modify the Windows registry to disable Windows Defender’s infection reporting mechanism. The target is the “DontReportInfectionInformation” value under the “Microsoft\MRT” key. By setting that value’s data to “0x00000001”, attackers prevent Windows Defender from sending detailed threat information to Microsoft, hindering effective threat analysis and response. This activity, usually performed post-compromise, is intended to evade detection and maintain persistence in the compromised environment. The privacy.sexy project, a known tool for modifying Windows settings, can be used to perform this action. Disabling this reporting increases the attacker’s chances of achieving their objectives without being detected.

Attack Chain

  1. Initial compromise of the system through unspecified means.
  2. Attacker gains elevated privileges to modify the registry.
  3. The attacker uses a tool or script to modify the DontReportInfectionInformation registry key.
  4. The registry value data for HKLM\SOFTWARE\Microsoft\MRT\DontReportInfectionInformation is set to 0x00000001.
  5. Windows Defender is no longer able to report detailed infection information to Microsoft.
  6. Malware operates without triggering detailed reporting, evading detection.
  7. The attacker establishes persistence on the system.
  8. The attacker performs lateral movement or data exfiltration.

Impact

Disabling Windows Defender’s infection reporting prevents crucial threat data from reaching Microsoft, hindering global threat intelligence efforts. On individual systems, this can lead to prolonged malware infections, data breaches, and unauthorized access. Since Windows Defender is a default security control on Windows systems, disabling its reporting mechanisms can significantly degrade the overall security posture. If successful, attackers can maintain persistence, move laterally within the network, and exfiltrate sensitive data without triggering alerts based on standard threat reporting.

Recommendation

  • Deploy the provided Sigma rule to your SIEM to detect modifications to the DontReportInfectionInformation registry key (see “Detect Windows Defender Infection Reporting Disabled”).
  • Investigate any alerts generated by the Sigma rule to determine if the modification was legitimate or malicious.
  • Implement strict access controls to limit registry modification privileges to authorized users and processes only.
  • Monitor for processes accessing and modifying registry keys related to Windows Defender configuration (see “Detect Processes Modifying Windows Defender Settings”).
  • Enable Sysmon Event ID 13 to collect registry modification events on endpoints.

Detection coverage (2 rules)

Detect Windows Defender Infection Reporting Disabled

Severity: high

Detects modification of the DontReportInfectionInformation registry key to disable Windows Defender infection reporting.

Format: Sigma. Tactics: defense_evasion. Log sources: registry_set, windows.

Detect Processes Modifying Windows Defender Settings

Severity: medium

Detects processes attempting to modify Windows Defender settings through registry changes.

Format: Sigma. Tactics: defense_evasion. Techniques: T1562.001. Log sources: registry_set, windows.
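The two rules above match on registry_set events; the following added example (written for this brief, not the platform's own Sigma rule) shows the same logic applied to constructed Sysmon Event ID 13 records, alerting only when DontReportInfectionInformation is set to DWORD 1 and ignoring the value being reset to 0. The ends-with match on the value path is an assumption that also covers the Policies\Microsoft\MRT location, not only the Microsoft\MRT path named in the brief.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records, shaped as a
# SIEM would present them after parsing the event XML. Not taken from any real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\MRT\\DontReportInfectionInformation",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\MRT\\Version",
     "Details": "DWORD (0x00000005)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\MRT\\DontReportInfectionInformation",
     "Details": "DWORD (0x00000000)"},  # reporting re-enabled: must not alert
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetObject": "", "Details": ""},  # process-create event, wrong log source
]

# Assumption: match the value name under either Microsoft\MRT or Policies\Microsoft\MRT.
TARGET_RE = re.compile(r"\\Microsoft\\MRT\\DontReportInfectionInformation$", re.IGNORECASE)


def is_reporting_disabled(event):
    """Sigma-style condition: registry_set event, target value matches, data is DWORD 1."""
    if event.get("EventID") != 13:
        return False
    if not TARGET_RE.search(event.get("TargetObject", "")):
        return False
    # Sysmon renders DWORD data as "DWORD (0x00000001)"; only that exact value disables reporting.
    return event.get("Details", "").strip().upper() == "DWORD (0X00000001)"


def detect(events):
    """Return one alert per matching event with the fields an analyst needs for triage."""
    alerts = []
    for ev in events:
        if is_reporting_disabled(ev):
            alerts.append({"severity": "high", "technique": "T1562.001",
                           "image": ev["Image"], "target": ev["TargetObject"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Triage the `image` field of each alert against the process that legitimately manages this setting in your environment; anything else warrants investigation as the brief recommends.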
