Threat Feed
high advisory

Windows Defender Profile Registry Key Deletion

Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.

This analytic detects the deletion of the Windows Defender main profile registry key, a technique attackers use to impair endpoint defenses. The deletion is monitored via Sysmon Event ID 13, specifically looking for ‘deleted’ actions within the Windows Defender registry path. This activity is often associated with Remote Access Trojans (RATs) and other malware; the “LazyScripter” RAT detailed by Malwarebytes in February 2021, for example, uses similar techniques to disable security products. Successful deletion of this key can disable Windows Defender, allowing attackers to operate with reduced visibility and resistance and enabling further malicious activity on the compromised system.

Attack Chain

  1. Initial access is gained through an unknown vector (e.g., phishing, exploit).
  2. The attacker obtains elevated privileges on the system.
  3. The attacker uses a process (e.g., cmd.exe, powershell.exe) to interact with the registry.
  4. The process attempts to delete the Windows Defender profile registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
  5. Sysmon Event ID 13 logs the registry key deletion event.
  6. Windows Defender is disabled or its configuration is altered due to the registry change.
  7. The attacker proceeds with deploying malware or performing malicious activities without interference from Windows Defender.
  8. Data exfiltration or other objectives are achieved.

Impact

Successful deletion of the Windows Defender profile registry key can severely compromise endpoint security. By disabling or weakening Windows Defender, attackers can operate with reduced visibility, allowing them to deploy malware, steal sensitive data, or establish persistent access without detection. This can lead to data breaches, financial loss, and reputational damage. The scope can range from a single endpoint to an entire organization, depending on the attacker’s objectives and the extent of the compromise.

Recommendation

  • Enable Sysmon Event ID 13 to monitor registry modifications and deletions, which is crucial for triggering the detections in this brief.
  • Deploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment to minimize false positives and ensure accurate detection.
  • Investigate any alerts generated by these rules promptly to identify and contain potential defense evasion attempts.
  • Review and harden registry permissions to prevent unauthorized modifications to critical security settings such as the Windows Defender profile.

Detection coverage (2 rules)

Detect Windows Defender Registry Key Deletion via Sysmon

high

Detects deletion of the Windows Defender registry key using Sysmon Event ID 13, indicating potential defense evasion.

sigma | tactics: defense_evasion | techniques: T1562.001 | sources: registry_set, windows

Detect Process Accessing Windows Defender Registry Key for Deletion

high

Detects processes attempting to delete Windows Defender registry keys, a common tactic for defense evasion.

sigma | tactics: defense_evasion | techniques: T1562.001 | sources: process_creation, windows
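The two rules above, and attack-chain steps 4 and 5, can be illustrated with a small Python detector run over constructed Sysmon events. This is an added example written for this page, not the platform's own queries. It parses Sysmon records in their EVTX XML shape and uses Sysmon's real field names (EventID, EventType, Image, TargetObject, CommandLine). Sysmon tags every registry record with an EventType such as DeleteKey, DeleteValue or SetValue, so the first rule keys on that field plus the Defender policy path rather than on the numeric event ID alone; the second rule inspects process-creation command lines for `reg delete` or `Remove-Item` against the same path. The sample events, including the benign ones that must not alert, are constructed test data.

```python
"""Added example: a toy detector for the two rules above, run over constructed
Sysmon events in EVTX-style XML. It is not the platform's own query logic."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

# Windows event XML namespace, needed for ElementTree lookups.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Registry key named in the advisory. Sysmon renders TargetObject with an HKLM\
# prefix; the comparison is case-insensitive because registry paths are.
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Sysmon EventType values that record a removal (of a key or of a value).
DELETE_EVENT_TYPES = {"DeleteKey", "DeleteValue"}

# Rule 2: command lines that remove a key via reg.exe or PowerShell's Remove-Item.
CMDLINE_DELETE = re.compile(r"\breg(\.exe)?\s+delete\b|\bremove-item\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def targets_defender_key(path):
    """True for the Defender policy key itself or any value/subkey beneath it."""
    key = DEFENDER_POLICY_KEY.lower()
    p = path.lower()
    return p == key or p.startswith(key + "\\")


def rule_registry_deletion(ev):
    """Rule 1: a registry event that deletes the Defender policy key or a value in it."""
    if ev.get("EventType") not in DELETE_EVENT_TYPES:
        return None
    if not targets_defender_key(ev.get("TargetObject", "")):
        return None
    return Alert("defender_registry_key_deletion", ev.get("Image", ""), ev["TargetObject"])


def rule_process_deleting_key(ev):
    """Rule 2: a process-creation event (Sysmon Event ID 1) whose command line removes the key."""
    if ev.get("EventID") != "1":
        return None
    cmd = ev.get("CommandLine", "")
    if "policies\\microsoft\\windows defender" not in cmd.lower():
        return None
    if not CMDLINE_DELETE.search(cmd):
        return None
    return Alert("process_deleting_defender_key", ev.get("Image", ""), cmd)


def run_detections(xml_events):
    """Apply both rules to every event; returns the alerts in event order."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        for rule in (rule_registry_deletion, rule_process_deleting_key):
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def sysmon_xml(event_id, **data):
    """Build a Sysmon-shaped event record. Constructed test data, not real telemetry."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>')


# Constructed sample: attack-chain steps 4-5 plus two benign events that must not alert.
SAMPLE_EVENTS = [
    # The registry side of the deletion (EventType DeleteKey on the policy key).
    sysmon_xml(12, EventType="DeleteKey", Image=r"C:\Windows\System32\reg.exe",
               TargetObject=DEFENDER_POLICY_KEY),
    # The process-creation side of the same action.
    sysmon_xml(1, Image=r"C:\Windows\System32\reg.exe",
               CommandLine=r'reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /f'),
    # Benign: Group Policy writing a value under the key (SetValue, not a deletion).
    sysmon_xml(13, EventType="SetValue", Image=r"C:\Windows\System32\svchost.exe",
               TargetObject=DEFENDER_POLICY_KEY + r"\ExamplePolicyValue", Details="DWORD (0x00000000)"),
    # Benign: deletion of an unrelated key by an unrelated process.
    sysmon_xml(12, EventType="DeleteKey", Image=r"C:\Windows\explorer.exe",
               TargetObject=r"HKU\S-1-5-21-0-0-0-1001\Software\Example\Scratch"),
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.detail}")
```

Running the block yields exactly two alerts, one per rule, both attributed to reg.exe; the SetValue write under the key and the deletion of an unrelated key produce nothing. When tuning for production, the path prefix check is the part to widen or narrow, and the SetValue case is a reminder that the policy key is legitimately written by Group Policy, so only removal events belong in this rule.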
