Threat Feed
high advisory

Windows Defender ASR or Threat Configuration Tampering

Adversaries tamper with Windows Defender's Attack Surface Reduction (ASR) rules or its default actions for specific threats using the Add-MpPreference or Set-MpPreference PowerShell cmdlets, so that code Defender would otherwise block or quarantine can run undetected.

Attackers weaken or disable Windows Defender's protections so that later activity is neither blocked nor flagged. The technique described here uses the Defender PowerShell cmdlets Add-MpPreference and Set-MpPreference (Add appends to an existing preference list, Set overwrites it) to change two configuration lists: the per-rule actions of Attack Surface Reduction (ASR) rules, via -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions, and the default action Defender takes for particular threat IDs, via -ThreatIDDefaultAction_Ids and -ThreatIDDefaultAction_Actions. Setting an ASR rule's action to Disabled (or to AuditMode, which only logs) removes the block the rule would have applied; setting a threat's default action to Allow or NoAction lets a detected threat run or stay on disk instead of being quarantined. The behaviour is seen where adversaries want to execute tooling Defender would otherwise stop, establish persistence and keep a foothold, and it normally follows the acquisition of administrative rights, since both cmdlets have to run from an elevated session.

Attack Chain

  1. Initial Access: The attacker gains initial access to the system through an unspecified method.
  2. Privilege Escalation (if needed): The attacker obtains administrative rights; Add-MpPreference and Set-MpPreference must be run from an elevated PowerShell session.
  3. Discovery: The attacker enumerates the current Defender configuration, typically with Get-MpPreference, to see which ASR rules are enforced and how detected threats are handled.
  4. Defense Evasion: The attacker runs Add-MpPreference or Set-MpPreference with -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions, or with -ThreatIDDefaultAction_Ids and -ThreatIDDefaultAction_Actions, often from a PowerShell process spawned by cmd.exe or another unusual parent.
  5. Configuration Change: ASR rule actions are set to Disabled (0) or AuditMode (2) instead of Enabled (1); threat default actions are set to Allow (6) or NoAction (9) instead of Quarantine or Block. The values appear on the command line either as the numbers or as the names, so a detection has to match both forms.
  6. Persistence: With ASR rules weakened, the attacker establishes persistence through methods such as creating scheduled tasks or modifying registry keys.
  7. Execution: The attacker executes malicious code that Windows Defender would have blocked before the configuration was changed.
  8. Impact: The attacker achieves their objectives, such as data theft, system compromise or ransomware deployment, without interference from Windows Defender.

Impact

Successful tampering with Windows Defender's ASR rules or threat default actions lets an attacker bypass detection, maintain persistence and execute malicious activity on the endpoint without interference. If confirmed malicious, the change means endpoint protection on that host can no longer be trusted: malware that Defender would have blocked can now run, and the attacker can operate undetected on the network, with the usual consequences of wider infection, data loss and system compromise.

Recommendation

  • Deploy the Sigma rule Detect Windows Defender ASR Configuration Tampering to your SIEM to detect command-line executions indicative of ASR tampering, and tune it for your environment.
  • Enable Sysmon process creation logging (Event ID 1) so the command-line arguments used with Add-MpPreference and Set-MpPreference are captured; without command lines the rule cannot see the parameters or values.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process, the user and the values supplied: Enabled or Block is hardening, while Disabled, AuditMode, Allow or NoAction weakens protection. Legitimate changes usually come from management tooling or an administrator's interactive session, not from hidden PowerShell spawned by cmd.exe.
  • Review and harden Windows Defender configuration: manage ASR rules and threat actions through Group Policy or Intune, whose settings take precedence over local Set-MpPreference changes, and keep Tamper Protection enabled.
  • Monitor Windows Security event ID 4688 for PowerShell process creation; this requires the Process Creation audit subcategory with "Include command line in process creation events" enabled, otherwise 4688 does not record the arguments. Also watch the Microsoft-Windows-Windows Defender/Operational log for event ID 5007 (configuration changed), which records preference changes regardless of the tool used to make them.
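As an added example (not part of this advisory and not the platform's Sigma rule or Microsoft code), the following Python models the detection described above, run over constructed Sysmon-style process-creation records. It matches Add-MpPreference and Set-MpPreference, extracts the values given to -AttackSurfaceReductionRules_Actions and -ThreatIDDefaultAction_Actions, decodes the numeric forms named in the attack chain (0 Disabled, 6 Allow, 9 NoAction, alongside the other documented values), and separates weakening changes from hardening ones so that a legitimate Enabled does not alert. It goes slightly beyond the page by also matching abbreviated parameter names, which PowerShell accepts. The records, the rule GUID and the threat IDs are placeholders constructed for the example.

```python
"""Flag Add-MpPreference / Set-MpPreference command lines that weaken Defender ASR
rules or threat default actions.  Added example for this advisory, not the
platform's Sigma rule or Microsoft code; records, rule GUID and threat IDs below
are constructed placeholders."""
import re

# Numeric forms accepted by the two parameters (Set-MpPreference documentation).
ASR_ACTIONS = {"0": "Disabled", "1": "Enabled", "2": "AuditMode", "6": "Warn"}
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}
# Values that weaken protection, with a triage severity.  Hardening values
# (Enabled, Block, Quarantine, ...) yield no finding, keeping routine admin quiet.
WEAKENING = {
    "AttackSurfaceReductionRules_Actions": {"Disabled": "high", "AuditMode": "medium", "Warn": "medium"},
    "ThreatIDDefaultAction_Actions": {"Allow": "high", "NoAction": "high"},
}

CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
# PowerShell accepts any unambiguous prefix of a parameter name, so
# "-AttackSurfaceReductionRules_Ac 0" behaves like the full name and a literal
# match on the full name misses it.  The value list runs until the next
# " -Param", a quote or statement separator, or end of string.
PARAM_RE = re.compile(
    r"-(AttackSurfaceReductionRules_A\w*|ThreatIDDefaultAction_A\w*)"
    r"\s+([\w@(),\s]+?)(?=\s+-|[\"';|&]|$)", re.I)


def _canonical(table, token):
    """'6' -> 'Allow', 'allow' -> 'Allow'; unknown tokens pass through unchanged."""
    if token in table:
        return table[token]
    return next((n for n in table.values() if n.lower() == token.lower()), token)


def analyze(record):
    """Return a finding dict for one process-creation record, or None if benign."""
    cmdline = record.get("CommandLine", "")
    cmdlet = CMDLET_RE.search(cmdline)
    if not cmdlet:
        return None
    findings = []
    for pm in PARAM_RE.finditer(cmdline):
        asr = pm.group(1).lower().startswith("attacksurface")
        param = "AttackSurfaceReductionRules_Actions" if asr else "ThreatIDDefaultAction_Actions"
        for token in filter(None, re.split(r"[\s,@()]+", pm.group(2))):
            action = _canonical(ASR_ACTIONS if asr else THREAT_ACTIONS, token)
            severity = WEAKENING[param].get(action)
            if severity:
                findings.append({"parameter": param, "value": token,
                                 "action": action, "severity": severity})
    if not findings:
        return None
    return {"cmdlet": cmdlet.group(0), "image": record.get("Image"),
            "parent": record.get("ParentImage"),  # cmd.exe or an odd parent is a triage signal
            "severity": "high" if any(f["severity"] == "high" for f in findings) else "medium",
            "findings": findings}


def scan(records):
    """Analyze a batch of records and keep only those with findings."""
    return [f for f in map(analyze, records) if f]


RULE_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # placeholder ASR rule GUID
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def _ev(image, parent, cmdline):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}


# Constructed Sysmon-style process-creation records (threat IDs 1001/1002 are placeholders).
SAMPLE_EVENTS = [
    # ASR rule switched off from an interactive PowerShell
    _ev(PS, EXPLORER, f'powershell.exe -Command "Add-MpPreference -AttackSurfaceReductionRules_Ids '
                      f'{RULE_ID} -AttackSurfaceReductionRules_Actions Disabled"'),
    # cmd.exe wrapper; threat default actions set to Allow (6) and NoAction (9)
    _ev(CMD, r"C:\Users\Public\stage.exe", 'cmd.exe /c powershell -w hidden -c "Set-MpPreference '
        '-ThreatIDDefaultAction_Ids 1001,1002 -ThreatIDDefaultAction_Actions 6,9"'),
    # abbreviated parameter name and numeric 0 (Disabled)
    _ev(PS, CMD, f'powershell -c "Set-MpPreference -AttackSurfaceReductionRules_Ids {RULE_ID} '
                 f'-AttackSurfaceReductionRules_Ac 0"'),
    # legitimate hardening: rule enforced, no finding
    _ev(PS, EXPLORER, f'powershell.exe -Command "Set-MpPreference -AttackSurfaceReductionRules_Ids '
                      f'{RULE_ID} -AttackSurfaceReductionRules_Actions Enabled"'),
    # audit-mode rollout: weaker than Block but often legitimate, so medium
    _ev(PS, EXPLORER, f'powershell.exe -Command "Set-MpPreference -AttackSurfaceReductionRules_Ids '
                      f'{RULE_ID} -AttackSurfaceReductionRules_Actions AuditMode"'),
    # read-only query, not a tampering cmdlet
    _ev(PS, EXPLORER, 'powershell.exe -Command "Get-MpPreference"'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["cmdlet"], hit["parent"],
              [(f["parameter"], f["action"]) for f in hit["findings"]])
```

Running it reports four hits: the Disabled rule, the Allow/NoAction pair from the cmd.exe wrapper, the abbreviated-parameter form, and the AuditMode change at medium; the Enabled change and the Get-MpPreference query are not reported. The same limits apply to any command-line rule: changes made through the MSFT_MpPreference WMI class or through policy never contain these cmdlet names, and a PowerShell -EncodedCommand hides them, so pair this with Defender's own configuration-change event (Microsoft-Windows-Windows Defender/Operational event ID 5007) and with periodic Get-MpPreference baselining of the managed fleet.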

Detection coverage (2 rules)

Detect Windows Defender ASR Configuration Tampering

high

Detects the use of Add-MpPreference or Set-MpPreference commands to disable or modify Windows Defender ASR rules or threat actions.

Type: sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: process_creation, windows.

Detect Windows Defender ASR Configuration Tampering via Cmd

high

Detects the use of Add-MpPreference or Set-MpPreference commands via cmd to disable or modify Windows Defender ASR rules or threat actions.

Type: sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: process_creation, windows.

Detection queries are kept inside the platform.