Threat Feed
high advisory

Windows Defender Health Check Interval Modification

This analytic detects modifications to the Windows registry, specifically targeting the `ServiceKeepAlive` value, to impair Windows Defender's ability to perform timely health checks, potentially leading to a vulnerable system state.

Attackers may attempt to disable or delay security scans by modifying Windows Defender's health check interval, which is done by altering the ServiceKeepAlive registry value. The change can prevent timely detection of malware or other malicious activity, increasing the risk to the system. The analytic matches the registry path *\\Windows Defender\\ServiceKeepAlive (wildcarded on the hive and parent key) with registry value data 0x00000001. This technique has been observed in the wild, as reported on X (formerly Twitter), and it is also one of the tweaks applied by privacy-enhancing tools such as privacy.sexy, so a benign source for the same change exists. Either way, it shows why registry modifications to Windows Defender's configuration are worth monitoring.

Attack Chain

  1. Attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
  2. The attacker obtains an elevated context (e.g., via a UAC bypass or a privilege escalation vulnerability), since writing under HKLM requires administrative rights.
  3. The elevated process writes the Windows Registry value HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceKeepAlive (e.g., with reg.exe or PowerShell's Set-ItemProperty).
  4. The registry_value_data is set to 0x00000001 (REG_DWORD 1), which may disable or delay health checks.
  5. Windows Defender health checks are impaired, reducing the frequency or effectiveness of scans.
  6. Malware or malicious activity remains undetected due to the reduced scan frequency.
  7. The attacker maintains persistence and further compromises the system, potentially leading to data theft or ransomware deployment.

Impact

Successful modification of Windows Defender health check intervals can lead to a significant decrease in the system’s ability to detect and respond to threats. This can result in undetected malware infections, data breaches, and system compromise. While the number of direct victims is unknown, the widespread use of Windows Defender makes this a potentially impactful technique across various sectors.

Recommendation

  • Deploy the Sigma rule Registry Modification of Windows Defender Health Check Interval to your SIEM to detect malicious registry changes.
  • Monitor Sysmon Event ID 13 (RegistryEvent, value set) for a TargetObject ending in \Windows Defender\ServiceKeepAlive with Details of DWORD (0x00000001); the matching Sysmon Event ID 1 process-creation event carries the command line that performed the write.
  • Investigate any alerts generated by the Sigma rule, paying close attention to the dest and process_guid fields so the write can be tied back to the writing process, its parent and the user context.
  • Use the provided references to understand the context of this technique in real-world attacks.
  • Tune the provided filter macro windows_impair_defense_change_win_defender_health_check_intervals_filter to minimize false positives: the wildcarded path also matches HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\ServiceKeepAlive, where Group Policy writes the same value, and tools such as privacy.sexy set it as well, so allow-list known administrative writers rather than suppressing the rule outright.
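The following block is an added example, not code from the advisory or from the Sigma/Splunk rules it describes. It runs both detections from the coverage section over a handful of constructed Sysmon-style records: the high rule on Event ID 13 (registry value set) matching a TargetObject that ends in \Windows Defender\ServiceKeepAlive with Details DWORD (0x00000001), and the medium rule on Event ID 1 (process creation) whose command line writes that value with reg.exe or Set-ItemProperty, which is the write from step 3 of the attack chain. The allow-list of writer images stands in for the page's filter macro; its contents, the sample events, GUIDs and host names are all assumptions.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample telemetry shaped like Sysmon EventData fields (not real logs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Event ID 13: reg.exe sets ServiceKeepAlive to 1 -> high rule should fire
        "EventID": "13", "Computer": "WS01", "ProcessGuid": "{11111111-1111-1111-1111-111111111111}",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceKeepAlive",
        "Details": "DWORD (0x00000001)",
    },
    {   # Event ID 13: same value set to 0 -> data condition not met, no alert
        "EventID": "13", "Computer": "WS01", "ProcessGuid": "{22222222-2222-2222-2222-222222222222}",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceKeepAlive",
        "Details": "DWORD (0x00000000)",
    },
    {   # Event ID 1: the reg.exe command line behind the first write -> medium rule
        "EventID": "1", "Computer": "WS01", "ProcessGuid": "{11111111-1111-1111-1111-111111111111}",
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v ServiceKeepAlive /t REG_DWORD /d 1 /f',
    },
    {   # Event ID 1: PowerShell performing the same write -> medium rule
        "EventID": "1", "Computer": "WS02", "ProcessGuid": "{33333333-3333-3333-3333-333333333333}",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -Name ServiceKeepAlive -Value 1"''',
    },
    {   # Event ID 13 on an unrelated Defender value -> outside this rule's scope
        "EventID": "13", "Computer": "WS02", "ProcessGuid": "{44444444-4444-4444-4444-444444444444}",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "Details": "DWORD (0x00000005)",
    },
]

# High rule: registry path *\Windows Defender\ServiceKeepAlive with data 0x00000001.
# Sysmon renders a REG_DWORD write in the Details field as "DWORD (0x00000001)".
TARGET_VALUE_RE = re.compile(r"\\Windows Defender\\ServiceKeepAlive$", re.IGNORECASE)
TARGET_DATA = "DWORD (0x00000001)"

# Medium rule: a process whose command line writes the value via reg add or the
# PowerShell registry cmdlets. The name check is done separately on the command line.
WRITER_RE = re.compile(r"(\breg(\.exe)?\b.*\badd\b|set-itemproperty|new-itemproperty)", re.IGNORECASE)

# Stand-in for the page's filter macro: writer images treated as known-good.
# Empty by default; populate per environment (assumption, tune locally).
DEFAULT_ALLOWED_IMAGES: frozenset = frozenset()


def registry_set_match(event: Dict[str, str], allowed_images: Iterable[str] = DEFAULT_ALLOWED_IMAGES) -> bool:
    """True when a Sysmon Event ID 13 record sets ServiceKeepAlive to 1 from a non-allow-listed image."""
    if event.get("EventID") != "13":
        return False
    if not TARGET_VALUE_RE.search(event.get("TargetObject", "")):
        return False
    if event.get("Details", "") != TARGET_DATA:
        return False
    allowed = {img.lower() for img in allowed_images}
    return event.get("Image", "").lower() not in allowed


def process_creation_match(event: Dict[str, str]) -> bool:
    """True when a Sysmon Event ID 1 command line writes the ServiceKeepAlive value."""
    if event.get("EventID") != "1":
        return False
    cmd = event.get("CommandLine", "")
    return "servicekeepalive" in cmd.lower() and WRITER_RE.search(cmd) is not None


def run_detections(events: Iterable[Dict[str, str]], allowed_images: Iterable[str] = DEFAULT_ALLOWED_IMAGES) -> List[Dict[str, str]]:
    """Apply both rules and return alerts carrying the dest and process_guid fields to pivot on."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if registry_set_match(ev, allowed_images):
            alerts.append({"rule": "Registry Modification of Windows Defender Health Check Interval",
                           "severity": "high", "dest": ev.get("Computer", ""),
                           "process_guid": ev.get("ProcessGuid", ""), "image": ev.get("Image", "")})
        if process_creation_match(ev):
            alerts.append({"rule": "Process Modifying Windows Defender Health Check Registry Key",
                           "severity": "medium", "dest": ev.get("Computer", ""),
                           "process_guid": ev.get("ProcessGuid", ""), "image": ev.get("Image", "")})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']} on {alert['dest']} guid={alert['process_guid']}")
```

The registry rule keys on Details rather than on the raw DWORD, because that is the string Sysmon actually emits; a value reset to 0 produces an Event ID 13 too but is deliberately not alerted. Sharing the ProcessGuid between the Event ID 1 and Event ID 13 records is what lets the two alerts be joined during triage, which is why the recommendation singles out process_guid.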

Detection coverage (2 rules)

Registry Modification of Windows Defender Health Check Interval

high

Detects modifications to the Windows Registry that change the health check interval of Windows Defender.

sigma | tactics: defense_evasion | sources: registry_set, windows

Process Modifying Windows Defender Health Check Registry Key

medium

Detects processes that modify the Windows Defender ServiceKeepAlive registry value, based on the command line of the writing process.

sigma | tactics: defense_evasion | sources: process_creation, windows
