Skip to content
Threat Feed
medium advisory

Microsoft Defender Tampering via Registry Modification

Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior by modifying specific registry keys and values.

Attackers frequently attempt to disable or modify Microsoft Defender settings to evade detection and maintain persistence within a compromised environment. This involves altering registry keys that control various Defender features, such as real-time monitoring, behavior monitoring, exploit protection, and tamper protection. By setting specific registry values to disable these features, attackers can significantly reduce the effectiveness of the built-in security measures, allowing them to execute malicious code and move laterally without being detected. This activity is commonly observed after initial access is gained, and before deploying more sophisticated payloads or establishing command and control. This type of behavior was observed in conjunction with IcedID and XingLocker ransomware, highlighting the importance of monitoring for these defense evasion attempts.

Attack Chain

  1. Initial Access: The attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.
  2. Privilege Escalation (if needed): The attacker escalates privileges to gain administrative access, enabling them to modify system settings.
  3. Registry Modification: The attacker modifies specific registry keys to disable Microsoft Defender features. This includes keys related to real-time protection (DisableRealtimeMonitoring), behavior monitoring (DisableBehaviorMonitoring), and exploit protection (DisallowExploitProtectionOverride).
  4. Disable Real-time Monitoring: The attacker sets the DisableRealtimeMonitoring registry value to 1 (or 0x00000001) under HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection.
  5. Disable Tamper Protection: The attacker sets the TamperProtection registry value to 0 (or 0x00000000) under HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features.
  6. Disable PUA Protection: The attacker sets the PUAProtection registry value to 0 (or 0x00000000) under HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender.
  7. Payload Deployment: With Defender disabled, the attacker deploys malicious payloads such as malware, ransomware, or credential theft tools.
  8. Lateral Movement: The attacker leverages the compromised system to move laterally within the network, targeting additional systems and data.

Impact

Successful tampering of Microsoft Defender can lead to widespread malware infections, data breaches, and ransomware deployment. With Defender disabled, systems become vulnerable to a wide range of threats. This can result in significant financial losses, reputational damage, and operational disruption. The absence of real-time protection allows attackers to execute malicious code without immediate detection, increasing the dwell time and potential impact of the attack. In cases where ransomware is deployed, the entire organization's data can be encrypted, leading to significant downtime and recovery costs.

Recommendation

  • Deploy the Sigma rule "Microsoft Windows Defender Tampering" to your SIEM to detect malicious registry modifications (see "rules" section).
  • Enable Sysmon process creation and registry event logging to provide necessary data for the Sigma rules to function.
  • Investigate any alerts generated by the Sigma rule by examining the process execution chain and validating the activity is not related to legitimate system administration tasks.
  • Review and enforce the principle of least privilege to limit the ability of users to modify critical system settings.

Detection coverage 3

Microsoft Defender DisableAntiSpyware Registry Modification

high

Detects modification of the DisableAntiSpyware registry value, which disables Microsoft Defender.

sigma tactics: defense_evasion techniques: T1562.001 sources: registry_set, windows

Microsoft Defender TamperProtection Registry Modification

high

Detects modification of the TamperProtection registry value, which disables tamper protection in Microsoft Defender.

sigma tactics: defense_evasion techniques: T1562.001 sources: registry_set, windows

Microsoft Defender RealtimeMonitoring Disabled

high

Detects modification of the DisableRealtimeMonitoring registry value, disabling real-time monitoring.

sigma tactics: defense_evasion techniques: T1562.001 sources: registry_set, windows

Detection queries are available on the platform. Get full rules →