Windows Defender Disabled Via SystemSettingsAdminFlows.EXE
Threat actors are observed abusing the legitimate Windows utility `SystemSettingsAdminFlows.exe` to disable or modify Windows Defender settings, a defense impairment technique utilized in post-exploitation stages of campaigns, including ransomware.
Threat actors are observed abusing SystemSettingsAdminFlows.exe, a legitimate Windows component, to disable Windows Defender as a crucial step in their attack chains. This technique, identified in ransomware campaigns like LockBit, allows attackers to bypass endpoint detection and response (EDR) mechanisms, facilitating further malicious activities such as payload execution and data exfiltration. The abuse typically occurs post-compromise, leveraging the tool's administrative capabilities to impair security defenses. While SystemSettingsAdminFlows.exe is intended for legitimate administrative tasks, its misuse poses a significant threat, enabling attackers to persist and achieve their objectives with reduced interference from host-based security software.
Attack Chain
- Initial Access: Threat actors gain initial access to a target system, often through the exploitation of vulnerabilities (e.g., Apache ActiveMQ) or successful phishing campaigns, establishing a foothold.
- Execution & Staging: Following initial access, attackers execute initial payloads, often living-off-the-land binaries or scripts, to establish persistence, perform reconnaissance, and stage further tools.
- Privilege Escalation: Adversaries may escalate privileges to administrative levels necessary to modify system settings and security configurations, or compromise an account with sufficient privileges.
- Defense Impairment: The attacker leverages the
SystemSettingsAdminFlows.exeutility with specific command-line arguments (e.g.,defender RealTimeProtection 0) to disable or modify Windows Defender's real-time protection and other security features. - Malware Deployment: With defenses impaired, actors deploy primary malicious payloads, such as ransomware encryptors (e.g., LockBit) or data exfiltration tools, avoiding immediate detection.
- Impact & Objective Achievement: The deployed malware executes, leading to data encryption, system disruption, data exfiltration, and ultimately achieving the attacker's objectives, typically financial gain through ransom demands.
Impact
Successful exploitation of this technique significantly degrades a system's defensive posture, allowing threat actors to proceed with their attack objectives unhindered. This can lead to the successful deployment and execution of ransomware, resulting in widespread data encryption, system unavailability, and substantial financial losses from recovery efforts and ransom payments. Additionally, data exfiltration becomes more feasible, exposing sensitive information and incurring regulatory fines and reputational damage. The ability to disable core security tools like Windows Defender is a critical enabler for many advanced persistent threats and ransomware groups.
Recommendation
- Deploy the Sigma rule "Windows Defender Disabled Via SystemSettingsAdminFlows.EXE" to your SIEM and tune for your environment to detect suspicious use of the utility.
- Enable Sysmon process-creation logging to capture
ImageandCommandLinedetails forSystemSettingsAdminFlows.exeexecutions. - Review and restrict administrative privileges across your environment to limit an attacker's ability to execute defense impairment techniques.
- Implement application control solutions to prevent unauthorized execution of
SystemSettingsAdminFlows.exeor other LOLBINs by non-privileged accounts.
Detection coverage 1
Windows Defender Disabled Via SystemSettingsAdminFlows.EXE
highDetects the usage of SystemSettingsAdminFlows.exe to disable or enable Windows Defender settings via specific command-line arguments, a common defense impairment technique.
Detection queries are available on the platform. Get full rules →