Briefs

An attacker modifies the Windows Registry to disable the Windows Defender BlockAtFirstSeen feature, potentially allowing malware to bypass initial detection and increasing the risk of system compromise.

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

An attacker modifies the Windows Registry to disable Windows Defender's Enhanced Notification feature, preventing users from receiving security alerts and potentially allowing malicious activities to go unnoticed, ultimately enabling persistence and evasion.

Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.

Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.

Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.

Attackers may disable Windows Defender's ability to compute file hashes by modifying the EnableFileHashComputation registry value, impairing its malware detection capabilities.

Attackers modify the Windows registry to disable Windows Defender's infection reporting, preventing detailed threat information from reaching Microsoft and potentially allowing malware to evade detection.

Attackers may disable Windows Defender logging by modifying specific registry keys to evade detection and conceal malicious activities.

An attacker modifies the Windows Defender MpEngine registry value to disable key features, potentially allowing malware to evade detection.

This analytic detects modifications to the Windows registry to disable Windows Defender Network Protection, potentially leaving the system vulnerable to network-based threats.

The analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter, potentially allowing attackers to deceive users into visiting malicious websites without browser warnings.

Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.

An attacker modifies the Windows Registry to disable Windows Defender protocol recognition, hindering its ability to detect and respond to malware, potentially leading to successful data exfiltration or system compromise.

The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature, preventing timely malware definition updates and potentially leading to system compromise.

Attackers modify the Windows registry to disable Windows Defender generic reports, preventing error reports and potentially hiding malicious activity.

An attacker modifies the Windows registry to disable the Windows Defender Scan On Update feature, potentially evading detection and establishing persistence.

An attacker disables Windows Defender's signature retirement feature by modifying a registry key, potentially reducing its effectiveness in detecting threats by allowing older, less relevant signatures to persist.

Attackers modify the Windows Registry to disable Windows Defender SmartScreen App Install Control, potentially allowing the installation of malicious web-based applications without restrictions, leading to system compromise and sensitive information exposure.

Attackers modify the Windows registry to disable SmartScreen prompt overrides, potentially allowing users to bypass security warnings and execute harmful content, leading to system compromise.

An attacker modifies the Windows Defender ThreatSeverityDefaultAction registry setting to weaken defenses, potentially leading to unaddressed threats and system compromise.

An attacker modifies the Windows Defender ThrottleDetectionEventsRate registry setting to reduce the frequency of logged detection events, potentially evading detection.

The following analytic detects modifications to the Windows registry specifically targeting the 'WppTracingLevel' setting within Windows Defender, potentially impairing its diagnostic capabilities and allowing attackers to evade detection.

An attacker modifies the Windows registry to disable Windows Defender web content evaluation, potentially allowing malicious web content to bypass security checks and compromise the system.

Detection of the Windows Event Log service shutdown, indicated by Event ID 1100, which can signify attempts to evade detection by disabling logging.

An attacker modifies the Windows EventLog ChannelAccess registry value to evade defenses by blocking security products from accessing event logs.

This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD', which can be used for defense evasion by attackers.

Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.

Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.

Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.