{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-edge/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Edge","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","registry-abuse"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying attempts to disable the Windows Defender phishing filter by modifying specific registry values. Attackers may attempt to disable this security feature to increase the likelihood of successful phishing attacks, where users are tricked into visiting malicious websites. The detection leverages Sysmon Event ID 13 to monitor changes to registry values associated with Microsoft Edge\u0026rsquo;s phishing filter settings. Disabling this filter allows malicious actors to deceive users into visiting harmful websites without triggering browser warnings. This can lead to potential security incidents, such as malware infections or credential theft, if users unknowingly access compromised sites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through social engineering or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrative privileges on the target system, if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the Windows Registry.\u003c/li\u003e\n\u003cli\u003eThe script or command modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\PhishingFilter\u003c/code\u003e or \u003ccode\u003eHKCU\\SOFTWARE\\Microsoft\\Edge\\PhishingFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe registry value \u0026ldquo;EnabledV9\u0026rdquo; or \u0026ldquo;PreventOverride\u0026rdquo; is set to \u0026ldquo;0x00000000\u0026rdquo; to disable the phishing filter.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that the phishing filter is disabled in Microsoft Edge.\u003c/li\u003e\n\u003cli\u003eThe attacker launches a phishing campaign, directing users to malicious websites.\u003c/li\u003e\n\u003cli\u003eUsers, unaware of the disabled phishing filter, may visit the malicious websites, potentially leading to malware infection or data compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of the Windows Defender phishing filter can significantly increase the risk of successful phishing attacks. Users may unknowingly visit malicious websites, leading to malware infections, credential theft, or other data compromises. This can result in financial losses, reputational damage, and disruption of business operations. While the exact number of potential victims is unknown, the impact could be widespread if the attack is successful on multiple systems within an organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to collect registry modification events, as this is required for the detections in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Windows Defender Phishing Filter Override via Registry Modification\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of registry modifications to the \u003ccode\u003e*\\MicrosoftEdge\\PhishingFilter*\u003c/code\u003e path, especially when \u003ccode\u003eregistry_value_data\u003c/code\u003e is set to \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of phishing attacks and encourage them to be cautious when clicking on links or opening attachments from unknown sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-phishing-filter-override/","summary":"The analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter, potentially allowing attackers to deceive users into visiting malicious websites without browser warnings.","title":"Windows Defender Phishing Filter Override via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-phishing-filter-override/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Edge","version":"https://jsonfeed.org/version/1.1"}