{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/trend-micro-security-agent/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Microsoft Defender","Elastic Defend","Elastic Endgame","Trend Micro Security Agent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior within compromised Windows environments. This is often achieved by modifying specific registry keys that control the behavior and functionality of Defender components, such as real-time monitoring, exploit protection, and tamper protection itself. Such actions can significantly reduce the effectiveness of endpoint security, allowing malicious activities to proceed undetected. The references point to techniques that disable PUA protection, tamper protection, memory integrity, and real-time protection. This behavior is observed across various attack scenarios, including ransomware deployment and cryptocurrency mining campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified vector (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker obtains elevated privileges on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses an administrative tool like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker disables real-time monitoring by setting \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring\u003c/code\u003e to 1.\u003c/li\u003e\n\u003cli\u003eThe attacker disables tamper protection by setting \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection\u003c/code\u003e to 0.\u003c/li\u003e\n\u003cli\u003eThe attacker disables PUA Protection by setting \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection\u003c/code\u003e to 0.\u003c/li\u003e\n\u003cli\u003eWith Defender weakened, the attacker executes malicious payloads, such as ransomware or cryptocurrency miners.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with Microsoft Defender can lead to a significant degradation of endpoint security posture. This can result in undetected malware infections, data breaches, and system compromise. Disabling Defender features can allow attackers to establish persistence, escalate privileges, and deploy malicious payloads without triggering alerts. The impact can range from individual system compromise to widespread network infection, depending on the attacker\u0026rsquo;s objectives and the extent of the tampering.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Windows Defender Tampering - Disable Realtime Monitoring\u0026rdquo; to your SIEM to detect modifications to the \u003ccode\u003eDisableRealtimeMonitoring\u003c/code\u003e registry value.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Windows Defender Tampering - Disable Tamper Protection\u0026rdquo; to detect modifications to the \u003ccode\u003eTamperProtection\u003c/code\u003e registry value.\u003c/li\u003e\n\u003cli\u003eMonitor registry modification events, specifically targeting keys associated with Microsoft Defender settings as described in the rule query.\u003c/li\u003e\n\u003cli\u003eInvestigate any process modifying Windows Defender registry settings that are not explicitly authorized, referencing the process exclusions in the rule query.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-tampering/","summary":"Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.","title":"Microsoft Defender Tampering via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Trend Micro Security Agent","version":"https://jsonfeed.org/version/1.1"}