Windows Defender

Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.

Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.

Detection of suspicious Windows processes using DNS queries to determine the external IP address, potentially indicating reconnaissance or preparation for command and control activity.

This brief covers the detection of adversaries disabling Windows Defender services by modifying specific registry keys to set the 'Start' value to '0x00000004', indicating an attempt to evade detection and maintain persistence.

Attackers disable Windows Defender SpyNet reporting by modifying specific registry keys, preventing telemetry data from being sent and allowing malicious activities to go undetected.

An attacker attempts to disable Windows Defender by deleting its context menu entry from the registry, a tactic often used by Remote Access Trojans (RATs) to impair defenses and facilitate further malicious activities.

Attackers modify Windows Registry keys associated with Windows Defender to disable real-time behavior monitoring, a common tactic used by malware to evade detection and persist on compromised systems.

An attacker modifies the Windows registry to disable Windows Defender Controlled Folder Access, a defense evasion technique that weakens protections against unauthorized access and ransomware.

A PowerShell command attempting to remove the Windows Defender directory is detected via PowerShell Script Block Logging, potentially indicating an attacker's attempt to disable endpoint protection for further malicious activities.

The analytic detects the use of `dism.exe` to remove Windows Defender, potentially allowing adversaries to evade detection and carry out further malicious actions.

This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.

An attacker modifies the Windows registry to disable Windows Defender web content evaluation, potentially allowing malicious web content to bypass security checks and compromise the system.

The following analytic detects modifications to the Windows registry specifically targeting the 'WppTracingLevel' setting within Windows Defender, potentially impairing its diagnostic capabilities and allowing attackers to evade detection.

An attacker modifies the Windows Defender ThreatSeverityDefaultAction registry setting to weaken defenses, potentially leading to unaddressed threats and system compromise.

An attacker disables Windows Defender's signature retirement feature by modifying a registry key, potentially reducing its effectiveness in detecting threats by allowing older, less relevant signatures to persist.

An attacker modifies the Windows registry to disable the Windows Defender Scan On Update feature, potentially evading detection and establishing persistence.

Attackers modify the Windows registry to disable Windows Defender generic reports, preventing error reports and potentially hiding malicious activity.

The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature, preventing timely malware definition updates and potentially leading to system compromise.

An attacker modifies the Windows Registry to disable Windows Defender protocol recognition, hindering its ability to detect and respond to malware, potentially leading to successful data exfiltration or system compromise.

Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.

This analytic detects modifications to the Windows registry to disable Windows Defender Network Protection, potentially leaving the system vulnerable to network-based threats.

An attacker modifies the Windows Defender MpEngine registry value to disable key features, potentially allowing malware to evade detection.

Attackers may disable Windows Defender logging by modifying specific registry keys to evade detection and conceal malicious activities.

Attackers modify the Windows registry to disable Windows Defender's infection reporting, preventing detailed threat information from reaching Microsoft and potentially allowing malware to evade detection.

Attackers may disable Windows Defender's ability to compute file hashes by modifying the EnableFileHashComputation registry value, impairing its malware detection capabilities.

Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.

Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.

An attacker modifies the Windows Registry to disable Windows Defender's Enhanced Notification feature, preventing users from receiving security alerts and potentially allowing malicious activities to go unnoticed, ultimately enabling persistence and evasion.

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

An attacker modifies the Windows Registry to disable the Windows Defender BlockAtFirstSeen feature, potentially allowing malware to bypass initial detection and increasing the risk of system compromise.

Adversaries tamper with Windows Defender's Attack Surface Reduction (ASR) rules or threat default actions using Add-MpPreference or Set-MpPreference commands, aiming to bypass the security tool for undetected malicious code execution.

Attackers modify the Windows Registry to disable auditing for Windows Defender Application Guard, hindering security monitoring and enabling malicious activity to go unnoticed.

Attackers modify Windows Defender registry settings to disable antivirus and antispyware protections, evading detection and maintaining persistence.

Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.

This rule identifies suspicious access attempts to the LSASS process, potentially indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.

Attackers are using PowerShell commands with specific Set-MpPreference parameters to disable Windows Defender's real-time behavior monitoring, a common tactic for malware to evade detection and persist on compromised systems.

An attacker modifies the Windows registry to disable the Windows Defender Submit Samples Consent feature, preventing the submission of suspicious files for analysis, and potentially evading detection.

This analytic detects modifications to the Windows registry, specifically targeting the `ServiceKeepAlive` value, to impair Windows Defender's ability to perform timely health checks, potentially leading to a vulnerable system state.

Attackers are abusing the Windows Defender MpCmdRun.exe utility to download remote files, potentially delivering malware or offensive tools into compromised systems.

Detection of modifications to the Windows registry that change the Windows Defender Quick Scan Interval, potentially impairing its ability to detect malware promptly.

An attacker modifies the Windows Registry to disable Windows Defender Potentially Unwanted Application (PUA) protection, increasing the risk of malware installation and system compromise.

Detection of PowerShell commands, specifically `Add-MpPreference` or `Set-MpPreference`, used to create Windows Defender exclusions, enabling attackers to bypass antivirus defenses and execute malicious code undetected.

Attackers use PowerShell commands like Set-MpPreference or Add-MpPreference, often with base64 encoding, to disable or weaken Windows Defender security settings in order to evade detection and execute malicious payloads.