{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/antivirus/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","registry-modification","antivirus"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers commonly disable Windows Defender to evade detection and keep persistence on compromised systems. The technique is a registry write: the policy values \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eDisableAntiVirus\u003c/code\u003e under \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\u003c/code\u003e are set to 1. The activity matters because, once antivirus protection is off, the attacker can stage and run further tooling undetected, which leads to data theft, full system compromise, and propagation of malware within the network. It has been observed in campaigns involving malware families such as IcedID, Black Basta ransomware, and Cactus ransomware. 
Detecting this write is valuable because it sits early in the attack chain, before the payload the attacker is trying to hide has run.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through phishing, an exploited vulnerability, or a similar method.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains administrative privileges on the target system; the policy key lives under HKLM and is not writable by a standard user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or a direct registry API call from their own tooling to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe policy key \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\u003c/code\u003e is targeted, and created first if it does not yet exist.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e value is set to REG_DWORD \u003ccode\u003e0x00000001\u003c/code\u003e. Despite the historical name, this is the value behind the Turn off Microsoft Defender Antivirus policy setting and switches off the whole engine, not only anti-spyware scanning.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDisableAntiVirus\u003c/code\u003e value is set to \u003ccode\u003e0x00000001\u003c/code\u003e as well; the two values are usually written together.\u003c/li\u003e\n\u003cli\u003eWhere the write takes effect, Windows Defender stops scanning and malware executes without detection. On current Windows 10 and 11 builds with Tamper Protection enabled, Defender ignores \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e, so the attacker has to turn Tamper Protection off first; the registry write itself remains a high-confidence signal of intent either way.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further malicious activity, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOnce Windows Defender is disabled, the host is effectively unprotected against commodity malware and attacker tooling. Attackers can install malware, exfiltrate sensitive data, or deploy ransomware without interference, with the usual consequences of financial loss, reputational damage, and operational disruption.
Observed instances of this technique have been linked to IcedID infections leading to XingLocker ransomware deployment, as well as to the Black Basta and Cactus ransomware families.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (RegistryEvent: Value Set) logging with a rule that covers \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\u003c/code\u003e, so that every write to the two values above produces an event carrying the writing process, the user, the target value and the new data.\u003c/li\u003e\n\u003cli\u003eDeploy detection rules (Sigma, or a Splunk search over the Sysmon data) that match a \u003ccode\u003eTargetObject\u003c/code\u003e ending in \u003ccode\u003e\\Windows Defender\\DisableAntiSpyware\u003c/code\u003e or \u003ccode\u003e\\Windows Defender\\DisableAntiVirus\u003c/code\u003e with \u003ccode\u003eDetails\u003c/code\u003e equal to \u003ccode\u003eDWORD (0x00000001)\u003c/code\u003e; a write of \u003ccode\u003e0x00000000\u003c/code\u003e re-enables Defender and should not raise the same alert.\u003c/li\u003e\n\u003cli\u003eInvestigate every alert by process and user. Writes from \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell, or an unknown binary under an interactive or recently compromised account are the malicious case. The same values written by the Group Policy client during a sanctioned rollout of a third-party antivirus product are the main benign source; confirm those against change records rather than excluding them silently.\u003c/li\u003e\n\u003cli\u003eReview and harden Windows Defender Group Policy settings, and keep Tamper Protection enabled so that a local registry write alone cannot turn Defender off.\u003c/li\u003e\n\u003cli\u003eUse the rule tags to link an alert to the related analytic stories (IcedID, Black Basta, Cactus) while triaging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-defender-registry/","summary":"Attackers modify Windows Defender registry settings to disable antivirus and antispyware protections, evading detection and maintaining persistence.","title":"Windows Defender Antivirus Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-defender-registry/"}],"language":"en","title":"CraftedSignal Threat Feed — Antivirus","version":"https://jsonfeed.org/version/1.1"}
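The detection logic that the Recommendation section describes, run over Sysmon Event ID 13 events, as an added example that is not part of the CraftedSignal brief and not code from Splunk or the Sigma project. It assumes the Sysmon XML event shape (System/EventID plus EventData/Data elements) and the way Sysmon renders REG_DWORD data as DWORD (0x00000001); the sample events are constructed, and treating a write from svchost.exe as a probable Group Policy change is a triage heuristic, not a fact from the brief.

```python
"""Flag Sysmon Event ID 13 writes that set the Windows Defender policy values
DisableAntiSpyware / DisableAntiVirus to 1. Added example; events are constructed."""

import re
import xml.etree.ElementTree as ET

# Policy key from the brief, matched as a suffix so any hive spelling works;
# value names are compared case-insensitively because the registry is.
DEFENDER_POLICY_KEY = r"\SOFTWARE\Policies\Microsoft\Windows Defender"
DISABLING_VALUES = {"disableantispyware", "disableantivirus"}

# Sysmon renders REG_DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")

# Assumption for triage: a sanctioned Group Policy change is applied by the
# Group Policy client hosted in svchost.exe, not by reg.exe or PowerShell.
POLICY_CLIENT_IMAGE = r"c:\windows\system32\svchost.exe"

SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_event(xml_text):
    """Return (EventID, {Data Name: text}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", SYSMON_NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    return event_id, data


def classify(event_id, data):
    """Return a finding dict for a Defender-disabling value set, else None."""
    if event_id != 13:                      # only Value Set events carry data
        return None
    key, _, value_name = data.get("TargetObject", "").rpartition("\\")
    if not key.lower().endswith(DEFENDER_POLICY_KEY.lower()):
        return None
    if value_name.lower() not in DISABLING_VALUES:
        return None
    m = DWORD_RE.match(data.get("Details", ""))
    if m is None or int(m.group(1), 16) != 1:
        return None                         # 0 re-enables Defender: not a disable
    image = data.get("Image", "")
    return {
        "value": value_name,
        "image": image,
        "user": data.get("User", ""),
        "severity": "high",
        "likely_group_policy": image.lower() == POLICY_CLIENT_IMAGE,
    }


def scan(xml_events):
    """Run classify() over a batch of Sysmon XML events, keeping only findings."""
    findings = []
    for xml_text in xml_events:
        finding = classify(*parse_sysmon_event(xml_text))
        if finding is not None:
            findings.append(finding)
    return findings


def _event(image, target, details, user="CORP\\jdoe", event_id=13):
    """Build a constructed, Sysmon-shaped event with only the fields used above."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>
    <Data Name="Details">{details}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


DEFENDER_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

# Constructed batch: two attacker writes, one re-enable, one policy-client
# write, one unrelated Run key, and a key-create (ID 12) on the same path.
SAMPLE_EVENTS = [
    _event(r"C:\Windows\System32\reg.exe",
           DEFENDER_KEY + r"\DisableAntiSpyware", "DWORD (0x00000001)"),
    _event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           DEFENDER_KEY + r"\DisableAntiVirus", "DWORD (0x00000001)"),
    _event(r"C:\Windows\System32\reg.exe",
           DEFENDER_KEY + r"\DisableAntiSpyware", "DWORD (0x00000000)"),
    _event(r"C:\Windows\System32\svchost.exe",
           DEFENDER_KEY + r"\DisableAntiSpyware", "DWORD (0x00000001)",
           user="NT AUTHORITY\\SYSTEM"),
    _event(r"C:\Windows\System32\reg.exe",
           r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
           "C:\\Users\\Public\\upd.exe"),
    _event(r"C:\Windows\System32\reg.exe", DEFENDER_KEY, "", event_id=12),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block on the constructed batch yields three findings: the reg.exe and PowerShell writes, which are the malicious pattern, and the svchost.exe write, which is reported with likely_group_policy set so an analyst checks it against change records instead of the rule dropping it. The re-enable (value 0), the unrelated Run key, and the key-create event produce nothing. When wiring this into Sigma or a Splunk search, keep the same two conditions: the value name under the policy key, and the data equal to 1.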