{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/block-at-first-seen/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender"],"_cs_severities":["medium"],"_cs_tags":["defender","malware","block-at-first-seen","registry","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to disable the Microsoft Defender 'Block at First Seen' feature to bypass initial security checks and execute potentially malicious files. This feature is designed to send unknown files to Microsoft's cloud for analysis, blocking execution until a determination is made. Disabling this feature reduces the security posture of the system and allows malware to run without immediate scrutiny. While the specific method of disabling the feature isn't provided in the source, it's crucial to monitor for suspicious registry modifications or PowerShell commands that could achieve this. This brief focuses on detection strategies for identifying such attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through an existing vulnerability, compromised credentials, or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e If necessary, the attacker escalates privileges to gain administrative access to modify Defender settings.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable 'Block at First Seen':\u003c/strong\u003e The attacker uses PowerShell or registry modifications to disable the 'Block at First Seen' feature. This may involve modifying the \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpCloudBlockLevel\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Execution:\u003c/strong\u003e With the feature disabled, the attacker executes a malicious file (e.g., a trojan or ransomware payload).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The malware establishes persistence through registry keys, scheduled tasks, or other mechanisms to ensure it remains active after system restarts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker attempts to move laterally to other systems on the network, exploiting trust relationships or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Encryption:\u003c/strong\u003e The attacker exfiltrates sensitive data or encrypts files for ransom, depending on the attacker's objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling 'Block at First Seen' significantly increases the risk of malware infection. If successful, attackers can execute malicious code without immediate detection, potentially leading to data theft, system compromise, or ransomware attacks. The impact can range from individual machine infections to widespread network compromise, depending on the attacker's goals and capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for registry modifications related to disabling Defender's cloud-delivered protection using the \u0026quot;Detect Suspicious Defender Registry Modification\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eDetect suspicious PowerShell commands attempting to disable real-time monitoring or cloud-delivered protection using the \u0026quot;Detect Suspicious PowerShell Defender Configuration\u0026quot; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected changes to Microsoft Defender's configuration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-defender-block-disable/","summary":"An attacker disables the Microsoft Defender 'Block at First Seen' feature to allow potentially malicious files to execute without initial scrutiny, increasing the risk of malware infection and data compromise.","title":"Microsoft Defender 'Block at First Seen' Feature Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-defender-block-disable/"}],"language":"en","title":"CraftedSignal Threat Feed - Block-at-First-Seen","version":"https://jsonfeed.org/version/1.1"}