{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/blockatfirstseen/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["registry_modification","defender","blockatfirstseen"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the disabling of the Windows Defender BlockAtFirstSeen feature through registry modification. The BlockAtFirstSeen feature provides initial protection against new and unknown threats. Attackers may disable this feature to bypass these initial detection mechanisms, increasing the likelihood of successful malware execution and subsequent system compromise. The analytic detects modifications to the \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e registry value under the \u003ccode\u003eMicrosoft\\Windows Defender\\SpyNet\u003c/code\u003e path. The activity is significant because it weakens the endpoint\u0026rsquo;s security posture, creating an opportunity for malware to execute undetected. Observed in attacks such as IcedID, this technique can lead to ransomware deployment and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through methods such as phishing or exploitation of vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry key associated with Windows Defender SpyNet: \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e value within the SpyNet registry key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e value is set to \u003ccode\u003e0x00000001\u003c/code\u003e to disable the feature.\u003c/li\u003e\n\u003cli\u003eWindows Defender no longer blocks the execution of files based on reputation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious payloads that would normally be blocked.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware, exfiltrating data, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the BlockAtFirstSeen feature significantly reduces the effectiveness of Windows Defender, potentially exposing systems to new and unknown malware threats. Successful exploitation can lead to malware infection, system compromise, data breaches, and ransomware deployment. The DFIR Report has observed this technique being used in conjunction with IcedID, leading to Xinglocker ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification to Disable BlockAtFirstSeen\u003c/code\u003e to your SIEM to detect this specific registry modification.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (Registry Event) logging to collect the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e registry value modification, prioritizing those occurring on critical systems.\u003c/li\u003e\n\u003cli\u003eEnforce strict access control policies to prevent unauthorized modification of registry settings.\u003c/li\u003e\n\u003cli\u003eMonitor systems for signs of malware infection following any detected attempts to disable the BlockAtFirstSeen feature.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-defender-blockatfirstseen/","summary":"An attacker modifies the Windows Registry to disable the Windows Defender BlockAtFirstSeen feature, potentially allowing malware to bypass initial detection and increasing the risk of system compromise.","title":"Windows Defender BlockAtFirstSeen Feature Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-defender-blockatfirstseen/"}],"language":"en","title":"CraftedSignal Threat Feed — Blockatfirstseen","version":"https://jsonfeed.org/version/1.1"}