{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/defender/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["windows","defender","registry","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses the modification of the \u003ccode\u003eThrottleDetectionEventsRate\u003c/code\u003e registry setting within Windows Defender. Attackers may alter this setting to decrease the frequency of logged detection events, effectively reducing the visibility of their malicious activities. This technique can be employed to evade detection and prolong the duration of a compromise. Disabling or reducing the throttle rate can hinder incident response efforts and forensic investigations by limiting the amount of security-related data available to defenders. Defenders should be aware of unauthorized changes to this registry setting to maintain optimal security monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains access to the system via various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain administrative access, required to modify registry settings.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker attempts to disable or modify Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eRegistry Modification: The attacker modifies the \u003ccode\u003eThrottleDetectionEventsRate\u003c/code\u003e registry value located at \u003ccode\u003e*\\\\Windows Defender\\\\NIS\\\\Consumers\\\\IPS\\\\ThrottleDetectionEventsRate\u003c/code\u003e. This is often done using command-line tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may establish persistence to maintain access even after system reboots. While not directly related to the throttle rate modification, it ensures continued access for further malicious actions.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems within the network, potentially repeating the registry modification process on other endpoints.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Ransomware Deployment: With reduced visibility due to the modified throttle rate, the attacker exfiltrates sensitive data or deploys ransomware.\u003c/li\u003e\n\u003cli\u003eImpact: The attack succeeds due to the reduced visibility, leading to data loss, financial damage, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the \u003ccode\u003eThrottleDetectionEventsRate\u003c/code\u003e can lead to a significant reduction in the effectiveness of Windows Defender, allowing attackers to operate with reduced scrutiny. This can result in delayed detection of malicious activity, leading to increased dwell time and greater potential for damage. The number of affected systems depends on the scope of the attacker\u0026rsquo;s access and lateral movement capabilities. Targeted sectors could include any organization relying on Windows Defender as a primary endpoint security solution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect modifications to the \u003ccode\u003eThrottleDetectionEventsRate\u003c/code\u003e registry setting.\u003c/li\u003e\n\u003cli\u003eMonitor Sysmon Event ID 13 (registry events) for changes to Windows Defender registry keys.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing those affecting critical systems or users.\u003c/li\u003e\n\u003cli\u003eUse the filter macro (\u003ccode\u003ewindows_impair_defense_change_win_defender_throttle_rate_filter\u003c/code\u003e) to tune the provided search to reduce false positives in your specific environment.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Windows Defender configuration settings to ensure they align with security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-defender-throttle-rate-mod/","summary":"An attacker modifies the Windows Defender ThrottleDetectionEventsRate registry setting to reduce the frequency of logged detection events, potentially evading detection.","title":"Windows Defender Throttle Rate Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-defender-throttle-rate-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["windows","endpoint","registry","defender","exclusion","defense-evasion","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers frequently attempt to disable or bypass Windows Defender to execute malware undetected. This is often achieved by modifying the Windows Defender exclusion registry entries. By adding exclusions, attackers can prevent Windows Defender from scanning specific files, folders, or processes. This technique allows malware to operate freely, potentially leading to system compromise. The reported activity focuses on modifications to the registry path \u0026ldquo;\u003cem\u003e\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\\u003c/em\u003e\u0026rdquo;, which is a common target for threat actors. This technique can be observed across various malware families, including Remcos RAT, Qakbot, and XWorm, as well as in NetSupport RMM Tool Abuse scenarios, highlighting its versatility and effectiveness in defense evasion. Detecting and preventing these modifications is crucial for maintaining endpoint security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through various methods (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\\u003c/code\u003e or similar paths.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker adds or modifies registry values within the \u003ccode\u003eExclusions\u003c/code\u003e key to exclude specific files, folders, or processes from Windows Defender scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation or modification of the exclusion by querying the registry.\u003c/li\u003e\n\u003cli\u003eMalicious code is then executed in the excluded location or process, bypassing Windows Defender\u0026rsquo;s real-time scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the exclusion remains active across reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further malicious activities, such as data exfiltration or lateral movement, undetected by Windows Defender.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Windows Defender exclusion registry entries allows attackers to bypass antivirus protection. This can lead to the execution of malicious code without detection, enabling persistence, data exfiltration, and other malicious activities. The impact can range from individual system compromise to broader network infections, depending on the attacker\u0026rsquo;s objectives. Several malware families, including Remcos RAT, Qakbot, and XWorm, use this technique, demonstrating its widespread use. A Microsoft blog post referenced destructive malware targeting Ukrainian organizations, suggesting potential for significant operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (RegistryEvent) to capture registry modifications, which is the data source required for the detections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Defender Exclusion Added\u003c/code\u003e to identify suspicious registry modifications related to Windows Defender exclusions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes modifying the Windows Defender exclusion registry keys.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Windows Defender exclusions to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eEnsure the Sysmon TA is at least version 2.0 as mentioned in the content to properly ingest the logs from endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-exclusion-registry-modification/","summary":"Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.","title":"Windows Defender Exclusion Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["registry_modification","defender","blockatfirstseen"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the disabling of the Windows Defender BlockAtFirstSeen feature through registry modification. The BlockAtFirstSeen feature provides initial protection against new and unknown threats. Attackers may disable this feature to bypass these initial detection mechanisms, increasing the likelihood of successful malware execution and subsequent system compromise. The analytic detects modifications to the \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e registry value under the \u003ccode\u003eMicrosoft\\Windows Defender\\SpyNet\u003c/code\u003e path. The activity is significant because it weakens the endpoint\u0026rsquo;s security posture, creating an opportunity for malware to execute undetected. Observed in attacks such as IcedID, this technique can lead to ransomware deployment and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through methods such as phishing or exploitation of vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes code on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the registry key associated with Windows Defender SpyNet: \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e value within the SpyNet registry key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e value is set to \u003ccode\u003e0x00000001\u003c/code\u003e to disable the feature.\u003c/li\u003e\n\u003cli\u003eWindows Defender no longer blocks the execution of files based on reputation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious payloads that would normally be blocked.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as deploying ransomware, exfiltrating data, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling the BlockAtFirstSeen feature significantly reduces the effectiveness of Windows Defender, potentially exposing systems to new and unknown malware threats. Successful exploitation can lead to malware infection, system compromise, data breaches, and ransomware deployment. The DFIR Report has observed this technique being used in conjunction with IcedID leading to Xinglocker ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification to Disable BlockAtFirstSeen\u003c/code\u003e to your SIEM to detect this specific registry modification.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (Registry Event) logging to collect the necessary data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eDisableBlockAtFirstSeen\u003c/code\u003e registry value modification, prioritizing those occurring on critical systems.\u003c/li\u003e\n\u003cli\u003eEnforce strict access control policies to prevent unauthorized modification of registry settings.\u003c/li\u003e\n\u003cli\u003eMonitor systems for signs of malware infection following any detected attempts to disable the BlockAtFirstSeen feature.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-defender-blockatfirstseen/","summary":"An attacker modifies the Windows Registry to disable the Windows Defender BlockAtFirstSeen feature, potentially allowing malware to bypass initial detection and increasing the risk of system compromise.","title":"Windows Defender BlockAtFirstSeen Feature Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-defender-blockatfirstseen/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender"],"_cs_severities":["high"],"_cs_tags":["windows","registry","defender","defense-evasion","threat"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may attempt to disable or delay security scans by modifying the health check interval of Windows Defender. This is achieved by altering the \u003ccode\u003eServiceKeepAlive\u003c/code\u003e registry value. The modifications can prevent the timely detection of malware or other malicious activities, thereby increasing the risk to the system. The observed registry key path is \u003ccode\u003e*\\\\Windows Defender\\\\ServiceKeepAlive\u003c/code\u003e with the specific registry value data being \u003ccode\u003e0x00000001\u003c/code\u003e. This technique has been observed in the wild, as reported on X (formerly Twitter), and is also a focus of privacy-enhancing tools like privacy.sexy. This highlights the importance of monitoring registry modifications related to Windows Defender\u0026rsquo;s configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a process with elevated privileges (e.g., using \u003ccode\u003esudo\u003c/code\u003e or exploiting a privilege escalation vulnerability).\u003c/li\u003e\n\u003cli\u003eThe process modifies the Windows Registry, specifically targeting the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceKeepAlive\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eregistry_value_data\u003c/code\u003e is set to \u003ccode\u003e0x00000001\u003c/code\u003e, which may disable or delay health checks.\u003c/li\u003e\n\u003cli\u003eWindows Defender health checks are impaired, reducing the frequency or effectiveness of scans.\u003c/li\u003e\n\u003cli\u003eMalware or malicious activity remains undetected due to the reduced scan frequency.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and further compromises the system, potentially leading to data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Windows Defender health check intervals can lead to a significant decrease in the system\u0026rsquo;s ability to detect and respond to threats. This can result in undetected malware infections, data breaches, and system compromise. While the number of direct victims is unknown, the widespread use of Windows Defender makes this a potentially impactful technique across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of Windows Defender Health Check Interval\u003c/code\u003e to your SIEM to detect malicious registry changes.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eSysmon EventID 13\u003c/code\u003e events for registry modifications related to Windows Defender\u0026rsquo;s \u003ccode\u003eServiceKeepAlive\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the \u003ccode\u003edest\u003c/code\u003e and \u003ccode\u003eprocess_guid\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eUse the provided references to understand the context of this technique in real-world attacks.\u003c/li\u003e\n\u003cli\u003eTune the provided filter macro \u003ccode\u003ewindows_impair_defense_change_win_defender_health_check_intervals_filter\u003c/code\u003e to minimize false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-windows-defender-health-check-modification/","summary":"This analytic detects modifications to the Windows registry, specifically targeting the `ServiceKeepAlive` value, to impair Windows Defender's ability to perform timely health checks, potentially leading to a vulnerable system state.","title":"Windows Defender Health Check Interval Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-defender-health-check-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Defender","version":"https://jsonfeed.org/version/1.1"}