{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/defender_evasion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender"],"_cs_severities":["high"],"_cs_tags":["windows","registry_modification","defender_evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Defender\u0026rsquo;s telemetry reporting to evade detection. Disabling SpyNet reporting is achieved by modifying specific registry keys associated with Windows Defender settings. This activity, if successful, prevents Windows Defender from sending telemetry data to Microsoft, hindering the detection of malicious activities and enabling attackers to operate undetected. This behavior has been observed in conjunction with malware such as IcedID and Qakbot, often as a precursor to ransomware deployment.\nThis technique is significant because it undermines the effectiveness of endpoint detection and response (EDR) solutions, allowing attackers to maintain persistence and carry out further attacks without raising alarms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an exploit or social engineering, delivering an initial payload.\u003c/li\u003e\n\u003cli\u003eThe initial payload executes, establishing a foothold on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to disable Windows Defender SpyNet reporting by modifying the registry.\u003c/li\u003e\n\u003cli\u003eThe registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting\u003c/code\u003e is set to \u003ccode\u003e0x00000000\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that Windows Defender SpyNet reporting is successfully disabled.\u003c/li\u003e\n\u003cli\u003eWith SpyNet reporting disabled, the attacker deploys malware such as IcedID or Qakbot.\u003c/li\u003e\n\u003cli\u003eThe deployed malware performs lateral movement and privilege escalation within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker ultimately deploys ransomware, encrypting critical systems and demanding ransom payment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Defender SpyNet reporting can lead to a significant increase in dwell time and a higher likelihood of successful ransomware deployment. Organizations that fail to detect this activity may experience widespread encryption of systems, data exfiltration, and significant financial losses. The DFIR Report documented instances where IcedID led to XingLocker ransomware deployment within 24 hours after initial compromise, highlighting the speed and severity of such attacks.\nCISA has also warned about similar campaigns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon EventID 13 to monitor registry modifications as described in the search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification to Disable Windows Defender SpyNet Reporting\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, prioritizing systems where other suspicious activities have been observed.\u003c/li\u003e\n\u003cli\u003eReview and harden registry permissions to prevent unauthorized modifications to critical Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eEnsure that the official Sysmon TA is at least version 2.0.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"/briefs/2024-01-defender-spynet-disable/","summary":"Attackers disable Windows Defender SpyNet reporting by modifying specific registry keys, preventing telemetry data from being sent and allowing malicious activities to go undetected.","title":"Windows Defender SpyNet Reporting Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-spynet-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — Defender_evasion","version":"https://jsonfeed.org/version/1.1"}