{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/threat/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender"],"_cs_severities":["high"],"_cs_tags":["windows","registry","defender","defense-evasion","threat"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may attempt to disable or delay security scans by modifying the health check interval of Windows Defender. This is achieved by altering the \u003ccode\u003eServiceKeepAlive\u003c/code\u003e registry value. The modifications can prevent the timely detection of malware or other malicious activities, thereby increasing the risk to the system. The observed registry key path is \u003ccode\u003e*\\\\Windows Defender\\\\ServiceKeepAlive\u003c/code\u003e with the specific registry value data being \u003ccode\u003e0x00000001\u003c/code\u003e. This technique has been observed in the wild, as reported on X (formerly Twitter), and is also a focus of privacy-enhancing tools like privacy.sexy. This highlights the importance of monitoring registry modifications related to Windows Defender\u0026rsquo;s configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a process with elevated privileges (e.g., using \u003ccode\u003esudo\u003c/code\u003e or exploiting a privilege escalation vulnerability).\u003c/li\u003e\n\u003cli\u003eThe process modifies the Windows Registry, specifically targeting the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceKeepAlive\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eregistry_value_data\u003c/code\u003e is set to \u003ccode\u003e0x00000001\u003c/code\u003e, which may disable or delay health checks.\u003c/li\u003e\n\u003cli\u003eWindows Defender health checks are impaired, reducing the frequency or effectiveness of scans.\u003c/li\u003e\n\u003cli\u003eMalware or malicious activity remains undetected due to the reduced scan frequency.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence and further compromises the system, potentially leading to data theft or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Windows Defender health check intervals can lead to a significant decrease in the system\u0026rsquo;s ability to detect and respond to threats. This can result in undetected malware infections, data breaches, and system compromise. While the number of direct victims is unknown, the widespread use of Windows Defender makes this a potentially impactful technique across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of Windows Defender Health Check Interval\u003c/code\u003e to your SIEM to detect malicious registry changes.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eSysmon EventID 13\u003c/code\u003e events for registry modifications related to Windows Defender\u0026rsquo;s \u003ccode\u003eServiceKeepAlive\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, paying close attention to the \u003ccode\u003edest\u003c/code\u003e and \u003ccode\u003eprocess_guid\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eUse the provided references to understand the context of this technique in real-world attacks.\u003c/li\u003e\n\u003cli\u003eTune the provided filter macro \u003ccode\u003ewindows_impair_defense_change_win_defender_health_check_intervals_filter\u003c/code\u003e to minimize false positives in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-windows-defender-health-check-modification/","summary":"This analytic detects modifications to the Windows registry, specifically targeting the `ServiceKeepAlive` value, to impair Windows Defender's ability to perform timely health checks, potentially leading to a vulnerable system state.","title":"Windows Defender Health Check Interval Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-windows-defender-health-check-modification/"}],"language":"en","title":"CraftedSignal Threat Feed — Threat","version":"https://jsonfeed.org/version/1.1"}