Windows-Defender — CraftedSignal Threat Feed

Windows Defender Controlled Folder Access Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

This analytic detects a modification in the Windows registry that disables the Windows Defender Controlled Folder Access (CFA) feature. The detection leverages Sysmon Event ID 13 to monitor changes to the EnableControlledFolderAccess registry setting. Disabling CFA is a significant defense evasion technique because it weakens a key security feature designed to protect critical folders from unauthorized access, including ransomware attacks. This allows attackers to potentially bypass this security measure and access or modify sensitive files. This behavior has been linked to malware such as BlankGrabber Stealer and used to bypass endpoint protection.

Attack Chain

An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
The attacker escalates privileges to gain administrative rights necessary to modify the registry.
The attacker uses a script or executable (e.g., PowerShell, reg.exe) to modify the registry.
The attacker targets the registry key *\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess.
The attacker sets the registry value to 0x00000000 to disable Controlled Folder Access.
The system no longer protects designated folders from unauthorized access by untrusted applications.
The attacker deploys ransomware or exfiltrates sensitive data from previously protected folders.

Impact

Successful disabling of Controlled Folder Access significantly weakens the endpoint’s defenses, leaving critical folders vulnerable to unauthorized access and modification. This can lead to successful ransomware deployment, data theft, and other malicious activities. Without CFA, common attack vectors are unhindered, increasing the likelihood of data breaches and system compromise.

Recommendation

Enable Sysmon Event ID 13 to monitor registry modifications, specifically changes to the EnableControlledFolderAccess key, to detect attempts to disable Controlled Folder Access.
Deploy the provided Sigma rules to your SIEM to detect registry modifications that disable Controlled Folder Access and tune for your environment.
Investigate any detected instances of EnableControlledFolderAccess being set to 0x00000000 to determine if the activity is malicious.
Review and enforce Group Policy settings to prevent users or processes from disabling Controlled Folder Access.

Suspicious PowerShell Command Removing Windows Defender Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 14:22:37 +0000

This threat brief addresses a specific PowerShell command designed to remove the Windows Defender directory, a critical component of endpoint security on Windows systems. Attackers may attempt to delete or corrupt Windows Defender to bypass its protection mechanisms, allowing them to execute malicious activities undetected. The detection focuses on identifying PowerShell commands containing “rmdir” and targeting the specific path associated with Windows Defender. This activity is typically observed following successful initial access and privilege escalation, as attackers attempt to establish persistence or conduct data exfiltration without interference from security software. The original Splunk analytic was published in May 2026, highlighting the enduring relevance of this technique.

Attack Chain

Initial Access: The attacker gains initial access to the system through various methods, such as phishing, exploiting vulnerabilities, or using stolen credentials.
Privilege Escalation: The attacker elevates their privileges to gain administrative rights, enabling them to perform sensitive actions on the system.
Defense Evasion: The attacker attempts to disable or impair security controls.
PowerShell Execution: The attacker leverages PowerShell to execute malicious commands.
Directory Removal: The attacker executes the rmdir command within a PowerShell script, targeting the Windows Defender directory.
Bypass Security Controls: By removing the Windows Defender directory, the attacker disables real-time protection and other security features.
Lateral Movement/Data Exfiltration: With endpoint protection disabled, the attacker can move laterally within the network, steal sensitive data, or deploy ransomware without triggering alerts.
Impact: The attacker achieves their final objective, such as data theft, system disruption, or financial gain, due to the compromised security posture of the endpoint.

Impact

Successful removal of the Windows Defender directory can have severe consequences. It allows attackers to bypass endpoint protection, leading to undetected malware infections, data breaches, and system compromise. Depending on the attacker’s objective, this can result in significant financial losses, reputational damage, and operational disruption. Such techniques have been observed in destructive malware campaigns targeting organizations.

Recommendation

Enable PowerShell Script Block Logging on all endpoints to provide visibility into executed PowerShell commands. Reference: https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
Deploy the Sigma rule “Detect Windows Defender Directory Removal via PowerShell” to your SIEM to detect the specific rmdir command targeting the Windows Defender directory.
Review and tune the provided Sigma rules for false positives in your specific environment.

Windows Defender Signature Retirement Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may attempt to disable Windows Defender’s signature retirement mechanism to weaken the endpoint protection. This is achieved by modifying the DisableSignatureRetirement registry value. Disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. Attackers may use this technique to evade detection by ensuring older, less effective signatures remain active, thereby reducing the likelihood of detecting their malicious activities. The tactic is used as part of defense evasion strategies.

Attack Chain

The attacker gains initial access to the target system through unspecified means.
The attacker elevates privileges to obtain the necessary permissions to modify the Windows Registry.
The attacker uses a command-line tool like reg.exe or PowerShell to modify the registry.
The attacker targets the specific registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS.
The attacker modifies the DisableSignatureRetirement registry value.
The attacker sets the DisableSignatureRetirement value to 0x00000001 to disable the signature retirement feature.
Windows Defender continues to use outdated signatures, which may be less effective against modern threats.
The attacker executes malicious code, evading detection due to the weakened signature database.

Impact

Disabling Windows Defender’s signature retirement feature weakens the system’s security posture. This allows outdated and less effective signatures to remain active, potentially leading to missed detections of newer threats. Successfully exploiting this vulnerability allows attackers to operate with reduced risk of detection, potentially leading to data breaches, malware infections, and other security incidents. The impact can affect individual endpoints as well as entire organizations relying on Windows Defender for primary threat protection.

Recommendation

Deploy the provided Sigma rule to detect modifications to the DisableSignatureRetirement registry value (see rules).
Monitor Windows Registry events for unauthorized modifications to Windows Defender settings, specifically Event ID 13 from Sysmon (see rules and data_source).
Investigate any detected instances of DisableSignatureRetirement being set to 0x00000001 (see rules).
Implement strict access controls to prevent unauthorized modification of registry settings related to Windows Defender.
Tune the provided filter macro windows_impair_defense_disable_win_defender_signature_retirement_filter to reduce false positives in your environment (see search).

Windows Defender Scan On Update Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief addresses the disabling of Windows Defender’s “Scan On Update” feature through registry modifications. Attackers may target this setting to prevent automatic scans when signature updates are applied, thereby hindering real-time detection of malware and other threats. This technique can be employed to evade initial access detection or to maintain persistence on a compromised system. Specifically, the attack involves changing the “DisableScanOnUpdate” registry value to “0x00000001”. Disabling this feature, while not always indicative of malicious activity, significantly reduces the effectiveness of Windows Defender, making systems more susceptible to compromise. Defenders should monitor for unauthorized registry modifications related to Windows Defender settings.

Attack Chain

The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
The attacker escalates privileges to obtain the necessary permissions to modify the registry.
The attacker uses a command-line tool (e.g., reg.exe, PowerShell) or a script to modify the DisableScanOnUpdate registry value.
The attacker changes the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\DisableScanOnUpdate to a value of 0x00000001.
Windows Defender no longer performs automatic scans upon signature updates.
The attacker deploys malware or other malicious payloads to the system without triggering immediate scans.
The attacker establishes persistence and continues to perform malicious activities.

Impact

Disabling the Windows Defender Scan On Update feature can significantly increase the dwell time of malware on a compromised system. This can lead to data breaches, system corruption, or further lateral movement within the network. The potential impact includes financial losses, reputational damage, and disruption of business operations. Systems that are not actively scanned are more vulnerable to both known and unknown threats, potentially impacting thousands of endpoints within an organization if the registry modification is widespread.

Recommendation

Deploy the Sigma rule Registry Modification to Disable Windows Defender Scan On Update to detect registry modifications related to the DisableScanOnUpdate setting.
Monitor Sysmon EventID 13 for registry modifications to the HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\DisableScanOnUpdate path.
Investigate any instances where the DisableScanOnUpdate registry value is set to 0x00000001.
Use endpoint detection and response (EDR) solutions to identify and block suspicious processes attempting to modify Windows Defender settings.
Tune the windows_impair_defense_disable_win_defender_scan_on_update_filter macro in Splunk to reduce false positives.

Windows Defender Real-time Signature Delivery Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief addresses the risk of adversaries disabling Windows Defender’s real-time signature delivery mechanism. Attackers may modify specific registry entries to prevent Windows Defender from receiving the latest malware definitions. This activity significantly reduces the effectiveness of the endpoint security solution, creating a window of opportunity for malware to infect the system undetected. Disabling real-time signature delivery is a common defense evasion technique that allows malicious actors to bypass signature-based detection and establish a persistent presence on compromised systems. The technique is tracked as T1562.001 in MITRE ATT&CK. The provided detections focus on registry modifications associated with the Windows Defender signature updates path.

Attack Chain

Attacker gains initial access to the system, possibly through phishing or exploiting a software vulnerability.
Attacker escalates privileges to gain administrative rights, required to modify the registry.
Attacker uses a command-line tool like reg.exe or PowerShell to modify the registry.
The attacker targets the specific registry path *\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery.
The attacker sets the registry_value_data to "0x00000000", effectively disabling real-time signature updates.
Windows Defender no longer receives timely signature updates.
Malware is executed on the system, bypassing signature-based detection.
The attacker establishes persistence and performs malicious activities, such as data exfiltration or lateral movement.

Impact

Successful disabling of real-time signature delivery significantly weakens endpoint protection. Without timely signature updates, Windows Defender becomes unable to detect the latest malware variants. This can lead to widespread infection within the organization, potentially affecting hundreds or thousands of endpoints. Data breaches, financial losses, and reputational damage are likely consequences. The lack of real-time protection can also enable ransomware attacks and other destructive activities.

Recommendation

Enable Sysmon Event ID 13 to monitor registry modifications.
Deploy the Sigma rule “Windows Defender Realtime Signature Delivery Disabled via Registry” to detect registry changes disabling real-time signature delivery, and tune the rule for your environment.
Investigate any alerts generated by the Sigma rule, prioritizing systems where other suspicious activities have been observed.
Review and harden Group Policy settings to prevent unauthorized registry modifications.
Use the filter macro in the provided Splunk search to tune the search and reduce false positives.

Windows Defender MpEngine Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers, particularly those associated with IcedID campaigns, may attempt to disable Windows Defender to evade detection. This involves modifying the MpEnablePus registry value within the Windows Defender MpEngine settings, specifically setting it to 0x00000000. This action effectively disables key features of Windows Defender, creating a window of opportunity for malware to execute undetected. The observed registry modification is a strong indicator of malicious intent, allowing attackers to gain a foothold and further compromise the system. The DFIR Report has documented instances of this technique being used in conjunction with IcedID leading to XingLocker ransomware deployment.

Attack Chain

Initial access is gained through an unknown method (e.g., phishing, exploit).
The attacker obtains elevated privileges on the compromised system.
The attacker modifies the registry value MpEnablePus to 0x00000000 under the path HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine.
This registry change disables key Windows Defender features, weakening the endpoint’s defenses.
The attacker deploys malware, such as IcedID, which can now operate with reduced interference from the disabled security product.
The malware establishes persistence through various mechanisms (e.g., scheduled tasks, registry run keys).
The attacker performs reconnaissance to identify valuable data and systems within the network.
The attacker moves laterally to other systems, potentially deploying ransomware such as XingLocker.

Impact

Successful disabling of Windows Defender can lead to widespread malware infection and data compromise. Organizations may experience data breaches, financial losses, and reputational damage. The IcedID malware has been linked to XingLocker ransomware deployment, demonstrating the potential for significant impact following a successful attack. Disabling Windows Defender increases the dwell time of attackers and the likelihood of successful lateral movement and data exfiltration.

Recommendation

Enable Sysmon EventID 13 to capture registry modifications on endpoints.
Deploy the Sigma rule “Detect Defender MpEngine Disabled via Registry Modification” to identify suspicious registry changes related to Windows Defender.
Investigate any alerts generated by the Sigma rule, prioritizing systems where other suspicious activities have been observed.
Ensure Sysmon TA version 2.0 or higher is installed for accurate registry monitoring.
Review and harden Windows Defender configuration policies to prevent unauthorized modifications of critical settings.

Windows Defender File Hash Computation Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers can disable Windows Defender’s ability to detect and scan for malware by modifying specific registry settings. This involves setting the EnableFileHashComputation value to 0 within the Windows Defender registry path. Disabling this feature significantly impairs Windows Defender’s capabilities, allowing attackers to bypass security measures and potentially execute undetected malware. This technique is particularly relevant as attackers continuously seek ways to evade traditional endpoint detection and response (EDR) systems. Disabling file hash computation hinders Defender’s ability to identify malicious files based on their known hash values, making it harder to detect and prevent malware execution. This registry modification is a critical behavior to monitor, as it can be an early indicator of a compromised system or an attempted defense evasion tactic.

Attack Chain

Initial Access: The attacker gains initial access to the target system, possibly through phishing, exploitation of vulnerabilities, or compromised credentials.
Privilege Escalation (if needed): The attacker escalates privileges to gain the necessary permissions to modify the Windows Registry.
Identify Target Registry Key: The attacker identifies the specific registry key responsible for controlling Windows Defender’s file hash computation: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\EnableFileHashComputation.
Modify Registry Value: The attacker modifies the EnableFileHashComputation registry value to 0. This can be achieved through various tools, including reg.exe, PowerShell, or other scripting languages.
Verify Modification: The attacker verifies that the registry value has been successfully modified.
Execute Malicious Code: With file hash computation disabled, the attacker executes malicious code that would otherwise be detected by Windows Defender.
Maintain Persistence: The attacker establishes persistence to maintain access to the compromised system.
Lateral Movement: The attacker moves laterally to other systems on the network, repeating the process if necessary.

Impact

Disabling Windows Defender’s file hash computation can significantly impact an organization’s security posture. If successful, attackers can execute malware undetected, leading to data breaches, system compromise, and financial losses. The impact is amplified if attackers can disable this feature across multiple systems within the network. This technique is a critical component of defense evasion, as it allows malicious actors to operate with impunity on compromised systems.

Recommendation

Deploy the Sigma rule Detect Windows Defender File Hash Disable via Registry to your SIEM and tune for your environment to detect the modification of the EnableFileHashComputation registry value.
Enable Sysmon Event ID 13 to ensure registry modification events are logged for the Sigma rule to function correctly.
Investigate any alerts triggered by the Sigma rule to determine the legitimacy of the registry modification and identify potential malicious activity.
Implement strict access controls to prevent unauthorized modifications to the Windows Registry.
Monitor for unexpected or unauthorized use of command-line tools like reg.exe and PowerShell to detect potential attempts to modify the registry.
Block the domains and URLs listed in the references to prevent downloading malicious tools.

Windows Defender Enhanced Notification Disabled via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This brief focuses on the technique of disabling Windows Defender’s Enhanced Notifications through registry modification. Attackers may target this feature to suppress security alerts, allowing malicious activities to proceed without user or administrator awareness. The observed behavior involves modifying the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting and setting the DisableEnhancedNotifications value to 0x00000001. This technique has been observed in conjunction with malware campaigns such as IcedID and XingLocker ransomware, documented in reports like TheDFIRReport’s analysis of IcedID leading to XingLocker ransomware within 24 hours. This allows threat actors to bypass detection mechanisms and escalate their activities within a compromised environment.

Attack Chain

Initial compromise of the system, potentially through phishing or exploit of a vulnerability.
Establish persistence, possibly through registry modifications or scheduled tasks.
The attacker executes a process with sufficient privileges to modify the Windows Registry.
The process modifies the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Reporting.
The value DisableEnhancedNotifications is set to 0x00000001, disabling enhanced notifications.
Windows Defender no longer displays enhanced notifications, hiding security alerts from the user.
The attacker performs malicious activities, such as lateral movement or data exfiltration, without triggering user alerts.
The attacker achieves their final objective, such as deploying ransomware or stealing sensitive data.

Impact

Disabling Windows Defender Enhanced Notifications can significantly reduce the visibility of malicious activities on a compromised system. This can lead to delayed detection and increased dwell time for attackers. In scenarios like the IcedID and XingLocker ransomware attacks, this delayed detection can enable rapid ransomware deployment, resulting in data encryption, system downtime, and potential financial losses. This technique undermines the effectiveness of Windows Defender as a primary security control, leading to a greater risk of successful attacks.

Recommendation

Enable Sysmon Event ID 13 logging to monitor registry modifications.
Deploy the Sigma rule “Registry Modification to Disable Defender Enhanced Notifications” to your SIEM and tune for your environment.
Investigate any endpoint registry modifications to *Microsoft\\Windows Defender\\Reporting* and DisableEnhancedNotifications using endpoint detection and response (EDR) logs.
Correlate detections of disabled Defender notifications with other suspicious activities, such as lateral movement or credential dumping, to identify potential compromises.

Windows Defender ASR or Threat Configuration Tampering

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers attempt to weaken or disable Windows Defender’s defenses to evade detection and execute malicious activities unimpeded. This involves manipulating Attack Surface Reduction (ASR) rules and threat configurations using PowerShell commands such as Add-MpPreference and Set-MpPreference. These commands are used to modify how Windows Defender handles threats, potentially allowing malware to run without being flagged. This behavior is observed in environments where adversaries seek to establish persistence, execute malicious code, and maintain a foothold by disabling or altering security settings within Windows Defender. The tampering may involve setting specific actions for ASR rules to “Allow” or “NoAction”, effectively bypassing the intended protections.

Attack Chain

Initial Access: The attacker gains initial access to the system through an unspecified method.
Privilege Escalation (if needed): The attacker escalates privileges to execute commands with administrative rights.
Discovery: The attacker identifies the presence and configuration of Windows Defender ASR rules.
Defense Evasion: The attacker executes PowerShell commands like Add-MpPreference or Set-MpPreference to disable or modify ASR rules. Specific parameters include -AttackSurfaceReductionRules_Actions and -ThreatIDDefaultAction_Actions.
Configuration Change: The attacker sets ASR rule actions to “Allow” or “NoAction” using values like “_Actions 6”, “_Actions 9”, or “_Actions 0”. They may also disable rules entirely using “Disabled”.
Persistence: With ASR rules weakened, the attacker establishes persistence through various methods, such as creating scheduled tasks or modifying registry keys.
Execution: The attacker executes malicious code that would have been blocked by Windows Defender before the ASR rules were modified.
Impact: The attacker achieves their objectives, such as data theft, system compromise, or deploying ransomware, without interference from Windows Defender.

Impact

Successful tampering with Windows Defender ASR or threat configurations enables attackers to bypass antivirus detection, maintain persistence, and execute malicious activities without interference. This can lead to widespread malware infections, data breaches, and significant damage to affected systems. If confirmed malicious, this behavior could severely compromise endpoint security, allowing attackers to operate undetected within the network, escalating the potential for significant data loss and system compromise.

Recommendation

Deploy the Sigma rule Detect Windows Defender ASR Configuration Tampering to your SIEM to detect command-line executions indicative of ASR tampering and tune for your environment.
Enable Sysmon process creation logging to capture the command-line arguments used with Add-MpPreference and Set-MpPreference for the detection rule.
Investigate any alerts generated by the Sigma rule, focusing on processes modifying ASR rules or threat actions, to differentiate between legitimate administrative tasks and malicious activity.
Review and harden Windows Defender configuration policies, ensuring ASR rules are properly configured and protected from unauthorized modification.
Monitor Windows Event Log Security event ID 4688 for process creation events related to PowerShell and the specified commands.

PowerShell Used to Disable Windows Defender Security Monitoring

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers are leveraging PowerShell to disable real-time security monitoring features in Windows Defender. This tactic involves using the Set-MpPreference cmdlet with specific parameters to turn off key security features like archive scanning, behavior monitoring, and real-time monitoring. This is often employed by malware, including Remote Access Trojans (RATs), bots, and Trojans, to evade antivirus detection. Disabling these protections allows attackers to operate undetected, potentially leading to data exfiltration, further system compromise, or the establishment of persistent access within the environment. The commands are often obfuscated or combined with other techniques to make detection more difficult. This activity represents a significant threat to organizations relying on Windows Defender for endpoint protection.

Attack Chain

Initial Access: The attacker gains initial access to the system through various means, such as exploiting a vulnerability or using compromised credentials.
Privilege Escalation: The attacker escalates privileges to gain necessary permissions to execute PowerShell commands that can modify Windows Defender settings.
Defense Evasion: The attacker executes PowerShell with Set-MpPreference to disable security features like DisableRealtimeMonitoring, DisableBehaviorMonitoring, or DisableIOAVProtection.
Configuration Changes: Windows Defender’s real-time monitoring and other security features are disabled, reducing the system’s ability to detect malicious activities.
Malware Deployment: With security monitoring disabled, the attacker deploys malware, such as RATs, bots, or Trojans, onto the system without immediate detection.
Persistence: The attacker establishes persistence mechanisms to maintain access to the compromised system, potentially using scheduled tasks or registry modifications.
Lateral Movement: The attacker moves laterally within the network, compromising additional systems and expanding their reach.
Data Exfiltration or Impact: The attacker exfiltrates sensitive data or carries out other malicious activities, such as deploying ransomware, while remaining undetected due to the disabled security monitoring.

Impact

Successful execution of these PowerShell commands results in disabling Windows Defender’s real-time protection and other security features. This can lead to undetected malware infections, data breaches, and system compromise. Organizations relying solely on Windows Defender are particularly vulnerable. The impact can range from individual workstation compromise to widespread network infection and significant data loss, depending on the attacker’s objectives and the extent of their lateral movement.

Recommendation

Deploy the Sigma rules provided in this brief to your SIEM to detect PowerShell commands attempting to disable Windows Defender features, and tune them for your environment.
Monitor process creation events (Sysmon Event ID 1 or Windows Event Log Security 4688) for PowerShell processes executing Set-MpPreference with parameters known to disable security features, as outlined in the Sigma rules.
Implement strict PowerShell execution policies to restrict the execution of unsigned or untrusted scripts, mitigating the risk of malicious PowerShell commands being executed.
Regularly review and audit Windows Defender settings to ensure that security features are enabled and functioning correctly, preventing unauthorized modifications.
Educate users about the risks of running untrusted PowerShell scripts and the importance of reporting suspicious activities.

Detecting Disabling of Windows Defender Sample Submission

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers are increasingly targeting endpoint detection capabilities to evade security controls. One specific technique involves disabling Windows Defender’s ability to automatically submit samples to Microsoft for analysis. By modifying the SubmitSamplesConsent registry value to 0, attackers can prevent suspicious files from being sent for further scrutiny, effectively blinding Defender. This can lead to successful malware execution and system compromise, as seen in incidents involving malware such as IcedID and XingLocker ransomware. This activity has been observed starting in late 2021 and continues to be a relevant evasion tactic. Detecting this registry modification is crucial for maintaining endpoint security.

Attack Chain

The attacker gains initial access to the system (e.g., via phishing or exploit).
The attacker escalates privileges to gain administrative rights.
The attacker uses a tool like reg.exe or PowerShell to modify the registry.
The attacker targets the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet.
The attacker changes the SubmitSamplesConsent value to 0x00000000.
Windows Defender is now prevented from automatically submitting samples.
The attacker executes malware on the system without automatic sample submission.
The attacker achieves their objective, such as data theft or ransomware deployment.

Impact

Disabling Windows Defender’s sample submission feature allows attackers to execute malicious code undetected. This can lead to data breaches, system compromise, and ransomware infections. The DFIR Report has documented instances where disabling AV features was a critical step in successful ransomware attacks. Organizations that fail to detect this activity are at increased risk of significant financial and operational damage.

Recommendation

Enable Sysmon EventID 13 to monitor registry modifications (data_source).
Deploy the Sigma rule “Disable Defender Submit Samples Consent Feature” to detect the registry modification (rules).
Investigate any endpoint where the SubmitSamplesConsent registry value is set to 0x00000000 in the specified registry path (search).
Ensure Sysmon TA version 2.0 or later is installed for proper log ingestion (how_to_implement).

Windows Defender Quick Scan Interval Modification

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This threat brief focuses on the modification of the Windows Defender Quick Scan Interval, a critical setting that dictates how frequently quick scans are performed. Attackers may attempt to modify this interval to significantly reduce the frequency of scans, creating a window of opportunity to deploy malware or conduct malicious activities without being detected by Windows Defender’s default quick scans. This technique is a form of defense evasion, allowing threats to persist undetected on compromised systems. The activity is detected through monitoring of registry modifications related to the “QuickScanInterval” path within the Windows registry. Disabling or significantly increasing this interval can have severe consequences, potentially leading to widespread infection and data compromise.

Attack Chain

Initial Access: An attacker gains initial access to the system through various means, such as exploiting a software vulnerability, or social engineering.
Privilege Escalation: The attacker escalates privileges to gain the necessary permissions to modify the Windows Registry, often using techniques like exploiting system vulnerabilities or leveraging misconfigured access controls.
Defense Evasion: The attacker attempts to disable or modify the Windows Defender Quick Scan Interval to prevent detection of malicious activities.
Registry Modification: The attacker modifies the “QuickScanInterval” registry value using tools such as reg.exe or PowerShell. The specific registry path targeted is *\Windows Defender\Scan\QuickScanInterval.
Persistence: By disabling or extending the quick scan interval, the attacker ensures their malware or malicious activities can persist on the system without being detected by regular quick scans.
Malware Deployment: With Windows Defender’s quick scans effectively neutered, the attacker deploys additional malware or executes malicious scripts on the compromised system.
Lateral Movement: The attacker leverages the compromised system to move laterally within the network, infecting other systems and expanding their foothold.

Impact

Successful modification of the Windows Defender Quick Scan Interval can lead to a significant reduction in the system’s ability to detect malware promptly. This can result in widespread infection, data breaches, and system compromise. The consequences include potential financial losses, reputational damage, and disruption of business operations. While the exact number of victims is difficult to quantify, the potential impact is significant, especially within organizations heavily reliant on Windows Defender as their primary security solution.

Recommendation

Enable Sysmon Event ID 13 logging to monitor registry modifications as described in the data source of the detection search.
Deploy the provided Splunk search to identify modifications to the Windows Defender Quick Scan Interval.
Investigate any detected modifications to the QuickScanInterval registry path to determine if they are legitimate or malicious.
Tune the provided filter macro windows_impair_defense_change_win_defender_quick_scan_interval_filter to reduce false positives in your environment.
Monitor for processes modifying the registry key *\Windows Defender\Scan\QuickScanInterval using tools like reg.exe or PowerShell.

PowerShell Windows Defender Exclusion Commands

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Attackers often attempt to evade detection by security tools, including Windows Defender. One common method is to add exclusions to prevent Defender from scanning specific files, folders, or processes. PowerShell, a powerful scripting language built into Windows, can be used to manage Defender settings, including exclusions. This makes it an attractive tool for adversaries. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected. The references provided show real-world examples of Remcos RAT and other malware families using this technique.

Attack Chain

An attacker gains initial access to a system, potentially through phishing or exploitation of a vulnerability.
The attacker executes a PowerShell script.
The PowerShell script uses the Add-MpPreference or Set-MpPreference cmdlet.
The script specifies exclusion parameters, such as -ExclusionPath, -ExclusionProcess, or -ExclusionExtension.
The exclusion is added to Windows Defender, preventing it from scanning the specified files, folders, or processes.
The attacker deploys and executes malware within the excluded path or process.
Windows Defender does not detect the malware due to the exclusion.
The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment.

Impact

Successful exploitation of this technique allows attackers to bypass Windows Defender’s real-time protection, enabling them to execute malicious code undetected. This can lead to data breaches, system compromise, and other serious security incidents. Multiple threat actors, as demonstrated in the references, have used this technique in various campaigns. This results in malware infections, data exfiltration, and potential ransomware deployment, causing significant financial and reputational damage to affected organizations.

Recommendation

Enable PowerShell Script Block Logging (EventCode 4104) to capture the commands being executed (data_source).
Deploy the Sigma rule Detect-WindowsDefender-Exclusion to detect suspicious PowerShell commands that add Windows Defender exclusions.
Investigate any alerts generated by the Sigma rule, focusing on the user and destination involved (rule).
Review existing Windows Defender exclusions to identify any suspicious or unauthorized entries.
Monitor PowerShell execution for unusual or suspicious activity, especially related to Defender management.
Audit and restrict access to PowerShell, limiting its use to authorized personnel and processes.