{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/windows-registry/","home_page_url":"https://feed.craftedsignal.io/","items":[
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-registry","windows-defender"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may tamper with Windows Defender\u0026rsquo;s Network Inspection System (NIS) settings by writing the \u003ccode\u003eDisableSignatureRetirement\u003c/code\u003e registry value. Signature retirement is the housekeeping step in which Defender stops applying NIS signatures for vulnerabilities the host has already patched; setting \u003ccode\u003eDisableSignatureRetirement\u003c/code\u003e to \u003ccode\u003e0x00000001\u003c/code\u003e turns that step off, so every signature stays active. The change does little to reduce detection on its own, but the value is a Defender policy setting that administrators rarely touch, so an unexpected write to it is a reliable sign that someone with administrative rights is reconfiguring Defender. The technique belongs to the defense evasion tactic (impair defenses).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates to local administrator, which is required to write under \u003ccode\u003eHKLM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to write the registry.\u003c/li\u003e\n\u003cli\u003eThe write targets \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\NIS\\Consumers\\IPS\u003c/code\u003e. The Group Policy-managed copy of the same setting lives under \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\NIS\\Consumers\\IPS\u003c/code\u003e, so a detection pattern should wildcard the prefix to cover both.\u003c/li\u003e\n\u003cli\u003eThe attacker sets \u003ccode\u003eDisableSignatureRetirement\u003c/code\u003e to \u003ccode\u003e0x00000001\u003c/code\u003e, disabling signature retirement.\u003c/li\u003e\n\u003cli\u003eSysmon records the write as Event ID 13 (RegistryEvent: Value Set), including the writing image, the user, the target object and the new value data.\u003c/li\u003e\n\u003cli\u003eThe attacker continues with further Defender tampering or payload execution, counting on the configuration change going unreviewed.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eBy itself, disabling signature retirement keeps already-retired NIS signatures in use; that costs some inspection performance rather than removing protection. The operational significance is as a tamper indicator: an administrative-level write to a Defender policy value outside of change control usually accompanies broader impairment of endpoint protection, and an attacker who can make this change can equally disable real-time protection or add exclusions. The impact therefore ranges from a single reconfigured endpoint to an organization-wide weakening of Defender wherever the same change is pushed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect writes to the \u003ccode\u003eDisableSignatureRetirement\u003c/code\u003e registry value.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Registry events for unauthorized modifications to Windows Defender settings, specifically Sysmon Event ID 13 on the Defender policy keys.\u003c/li\u003e\n\u003cli\u003eInvestigate any instance of \u003ccode\u003eDisableSignatureRetirement\u003c/code\u003e being set to \u003ccode\u003e0x00000001\u003c/code\u003e: confirm the writing image and user, and check whether a Group Policy change explains it.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to prevent unauthorized modification of registry settings related to Windows Defender.\u003c/li\u003e\n\u003cli\u003eTune the provided filter macro \u003ccode\u003ewindows_impair_defense_disable_win_defender_signature_retirement_filter\u003c/code\u003e to exclude your own policy-deployment tooling and reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-disable-win-defender-signature-retirement/","summary":"An attacker turns off Windows Defender's NIS signature retirement by setting the DisableSignatureRetirement registry value to 1. The change does little to weaken detection by itself, but an unexpected write to this Defender policy value is a reliable indicator of tampering with endpoint protection.","title":"Windows Defender Signature Retirement Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-win-defender-signature-retirement/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","privilege-escalation","windows-registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies attempts to weaken Windows security by disabling Windows Defender Network Protection, the Exploit Guard feature that blocks outbound connections to low-reputation domains and IP addresses. The technique involves writing the \u003ccode\u003eEnableNetworkProtection\u003c/code\u003e registry value to \u003ccode\u003e0\u003c/code\u003e (\u003ccode\u003e1\u003c/code\u003e is block mode and \u003ccode\u003e2\u003c/code\u003e is audit mode). Attackers employ this tactic after gaining administrative access so that command-and-control traffic, tool downloads and exfiltration are no longer blocked at the endpoint. This is usually a post-exploitation step within a larger defense evasion strategy. The detection focuses on the specific registry path and value data associated with disabling the feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to administrative access, which is required to write the policy key under \u003ccode\u003eHKLM\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a script or tool (e.g., PowerShell, \u003ccode\u003ereg.exe\u003c/code\u003e) to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe write targets a path matching \u003ccode\u003e*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection\u003c/code\u003e; the leading wildcard matches the value wherever it is written under a Windows Defender key, including the Group Policy hive \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe value data is set to \u003ccode\u003e0x00000000\u003c/code\u003e, which disables Network Protection.\u003c/li\u003e\n\u003cli\u003eWindows Defender Network Protection is disabled, allowing network-based threats to proceed unimpeded.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute malicious code, establish command and control, or exfiltrate data without network-level interference from Windows Defender.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling Windows Defender Network Protection significantly weakens a system\u0026rsquo;s security posture. It removes a key control that blocks connections to known-bad infrastructure, which can lead to malware infection, data theft, or complete system compromise. Systems without Network Protection are more exposed to drive-by downloads, exploit kits, and command-and-control traffic. The impact ranges from a single compromised workstation to a widespread network breach, depending on the attacker\u0026rsquo;s objectives and capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification to Disable Windows Defender Network Protection\u003c/code\u003e to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alert generated by the rule to determine whether the registry modification was made by your own policy tooling or by an unexpected process and user.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) to provide additional visibility into endpoint activity and detect malicious behavior.\u003c/li\u003e\n\u003cli\u003eReview and enforce Group Policy so that Network Protection is set centrally and unauthorized local registry changes are overwritten on the next refresh.\u003c/li\u003e\n\u003cli\u003eMonitor Sysmon Event ID 13 for registry writes under the Windows Defender policy keys to catch similar defense evasion attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-disable-win-defender-network-protection/","summary":"This analytic detects modifications to the Windows registry that disable Windows Defender Network Protection by setting EnableNetworkProtection to 0, leaving the system open to network-based threats.","title":"Windows Defender Network Protection Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-03-disable-win-defender-network-protection/"},
{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-registry","windows-defender","endpoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief covers modification of the Windows Defender Quick Scan Interval, the policy value that controls how often interval quick scans run. The value is the number of hours between quick scans (1 to 24); writing \u003ccode\u003e0\u003c/code\u003e turns interval quick scans off, and a larger number stretches the gap between them. Attackers may change this interval to open a window in which they can stage tooling or run payloads without a quick scan sweeping the usual startup, memory and temp locations. This is a form of defense evasion that lets threats persist undetected on compromised systems. The activity is detected by monitoring registry writes to the \u0026ldquo;QuickScanInterval\u0026rdquo; path. Disabling or significantly increasing the interval can have severe consequences, potentially leading to widespread infection and data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the system through various means, such as exploiting a software vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates to administrative rights, which are needed to write the policy key under \u003ccode\u003eHKLM\u003c/code\u003e, for example by exploiting a local vulnerability or abusing misconfigured access controls.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (Registry Modification):\u003c/strong\u003e The attacker changes the \u0026ldquo;QuickScanInterval\u0026rdquo; value using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell. The registry path targeted matches \u003ccode\u003e*\\Windows Defender\\Scan\\QuickScanInterval\u003c/code\u003e; the Group Policy-managed copy lives under \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDwell Time:\u003c/strong\u003e With the interval disabled or extended, the attacker\u0026rsquo;s malware can remain on the system without being caught by the regular quick scans.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Deployment:\u003c/strong\u003e With Windows Defender\u0026rsquo;s quick scans effectively neutered, the attacker deploys additional malware or executes malicious scripts on the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages the compromised system to move laterally within the network, infecting other systems and expanding their foothold.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the Windows Defender Quick Scan Interval significantly reduces the system\u0026rsquo;s ability to detect malware promptly. This can result in widespread infection, data breaches, and system compromise, with the usual consequences of financial loss, reputational damage, and disruption of business operations. The impact scales with how heavily the organization relies on Defender\u0026rsquo;s scheduled quick scans as its detection layer rather than on real-time protection and EDR.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 logging to monitor registry value writes, as described in the data source of the detection search.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Splunk search to identify modifications to the Windows Defender Quick Scan Interval.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected write to the \u003ccode\u003eQuickScanInterval\u003c/code\u003e registry path: check the writing image and user, and compare the new value against the interval your policy is supposed to set.\u003c/li\u003e\n\u003cli\u003eTune the provided filter macro \u003ccode\u003ewindows_impair_defense_change_win_defender_quick_scan_interval_filter\u003c/code\u003e to reduce false positives from your own policy-deployment tooling.\u003c/li\u003e\n\u003cli\u003eMonitor for processes such as \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell writing the registry key \u003ccode\u003e*\\Windows Defender\\Scan\\QuickScanInterval\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-win-defender-quick-scan-interval/","summary":"Detection of modifications to the Windows registry that change the Windows Defender Quick Scan Interval, disabling interval quick scans or stretching the gap between them and impairing prompt malware detection.","title":"Windows Defender Quick Scan Interval Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-02-win-defender-quick-scan-interval/"}
],"language":"en","title":"CraftedSignal Threat Feed — Windows-Registry","version":"https://jsonfeed.org/version/1.1"}
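Added example, not part of the CraftedSignal feed and not Splunk's or Microsoft's code: the detection logic the three briefs above describe, run over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records in the XML shape Sysmon writes to the event log. The three wildcarded TargetObject patterns and the impairing value data for the first two briefs (DisableSignatureRetirement=1, EnableNetworkProtection=0) are taken from the briefs; treating QuickScanInterval=0 as the impairing value is an assumption (0 turns interval quick scans off). Everything else is assumed for the example: the sample records, the Policies-hive paths they write to, the usernames and process images, and the svchost.exe-as-SYSTEM allowlist that down-ranks Group Policy refresh writes instead of dropping them, standing in for the briefs' filter macros.

```python
"""Match Sysmon Event ID 13 (RegistryEvent: Value Set) records against the three
Windows Defender impairment patterns described in the briefs.  The records
below are constructed for this example, not captured from a real host."""
import fnmatch
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (rule name, TargetObject glob, DWORD value data that indicates impairment)
RULES = [
    ("defender_signature_retirement_disabled",
     "*\\Windows Defender\\NIS\\Consumers\\IPS\\DisableSignatureRetirement", 0x1),
    ("defender_network_protection_disabled",
     "*\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection", 0x0),
    ("defender_quick_scan_interval_disabled",
     "*\\Windows Defender\\Scan\\QuickScanInterval", 0x0),   # assumption: 0 = interval scans off
]

# Assumed tuning allowlist (the briefs' "filter macro" idea): Group Policy refresh
# writes policy values through svchost.exe running as SYSTEM, so such writes are
# reported at low severity rather than suppressed, because a Group Policy change
# to these values still deserves a look.
POLICY_WRITER = ("c:\\windows\\system32\\svchost.exe", "nt authority\\system")

DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]{8})\)")   # Sysmon Details format


def parse_sysmon_event(xml_text):
    """Return (EventID, EventData name->value map) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def dword_value(details):
    """Extract the integer from a Sysmon 'DWORD (0x........)' Details string, else None."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def evaluate(xml_text):
    """Return a finding dict if the record is an impairing Defender write, else None."""
    event_id, d = parse_sysmon_event(xml_text)
    if event_id != 13 or d.get("EventType") != "SetValue":
        return None
    target = d.get("TargetObject", "")
    value = dword_value(d.get("Details", ""))
    for name, pattern, bad_value in RULES:
        # fnmatch's '*' spans backslashes, so the leading wildcard covers any hive prefix.
        if fnmatch.fnmatchcase(target, pattern) and value == bad_value:
            writer = (d.get("Image", "").lower(), d.get("User", "").lower())
            return {"rule": name, "target": target, "value": value,
                    "image": d.get("Image"), "user": d.get("User"),
                    "severity": "low" if writer == POLICY_WRITER else "high"}
    return None


def sysmon_record(image, user, target, details):
    """Build a constructed Sysmon EID 13 record in the XML layout Sysmon emits."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>13</EventID></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2024-01-03 12:00:00.000</Data>
    <Data Name="ProcessId">4242</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>
    <Data Name="Details">{details}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


POLICY_ROOT = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\"   # assumed hive
SAMPLE_EVENTS = [   # constructed sample input
    sysmon_record("C:\\Windows\\System32\\reg.exe", "CORP\\jdoe",
                  POLICY_ROOT + "NIS\\Consumers\\IPS\\DisableSignatureRetirement", "DWORD (0x00000001)"),
    sysmon_record("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CORP\\jdoe",
                  POLICY_ROOT + "Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection",
                  "DWORD (0x00000000)"),
    sysmon_record("C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM",
                  POLICY_ROOT + "Scan\\QuickScanInterval", "DWORD (0x00000000)"),
    # Re-enabling Network Protection: same key, non-impairing value, must not fire.
    sysmon_record("C:\\Windows\\System32\\reg.exe", "CORP\\jdoe",
                  POLICY_ROOT + "Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection",
                  "DWORD (0x00000001)"),
]


def scan(events):
    """Evaluate every record and return the findings in input order."""
    return [f for f in (evaluate(e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['image']} as {f['user']} "
              f"set {f['target']} = {f['value']:#010x}")
```

Matching on value data as well as path is what keeps the re-enable write (the fourth record) quiet; a rule that keys on the path alone fires on every policy refresh. The svchost.exe/SYSTEM down-ranking is deliberately not a suppression: an attacker with SYSTEM can also write through a service process, so the record still surfaces, just below the reg.exe and PowerShell writes in triage order.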