https://feed.craftedsignal.io/tags/windows-registry/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-disable-win-defender-signature-retirement/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-disable-win-defender-signature-retirement/An attacker disables Windows Defender's signature retirement feature by modifying a registry key, potentially reducing its effectiveness in detecting threats by allowing older, less relevant signatures to persist.Attackers may attempt to disable Windows Defender’s signature retirement mechanism to weaken the endpoint protection. This is achieved by modifying the DisableSignatureRetirement registry value. Disabling signature retirement can prevent Windows Defender from removing outdated antivirus signatures, potentially reducing its effectiveness in detecting threats. Attackers may use this technique to evade detection by ensuring older, less effective signatures remain active, thereby reducing the likelihood of detecting their malicious activities. The tactic is used as part of defense evasion strategies.

Attack Chain

1. The attacker gains initial access to the target system through unspecified means.
2. The attacker elevates privileges to obtain the necessary permissions to modify the Windows Registry.
3. The attacker uses a command-line tool like reg.exe or PowerShell to modify the registry.
4. The attacker targets the specific registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\NIS\Consumers\IPS.
5. The attacker modifies the DisableSignatureRetirement registry value.
6. The attacker sets the DisableSignatureRetirement value to 0x00000001 to disable the signature retirement feature.
7. Windows Defender continues to use outdated signatures, which may be less effective against modern threats.
8. The attacker executes malicious code, evading detection due to the weakened signature database.

Impact

Disabling Windows Defender’s signature retirement feature weakens the system’s security posture. This allows outdated and less effective signatures to remain active, potentially leading to missed detections of newer threats. Successfully exploiting this vulnerability allows attackers to operate with reduced risk of detection, potentially leading to data breaches, malware infections, and other security incidents. The impact can affect individual endpoints as well as entire organizations relying on Windows Defender for primary threat protection.

Recommendation

• Deploy the provided Sigma rule to detect modifications to the DisableSignatureRetirement registry value (see rules).
• Monitor Windows Registry events for unauthorized modifications to Windows Defender settings, specifically Event ID 13 from Sysmon (see rules and data_source).
• Investigate any detected instances of DisableSignatureRetirement being set to 0x00000001 (see rules).
• Implement strict access controls to prevent unauthorized modification of registry settings related to Windows Defender.
• Tune the provided filter macro windows_impair_defense_disable_win_defender_signature_retirement_filter to reduce false positives in your environment (see search).

]]>mediumadvisorydefense-evasionwindows-registrywindows-defenderhttps://feed.craftedsignal.io/briefs/2024-01-03-disable-win-defender-network-protection/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-disable-win-defender-network-protection/This analytic detects modifications to the Windows registry to disable Windows Defender Network Protection, potentially leaving the system vulnerable to network-based threats.This detection identifies attempts to weaken Windows security by disabling Windows Defender Network Protection. The technique involves modifying the EnableNetworkProtection registry entry, a critical component for preventing network-based threats. Attackers may employ this tactic to bypass security measures, enabling unauthorized access, data exfiltration, or further compromise of the network. This is often a post-exploitation step or part of a larger defense evasion strategy. The detection focuses on changes to the specific registry key and value associated with disabling the protection feature.

Attack Chain

1. Attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
2. Attacker elevates privileges to gain administrative access, which is required to modify the registry.
3. The attacker uses a script or tool (e.g., PowerShell, reg.exe) to modify the registry.
4. The script targets the registry key *\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection.
5. The script sets the registry_value_data to 0x00000000, which disables Network Protection.
6. Windows Defender Network Protection is disabled, allowing network-based threats to proceed unimpeded.
7. The attacker can then execute malicious code, establish command and control, or exfiltrate data without network-level interference from Windows Defender.

Impact

Successful disabling of Windows Defender Network Protection can significantly weaken a system’s security posture. This allows attackers to bypass a key security control, potentially leading to malware infection, data theft, or complete system compromise. Systems without Network Protection are more susceptible to network-based attacks such as drive-by downloads, exploit kits, and command-and-control traffic. The impact could range from a single compromised workstation to a widespread network breach, depending on the attacker’s objectives and capabilities.

Recommendation

• Deploy the Sigma rule Registry Modification to Disable Windows Defender Network Protection to your SIEM and tune for your environment.
• Investigate any alerts generated by the Sigma rule to determine the legitimacy of the registry modification.
• Implement endpoint detection and response (EDR) solutions to provide additional visibility into endpoint activity and detect malicious behavior.
• Review and enforce group policies to prevent unauthorized registry modifications.
• Monitor Sysmon EventID 13 for registry modifications to detect similar defense evasion attempts.

]]>highadvisorydefense-evasionprivilege-escalationwindows-registryhttps://feed.craftedsignal.io/briefs/2024-01-02-win-defender-quick-scan-interval/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-win-defender-quick-scan-interval/Detection of modifications to the Windows registry that change the Windows Defender Quick Scan Interval, potentially impairing its ability to detect malware promptly.This threat brief focuses on the modification of the Windows Defender Quick Scan Interval, a critical setting that dictates how frequently quick scans are performed. Attackers may attempt to modify this interval to significantly reduce the frequency of scans, creating a window of opportunity to deploy malware or conduct malicious activities without being detected by Windows Defender’s default quick scans. This technique is a form of defense evasion, allowing threats to persist undetected on compromised systems. The activity is detected through monitoring of registry modifications related to the “QuickScanInterval” path within the Windows registry. Disabling or significantly increasing this interval can have severe consequences, potentially leading to widespread infection and data compromise.

Attack Chain

1. Initial Access: An attacker gains initial access to the system through various means, such as exploiting a software vulnerability, or social engineering.
2. Privilege Escalation: The attacker escalates privileges to gain the necessary permissions to modify the Windows Registry, often using techniques like exploiting system vulnerabilities or leveraging misconfigured access controls.
3. Defense Evasion: The attacker attempts to disable or modify the Windows Defender Quick Scan Interval to prevent detection of malicious activities.
4. Registry Modification: The attacker modifies the “QuickScanInterval” registry value using tools such as reg.exe or PowerShell. The specific registry path targeted is *\Windows Defender\Scan\QuickScanInterval.
5. Persistence: By disabling or extending the quick scan interval, the attacker ensures their malware or malicious activities can persist on the system without being detected by regular quick scans.
6. Malware Deployment: With Windows Defender’s quick scans effectively neutered, the attacker deploys additional malware or executes malicious scripts on the compromised system.
7. Lateral Movement: The attacker leverages the compromised system to move laterally within the network, infecting other systems and expanding their foothold.

Impact

Successful modification of the Windows Defender Quick Scan Interval can lead to a significant reduction in the system’s ability to detect malware promptly. This can result in widespread infection, data breaches, and system compromise. The consequences include potential financial losses, reputational damage, and disruption of business operations. While the exact number of victims is difficult to quantify, the potential impact is significant, especially within organizations heavily reliant on Windows Defender as their primary security solution.

Recommendation

• Enable Sysmon Event ID 13 logging to monitor registry modifications as described in the data source of the detection search.
• Deploy the provided Splunk search to identify modifications to the Windows Defender Quick Scan Interval.
• Investigate any detected modifications to the QuickScanInterval registry path to determine if they are legitimate or malicious.
• Tune the provided filter macro windows_impair_defense_change_win_defender_quick_scan_interval_filter to reduce false positives in your environment.
• Monitor for processes modifying the registry key *\Windows Defender\Scan\QuickScanInterval using tools like reg.exe or PowerShell.

]]>mediumadvisorydefense-evasionwindows-registrywindows-defenderendpoint