Microsoft Windows Defender Tampering

edit

Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 8.0.0

Rule authors: Austin Songer

Rule license: Elastic License v2

Potential false positives

edit

Legitimate Windows Defender configuration changes

Rule query

edit
registry where event.type in ("creation", "change") and
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\PUAProtection" and registry.data.strings : "0") or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender Security Center\\App and Browser
protection\\DisallowExploitProtectionOverride" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\DisableAntiSpyware" and registry.data.strings : "1") or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Features\\TamperProtection" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableRealtimeMonitoring" and registry.data.strings :
"1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIntrusionPreventionSystem" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableScriptScanning" and registry.data.strings : "1")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Windows Defender Exploit Guard\\Controlled Folder
Access\\EnableControlledFolderAccess" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIOAVProtection" and registry.data.strings : "1")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Reporting\\DisableEnhancedNotifications" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\DisableBlockAtFirstSeen" and registry.data.strings
: "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SpynetReporting" and registry.data.strings : "0")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SubmitSamplesConsent" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableBehaviorMonitoring" and registry.data.strings :
"1")

Threat mapping

edit

Framework: MITRE ATT&CKTM