IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Microsoft IIS Service Account Password Dumped Mimikatz Memssp Log File Detected »
Elastic Docs Elastic Security Solution [8.1] Detections and alerts Prebuilt rule reference

Microsoft Windows Defender Tampering

edit

Microsoft Windows Defender Tampering

edit

Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 2 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Austin Songer

Rule license: Elastic License v2

Potential false positives

edit

Legitimate Windows Defender configuration changes

Rule query

edit
registry where event.type in ("creation", "change") and
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\PUAProtection" and registry.data.strings : ("0",
"0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security
Center\\App and Browser protection\\DisallowExploitProtectionOverride"
and registry.data.strings : ("1", "0x00000001")) or (registry.path
: "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\DisableAntiSpyware" and registry.data.strings : ("1",
"0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Features\\TamperProtection" and registry.data.strings :
("0", "0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableRealtimeMonitoring" and registry.data.strings :
("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIntrusionPreventionSystem" and
registry.data.strings : ("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableScriptScanning" and registry.data.strings : ("1",
"0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows
Defender Exploit Guard\\Controlled Folder
Access\\EnableControlledFolderAccess" and registry.data.strings :
("0", "0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIOAVProtection" and registry.data.strings : ("1",
"0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Reporting\\DisableEnhancedNotifications" and
registry.data.strings : ("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\DisableBlockAtFirstSeen" and registry.data.strings
: ("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SpynetReporting" and registry.data.strings : ("0",
"0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SubmitSamplesConsent" and registry.data.strings :
("0", "0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableBehaviorMonitoring" and registry.data.strings :
("1", "0x00000001"))

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 2 (8.1.0 release)

  • Updated query, changed from:

    registry where event.type in ("creation", "change") and
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\PUAProtection" and registry.data.strings : "0") or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender Security Center\\App and Browser
protection\\DisallowExploitProtectionOverride" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\DisableAntiSpyware" and registry.data.strings : "1") or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Features\\TamperProtection" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableRealtimeMonitoring" and registry.data.strings :
"1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIntrusionPreventionSystem" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableScriptScanning" and registry.data.strings : "1")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Windows Defender Exploit Guard\\Controlled Folder
Access\\EnableControlledFolderAccess" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIOAVProtection" and registry.data.strings : "1")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Reporting\\DisableEnhancedNotifications" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\DisableBlockAtFirstSeen" and registry.data.strings
: "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SpynetReporting" and registry.data.strings : "0")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SubmitSamplesConsent" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableBehaviorMonitoring" and registry.data.strings :
"1")
« Microsoft IIS Service Account Password Dumped Mimikatz Memssp Log File Detected »