From f89ba18c5dc7ba1f908e0db3e29484dd308f0f9c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 4 Aug 2021 11:27:41 -0500
Subject: [PATCH 1/4] Create sysmon_disabled_pua_protection_on_microsoft_defender.yml

---
 ...d_pua_protection_on_microsoft_defender.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml

diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
new file mode 100644
index 000000000..6cda0a7f3
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
@@ -0,0 +1,24 @@
+title: Disable PUA Protection on Windows Defender
+id: 8ffc5407-52e3-478f-9596-0a7371eafe13
+description: Detects disabling Windows Defender PUA protection
+status: experimental
+date: 2021/08/04
+author: Austin Songer @austinsonger
+references:
+ - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
+tags:
+ - attack.defense_evasion
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
+ TargetObject|endswith:
+ - PUAProtection
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high

From bae075713c101525a6b445fd72fc63d5b7a34457 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 4 Aug 2021 13:10:37 -0500
Subject: [PATCH 2/4] Update sysmon_disabled_pua_protection_on_microsoft_defender.yml

---
 ...smon_disabled_pua_protection_on_microsoft_defender.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
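Review bot: The `Details: 'DWORD (0x00000000)'` constraint in the new rule's selection only fires on an explicit write of 0, so the rule stays silent if the `PUAProtection` value is removed again (Sysmon `EventType: DeleteValue`) or, if the cited tenforums reference also documents a non-policy location for the same value, when it is written outside the `\Policies\` branch; whether either case should count as "disabled" depends on the platform default, and that coverage boundary belongs in `description` so an analyst knows what the rule does not see. `falsepositives: - Unknown` could name the obvious benign source instead, since the key sits under `\Policies\`: `- Administrators changing the Defender PUA setting through Group Policy`. A short comment above the `Details` line noting that 0 is the "disabled" state of `PUAProtection`, as the title implies, would keep the `0x00000000` literal from reading as a magic number.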
diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
index 6cda0a7f3..e79e6055e 100644
--- a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
@@ -10,15 +10,13 @@ tags:
 - attack.defense_evasion
 logsource:
 category: registry_event
- product: windows
+ product: windows
 detection:
 selection:
 EventType: SetValue
- TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
- TargetObject|endswith:
- - PUAProtection
+ TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'
 Details: 'DWORD (0x00000000)'
- condition: selection
+ condition: selection
 falsepositives:
 - Unknown
 level: high

From 8d195bf5d57f8816035fb896af16b7f259b45860 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 4 Aug 2021 13:11:31 -0500
Subject: [PATCH 3/4] Update sysmon_disabled_pua_protection_on_microsoft_defender.yml

---
 .../sysmon_disabled_pua_protection_on_microsoft_defender.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
index e79e6055e..7486226a7 100644
--- a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 EventType: SetValue
- TargetObject|contains: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'
+ TargetObject|contains: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'
 Details: 'DWORD (0x00000000)'
 condition: selection
 falsepositives:
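Review bot: The `- product: windows` / `+ product: windows` and `- condition: selection` / `+ condition: selection` pairs in this hunk print identically, so they are whitespace-only edits (indentation or trailing spaces) bundled into the same hunk as the detection-logic change; they would be clearer as a separate commit or at least named in the subject. Folding `TargetObject|endswith: - PUAProtection` into the single `TargetObject|contains: '...\Windows Defender\PUAProtection'` keeps the intended match but drops the anchoring at the end of the path, so any value whose name merely begins with `PUAProtection` now also matches; `TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'` is the tighter one-line equivalent and would also cover the hive-prefix concern that the next patch in this series addresses.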
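Review bot: Switching the hive prefix to `HKLM\` in `TargetObject|contains` ties the rule to the way Sysmon renders `TargetObject`, as the `Details: 'DWORD (0x00000000)'` literal already does, while `logsource` declares only the generic `category: registry_event` / `product: windows`; registry telemetry from other sources that name the hive differently (Windows Security auditing, for instance, reports `\REGISTRY\MACHINE\...` object names) will not match. That scope is acceptable for a rule whose filename starts with `sysmon_`, but it should be stated where analysts read it: `description: Detects disabling Windows Defender PUA protection via a write to the PUAProtection policy value, as logged by Sysmon registry value-set events`. The hunk is otherwise fine, and backslashes inside the single-quoted scalar are literal, so no YAML escaping is needed.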
From 6a2663a3ae533e1e47b3e2ea8df72870537cf10e Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 4 Aug 2021 17:00:34 -0500
Subject: [PATCH 4/4] Update sysmon_disabled_pua_protection_on_microsoft_defender.yml

---
 .../sysmon_disabled_pua_protection_on_microsoft_defender.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
index 7486226a7..f0ad69f89 100644
--- a/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry_event/sysmon_disabled_pua_protection_on_microsoft_defender.yml
@@ -8,6 +8,7 @@ references:
 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
 tags:
 - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 category: registry_event
 product: windows