Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion

new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
new: Windows Defender Context Menu Removed via Reg.exe
new: Disabling Windows Defender WMI Autologger Session via Reg.exe
new: Delete Defender Scan ShellEx Context Menu Registry Key
new: Windows Defender Default Threat Action Modified

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml

@@ -0,0 +1,47 @@
+title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
+id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
+related:
+    - id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
+      type: similar
+status: experimental
+description: |
+    Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
+    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
+    An attacker might use this technique via the command line to bypass defenses before executing payloads.
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
+    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
+    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
+    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-11
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmdlet:
+        CommandLine|contains: 'Set-MpPreference'
+    selection_action:
+        CommandLine|contains:
+            - '-LowThreatDefaultAction'
+            - '-ModerateThreatDefaultAction'
+            - '-HighThreatDefaultAction'
+            - '-SevereThreatDefaultAction'
+            - '-ltdefac '
+            - '-mtdefac '
+            - '-htdefac '
+            - '-stdefac '
+    selection_value:
+        CommandLine|contains:
+            - 'Allow'
+            - '6'
+            - 'NoAction'
+            - '9'
+    condition: all of selection_*
+falsepositives:
+    - Highly unlikely
+level: high

rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml

@@ -0,0 +1,46 @@
+title: Windows Defender Context Menu Removed
+id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
+related:
+    - id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
+      type: similar
+status: experimental
+description: |
+    Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
+    This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
+    Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
+references:
+    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
+    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-09
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell_ise.exe'
+              - '\powershell.exe'
+              - '\pwsh.exe'
+              - '\reg.exe'
+        - OriginalFileName:
+              - 'powershell_ise.EXE'
+              - 'PowerShell.EXE'
+              - 'pwsh.dll'
+              - 'reg.exe'
+    selection_action:
+        CommandLine|contains:
+            - 'del'
+            - 'Remove-Item'
+            - 'ri '
+    selection_reg_path:
+        CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
+    condition: all of selection_*
+falsepositives:
+    - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
+level: high

rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml

@@ -0,0 +1,42 @@
+title: Disabling Windows Defender WMI Autologger Session via Reg.exe
+id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
+related:
+    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
+      type: similar
+status: experimental
+description: |
+    Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
+    By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
+    from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
+references:
+    - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
+    - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
+    - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
+author: Matt Anderson (Huntress)
+date: 2025-07-09
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_reg_path:
+        CommandLine|contains:
+            - '\Control\WMI\Autologger\DefenderApiLogger\Start'
+            - '\Control\WMI\Autologger\DefenderAuditLogger\Start'
+    selection_reg_add:
+        CommandLine|contains|all:
+            - 'add'
+            - '0'
+    filter_main_enable:
+        CommandLine|contains: '0x00000001'
+    condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+    - Highly unlikely
+level: high

rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml

@@ -0,0 +1,26 @@
+title: Delete Defender Scan ShellEx Context Menu Registry Key
+id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
+related:
+    - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
+      type: similar
+status: experimental
+description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
+references:
+    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
+    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-11
+tags:
+    - attack.defense-evasion
+logsource:
+    category: registry_delete
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
+    condition: selection
+falsepositives:
+    - Unlikely as this weakens defenses and normally would not be done even if using another AV.
+level: medium

rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml

@@ -0,0 +1,40 @@
+title: Windows Defender Threat Severity Default Action Modified
+id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
+related:
+    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
+      type: similar
+status: experimental
+description: |
+    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
+    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
+    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
+    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
+    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
+    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-11
+tags:
+    - attack.defense-evasion
+    - attack.t1562.001
+logsource:
+    category: registry_event
+    product: windows
+detection:
+    selection:
+        TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
+        TargetObject|endswith:
+            - '\1' # Low severity
+            - '\2' # Moderate severity
+            - '\4' # High severity
+            - '\5' # Severe severity
+        Details:
+            - 'DWORD (0x00000006)' # Allow
+            - 'DWORD (0x00000009)' # NoAction
+    condition: selection
+falsepositives:
+    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
+    - Software installations that legitimately modify Defender settings (less common for these specific keys).
+level: high