From af492dc0f6305e6ede07d208ec58ee13bcf91dff Mon Sep 17 00:00:00 2001
From: Matt Anderson <75185144+MATTANDERS0N@users.noreply.github.com>
Date: Mon, 28 Jul 2025 06:25:23 -0500
Subject: [PATCH] Merge PR #5528 from @MATTANDERS0N - add rules for defense evasion

new: PowerShell Defender Default Threat Action Set to 'Allow' or 'NoAction'
new: Windows Defender Context Menu Removed via Reg.exe
new: Disabling Windows Defender WMI Autologger Session via Reg.exe
new: Delete Defender Scan ShellEx Context Menu Registry Key
new: Windows Defender Default Threat Action Modified

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...n_win_defender_default_action_modified.yml | 47 +++++++++++++++++++
 ...ation_win_defender_remove_context_menu.yml | 46 ++++++++++++++++++
 ...in_reg_disable_defender_wmi_autologger.yml | 42 +++++++++++++++++
 .../registry_delete_defender_context_menu.yml | 26 ++++++++++
 ..._event_defender_threat_action_modified.yml | 40 ++++++++++++++++
 5 files changed, 201 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml
 create mode 100644 rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
 create mode 100644 rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml

diff --git a/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml b/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml
new file mode 100644
index 000000000..882245608
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml
@@ -0,0 +1,47 @@
+title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
+id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
+related:
+ - id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
+ type: similar
+status: experimental
+description: |
+ Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
+ This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
+ An attacker might use this technique via the command line to bypass defenses before executing payloads.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
+ - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
+ - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
+ - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-11
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cmdlet:
+ CommandLine|contains: 'Set-MpPreference'
+ selection_action:
+ CommandLine|contains:
+ - '-LowThreatDefaultAction'
+ - '-ModerateThreatDefaultAction'
+ - '-HighThreatDefaultAction'
+ - '-SevereThreatDefaultAction'
+ - '-ltdefac '
+ - '-mtdefac '
+ - '-htdefac '
+ - '-stdefac '
+ selection_value:
+ CommandLine|contains:
+ - 'Allow'
+ - '6'
+ - 'NoAction'
+ - '9'
+ condition: all of selection_*
+falsepositives:
+ - Highly unlikely
+level: high
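Review bot: `selection_value` under `detection` adds almost no constraint, because `'6'` and `'9'` are single-character `contains` matchers that hit any digit 6 or 9 anywhere on the command line (a path, a GUID, a port) and `'Allow'` hits any unrelated substring such as an exclusion path, so a benign `Set-MpPreference -LowThreatDefaultAction Quarantine` launched from a directory containing a 6 fires as a true match of this rule, which sits badly with `falsepositives: Highly unlikely`. The value needs to be tied to the parameter it follows; one way is to replace the four-entry list with a single anchored regex, e.g. `selection_value:` / `CommandLine|re: '(?i)(DefaultAction|defac)[\s:"'']+(Allow|NoAction|6|9)\b'`, which also covers the colon and quoted argument forms PowerShell accepts. If the maintainers prefer to avoid `re`, at least pad the numeric entries (`' 6'`, `' 9'`, `':6'`, `':9'`) so they cannot match inside another token.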
diff --git a/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml b/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
new file mode 100644
index 000000000..aa9fc6a6a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml
@@ -0,0 +1,46 @@
+title: Windows Defender Context Menu Removed
+id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
+related:
+ - id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
+ type: similar
+status: experimental
+description: |
+ Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.
+ This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives.
+ Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
+references:
+ - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
+ - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+ - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-09
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell_ise.exe'
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\reg.exe'
+ - OriginalFileName:
+ - 'powershell_ise.EXE'
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - 'reg.exe'
+ selection_action:
+ CommandLine|contains:
+ - 'del'
+ - 'Remove-Item'
+ - 'ri '
+ selection_reg_path:
+ CommandLine|contains: '\shellex\ContextMenuHandlers\EPP'
+ condition: all of selection_*
+falsepositives:
+ - May be part of a system customization or "debloating" script, but this is highly unusual in a managed corporate environment.
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml
new file mode 100644
index 000000000..610afdb58
--- /dev/null
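Review bot: `selection_action` lists `del`, `Remove-Item` and `ri ` but leaves out the remaining built-in Windows PowerShell aliases of Remove-Item (`rm`, `rd`, `rmdir`, `erase`), so a deletion of the `\shellex\ContextMenuHandlers\EPP` key issued through one of those aliases produces no match even though the rule already commits to alias coverage by including `ri `. The entries are also inconsistently padded (`'ri '` carries a trailing space, `'del'` does not); the trailing space is what keeps `ri ` from matching inside words such as `ri` in `Write-Host`, so the new aliases should carry it too. Note that `'del'` without padding also matches `delete` and thus covers `reg delete`, which is presumably intended and worth a short comment on that line, e.g. `- 'del'  # also covers 'reg delete'`.

```yaml
        CommandLine|contains:
            - 'del'  # also covers 'reg delete'
            - 'Remove-Item'
            - 'ri '
            - 'rm '
            - 'rd '
            - 'rmdir '
            - 'erase '
```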
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml
@@ -0,0 +1,42 @@
+title: Disabling Windows Defender WMI Autologger Session via Reg.exe
+id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
+related:
+ - id: f37b4bce-49d0-4087-9f5b-58bffda77316
+ type: similar
+status: experimental
+description: |
+ Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
+ By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
+ from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
+references:
+ - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
+ - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+ - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
+ - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
+author: Matt Anderson (Huntress)
+date: 2025-07-09
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_reg_path:
+ CommandLine|contains:
+ - '\Control\WMI\Autologger\DefenderApiLogger\Start'
+ - '\Control\WMI\Autologger\DefenderAuditLogger\Start'
+ selection_reg_add:
+ CommandLine|contains|all:
+ - 'add'
+ - '0'
+ filter_main_enable:
+ CommandLine|contains: '0x00000001'
+ condition: all of selection_* and not 1 of filter_main_*
+falsepositives:
+ - Highly unlikely
+level: high
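Review bot: the `'0'` entry in `selection_reg_add` does not tie the zero to the value being written, so the rule fires on any `reg add` against the two `Start` paths that has a 0 anywhere on the line — a path under `ControlSet001` alone satisfies it — and `filter_main_enable` only rescues the literal `0x00000001`, so an administrator re-enabling the logger with `/d 1` under such a path or with `/d 0x1` is reported as a disable. Anchoring the value to the `/d` switch removes both problems: replace the `- '0'` entry with `CommandLine|re: '(?i)/d\s+(0x)?0+(\s|$)'` (keeping `- 'add'` in a `contains`), after which `filter_main_enable` and the `and not 1 of filter_main_*` clause can be dropped. Separately, the `id` `a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6` is a hand-typed hex sequence rather than a generated random UUID v4 as the Sigma rule specification asks for, and `author` is the only one of the five new rules left unquoted.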
diff --git a/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml b/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
new file mode 100644
index 000000000..20febeb39
--- /dev/null
+++ b/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml
@@ -0,0 +1,26 @@
+title: Delete Defender Scan ShellEx Context Menu Registry Key
+id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
+related:
+ - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
+ type: similar
+status: experimental
+description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
+references:
+ - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
+ - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+ - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-11
+tags:
+ - attack.defense-evasion
+logsource:
+ category: registry_delete
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
+ condition: selection
+falsepositives:
+ - Unlikely as this weakens defenses and normally would not be done even if using another AV.
+level: medium
diff --git a/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml b/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml
new file mode 100644
index 000000000..0450c94df
--- /dev/null
+++ b/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml
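Review bot: `tags` carries only `attack.defense-evasion`, while the process-creation rule this one is `related` to (`b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b`) and the other three rules in the commit all add `attack.t1562.001`; the registry view of the same key deletion describes the same technique and should list it too, `- attack.t1562.001`. The severity is also inconsistent between the pair: `level: medium` here against `high` on the command-line rule for the identical outcome, even though a registry-delete event is the more direct evidence that the key actually went away, so either the two should agree or the reason for the gap belongs in a comment. The `falsepositives` entry claims removal "would not be done even if using another AV"; I cannot verify that from the page, so I would hedge it rather than state it as fact.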
@@ -0,0 +1,40 @@
+title: Windows Defender Threat Severity Default Action Modified
+id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
+related:
+ - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
+ type: similar
+status: experimental
+description: |
+ Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
+ This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
+ allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
+ - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
+ - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
+ - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+author: 'Matt Anderson (Huntress)'
+date: 2025-07-11
+tags:
+ - attack.defense-evasion
+ - attack.t1562.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
+ TargetObject|endswith:
+ - '\1' # Low severity
+ - '\2' # Moderate severity
+ - '\4' # High severity
+ - '\5' # Severe severity
+ Details:
+ - 'DWORD (0x00000006)' # Allow
+ - 'DWORD (0x00000009)' # NoAction
+ condition: selection
+falsepositives:
+ - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
+ - Software installations that legitimately modify Defender settings (less common for these specific keys).
+level: high
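Review bot: the selection matches on `Details`, which Sysmon populates only for value-set events (Event ID 13), so `category: registry_event` is wider than the rule can use — key create, delete and rename events for these paths carry no `Details` and can never satisfy the selection. `category: registry_set` states the logsource precisely, lets backends route the rule to the narrower event stream, and matches the directory convention the commit itself follows for the sibling rule under `registry_delete/`; the file would then belong under `rules/windows/registry/registry_set/`. As far as I know no backend synthesises `Details` for non-set events, but if one does that would be the only reason to keep the broader category, and it would deserve a comment on the `category` line.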