Create new rule for detecting Microsfot Defender Tampering via Registry

rules/windows/registry_event/registry_event_defender_disabled.yml

@@ -5,12 +5,13 @@ related:
       type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/09/21
-author: Ján Trenčanský, frack113
+modified: 2021/10/18
+author: Ján Trenčanský, frack113, AlertIQ
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: test
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+status: experimental
 tags:
     - attack.defense_evasion
     - attack.t1089           # an old one
@@ -21,7 +22,9 @@ logsource:
 detection:
     tamper_registry:
         EventType: SetValue
-        TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
+        TargetObject: 
+            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
+            - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus'
         Details: 'DWORD (0x00000001)'
     selection2:
         TargetObject:

rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml

@@ -0,0 +1,36 @@
+title: Windows Defender Real-Time Protection Disabled
+id: fd115e64-97c7-491f-951c-fc8da7e042fa
+description: Detects disabling Windows Defender Real-Time Protection by modifying registry
+date: 2021/10/18
+author: AlertIQ
+references:
+    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 
+status: experimental
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    tamper_registry1:
+        EventType: SetValue
+        TargetObject: 
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring'
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection'
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection'
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring'
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable'
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen'
+        Details: 'DWORD (0x00000001)'
+    tamper_registry2:
+        EventType: SetValue
+        TargetObject: 
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting'
+          - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent'
+        Details: 'DWORD (0x00000000)'
+    condition: tamper_registry1 or tamper_registry2
+falsepositives:
+    - Administrator actions
+level: high