From ccf6c8df38ef8ded5bbc679e73e4ead486b965f5 Mon Sep 17 00:00:00 2001
From: Tran Trung Hieu
Date: Mon, 18 Oct 2021 10:07:44 +0400
Subject: [PATCH] Create new rule for detecting Microsfot Defender Tampering via Registry

---
 .../registry_event_defender_disabled.yml | 11 +++---
 ..._defender_realtime_protection_disabled.yml | 36 +++++++++++++++++++
 2 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml

diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml
index bdff48bab..0d3faa4e0 100644
--- a/rules/windows/registry_event/registry_event_defender_disabled.yml
+++ b/rules/windows/registry_event/registry_event_defender_disabled.yml
@@ -5,12 +5,13 @@ related:
 type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/09/21
-author: Ján Trenčanský, frack113
+modified: 2021/10/18
+author: Ján Trenčanský, frack113, AlertIQ
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
-status: test
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+status: experimental
 tags:
 - attack.defense_evasion
 - attack.t1089 # an old one
@@ -21,7 +22,9 @@ logsource:
 detection:
 tamper_registry:
 EventType: SetValue
- TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
+ TargetObject:
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus'
 Details: 'DWORD (0x00000001)'
 selection2:
 TargetObject:
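Review bot: The widened `TargetObject` list under `tamper_registry` in the second hunk still matches on the policy path and `Details: 'DWORD (0x00000001)'` alone, with no constraint on the writing process; on domain-joined hosts where a GPO legitimately sets `DisableAntiSpyware`/`DisableAntiVirus` (for example a third-party AV deployment), the Group Policy client is likely to rewrite these values on every policy refresh and re-fire the rule. The same applies to both selections of the new file registry_event_defender_realtime_protection_disabled.yml in the next diff. This rule's `condition` and `falsepositives` lie outside the hunk, so I cannot confirm whether this case is already listed; if not, a line such as `- Legitimate Group Policy deployment of Defender settings` under `falsepositives` would document it. The first hunk also moves `status` from `test` back to `experimental`, which is reasonable for a widened match but is worth stating in the commit message.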
diff --git a/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml b/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml
new file mode 100644
index 000000000..2eb860fab
--- /dev/null
+++ b/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml
@@ -0,0 +1,36 @@
+title: Windows Defender Real-Time Protection Disabled
+id: fd115e64-97c7-491f-951c-fc8da7e042fa
+description: Detects disabling Windows Defender Real-Time Protection by modifying registry
+date: 2021/10/18
+author: AlertIQ
+references:
+ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+ - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
+status: experimental
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ tamper_registry1:
+ EventType: SetValue
+ TargetObject:
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\DisableBlockAtFirstSeen'
+ Details: 'DWORD (0x00000001)'
+ tamper_registry2:
+ EventType: SetValue
+ TargetObject:
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SpynetReporting'
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent'
+ Details: 'DWORD (0x00000000)'
+ condition: tamper_registry1 or tamper_registry2
+falsepositives:
+ - Administrator actions
+level: high
\ No newline at end of file
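Review bot: `tamper_registry2` pins `Details: 'DWORD (0x00000000)'` for both SpyNet values, but for `SubmitSamplesConsent` Microsoft's documented policy values use 2 for "Never send" while 0 is "Always prompt", so the selection as written does not cover the value that actually turns sample submission off (keeping 0 is still useful, since it stops automatic submission). I would add a third selection for the "Never send" value, formatted the way Sysmon reports it, and extend the condition as below; `SpynetReporting` is fine as is, since 0 is its "Disabled" value. The file is also missing a trailing newline (`\ No newline at end of file`), which yamllint will flag.
```yaml
    # … unchanged: tamper_registry1 and tamper_registry2 …
    tamper_registry3:
        EventType: SetValue
        TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent'
        Details: 'DWORD (0x00000002)'
    condition: tamper_registry1 or tamper_registry2 or tamper_registry3
```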