[New Rule] Microsoft Defender Tampering (#1575)
* Create defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit fd824d1fd5)
This commit is contained in:
Austin Songer
committed by
github-actions[bot]
github-actions[bot]
parent
0248772eb1
commit
501489b26c
@@ -0,0 +1,77 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/18"
|
||||
maturity = "production"
|
||||
updated_date = "2021/12/31"
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer"]
|
||||
description = """
|
||||
Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft
|
||||
Defender features to evade detection and conceal malicious behavior.
|
||||
"""
|
||||
false_positives = ["Legitimate Windows Defender configuration changes"]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Microsoft Windows Defender Tampering"
|
||||
references = [
|
||||
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
|
||||
"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
|
||||
"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html",
|
||||
"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
|
||||
"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
|
||||
"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html",
|
||||
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html",
|
||||
"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
registry where event.type in ("creation", "change") and
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and
|
||||
registry.data.strings : "0") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection" and
|
||||
registry.data.strings : "0") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIntrusionPreventionSystem" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" and
|
||||
registry.data.strings : "0") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting\\DisableEnhancedNotifications" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen" and
|
||||
registry.data.strings : "1") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting" and
|
||||
registry.data.strings : "0") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" and
|
||||
registry.data.strings : "0") or
|
||||
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" and
|
||||
registry.data.strings : "1")
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
Reference in New Issue
Block a user