Suspicious Windows Defender Registry Key Tampering Via Reg.EXE

Severity
high
Author
Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects the use of "reg.exe" to tamper with Windows Defender registry keys in order to disable important protection and detection features.

MITRE ATT&CK coverage

Tactic | Techniques
Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

Provider | Event ID | Title
Sysmon | 1 | Process creation

Stages and Predicates

Stage 1: all of selection_root_img

or:
Image|endswith: '\reg.exe'
OriginalFileName: reg.exe

Stage 2: all of selection_root_path

or:
CommandLine|contains: 'SOFTWARE\Microsoft\Windows Defender\'
CommandLine|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
CommandLine|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender\'

Stage 3: 1 of selection_dword_0

or:
CommandLine|contains: 'DisallowExploitProtectionOverride'
CommandLine|contains: EnableControlledFolderAccess
CommandLine|contains: MpEnablePus
CommandLine|contains: PUAProtection
CommandLine|contains: SpynetReporting
CommandLine|contains: SubmitSamplesConsent
CommandLine|contains: TamperProtection
CommandLine|contains: ' add '
CommandLine|contains: 'd 0'

Stage 4: 1 of selection_dword_1

or:
CommandLine|contains: DisableAccess
CommandLine|contains: DisableAntiSpyware
CommandLine|contains: 'DisableAntiSpywareRealtimeProtection'
CommandLine|contains: DisableAntiVirus
CommandLine|contains: DisableAntiVirusSignatures
CommandLine|contains: DisableArchiveScanning
CommandLine|contains: DisableBehaviorMonitoring
CommandLine|contains: DisableBlockAtFirstSeen
CommandLine|contains: DisableCloudProtection
CommandLine|contains: DisableConfig
CommandLine|contains: DisableEnhancedNotifications
CommandLine|contains: DisableIOAVProtection
CommandLine|contains: DisableIntrusionPreventionSystem
CommandLine|contains: DisableNetworkProtection
CommandLine|contains: DisableOnAccessProtection
CommandLine|contains: DisablePrivacyMode
CommandLine|contains: DisableRealtimeMonitoring
CommandLine|contains: DisableRoutinelyTakingAction
CommandLine|contains: DisableScanOnRealtimeEnable
CommandLine|contains: DisableScriptScanning
CommandLine|contains: DisableSecurityCenter
CommandLine|contains: Notification_Suppress
CommandLine|contains: 'SignatureDisableUpdateOnStartupWithoutEngine'
CommandLine|contains: ' add '
CommandLine|contains: 'd 1'
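The four stages above can be read as a small evaluation function over Sysmon Event ID 1 fields. The following is an added example, not code from the Sigma project or from the rule's authors: it re-implements the stages in plain Python and runs them over constructed process-creation records. Two assumptions are built in and marked in the code: Sigma string matching is case-insensitive, so both sides are lower-cased; and in stages 3 and 4 the ' add ' and 'd 0'/'d 1' literals are treated as required together with one of the value names rather than as alternatives to them, which is how the flattened lists are read here.

```python
# Added example (not part of the published rule): a plain-Python rendering of the
# rule's four stages, run over constructed Sysmon Event ID 1 records.
from __future__ import annotations

# Stage 2: Defender registry paths the rule looks for in CommandLine.
ROOT_PATHS = (
    "SOFTWARE\\Microsoft\\Windows Defender\\",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center",
    "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
)

# Stage 3: value names whose meaning is "disable" when written as DWORD 0.
DWORD_0_VALUES = (
    "DisallowExploitProtectionOverride", "EnableControlledFolderAccess",
    "MpEnablePus", "PUAProtection", "SpynetReporting",
    "SubmitSamplesConsent", "TamperProtection",
)

# Stage 4: value names whose meaning is "disable" when written as DWORD 1.
DWORD_1_VALUES = (
    "DisableAccess", "DisableAntiSpyware", "DisableAntiSpywareRealtimeProtection",
    "DisableAntiVirus", "DisableAntiVirusSignatures", "DisableArchiveScanning",
    "DisableBehaviorMonitoring", "DisableBlockAtFirstSeen", "DisableCloudProtection",
    "DisableConfig", "DisableEnhancedNotifications", "DisableIOAVProtection",
    "DisableIntrusionPreventionSystem", "DisableNetworkProtection",
    "DisableOnAccessProtection", "DisablePrivacyMode", "DisableRealtimeMonitoring",
    "DisableRoutinelyTakingAction", "DisableScanOnRealtimeEnable",
    "DisableScriptScanning", "DisableSecurityCenter", "Notification_Suppress",
    "SignatureDisableUpdateOnStartupWithoutEngine",
)


def _contains_any(haystack: str, needles) -> bool:
    """Sigma 'contains' is case-insensitive: compare lower-cased strings."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def stage_root_img(event: dict) -> bool:
    """Stage 1: the process is reg.exe, by image path suffix or by the PE
    OriginalFileName (the latter still matches when the file was copied
    under another name, which is why the rule checks both)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\reg.exe") or original == "reg.exe"


def stage_root_path(cmdline: str) -> bool:
    """Stage 2: the command line names one of the Defender registry paths."""
    return _contains_any(cmdline, ROOT_PATHS)


def stage_dword(cmdline: str, value_names, dword_literal: str) -> bool:
    """Stages 3/4. Assumption: ' add ' and the 'd 0' / 'd 1' literal must both be
    present together with one of the listed value names."""
    return (_contains_any(cmdline, (" add ",))
            and _contains_any(cmdline, (dword_literal,))
            and _contains_any(cmdline, value_names))


def classify(event: dict) -> str | None:
    """Return the name of the dword selection that fired, or None if the rule
    does not match. Stages 1 and 2 are both required; 1 of stages 3/4 suffices."""
    cmdline = event.get("CommandLine", "")
    if not (stage_root_img(event) and stage_root_path(cmdline)):
        return None
    if stage_dword(cmdline, DWORD_0_VALUES, "d 0"):
        return "selection_dword_0"
    if stage_dword(cmdline, DWORD_1_VALUES, "d 1"):
        return "selection_dword_1"
    return None


# Constructed Sysmon Event ID 1 records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    # 0: real-time monitoring switched off via policy key -> selection_dword_1
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
                    '/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    # 1: cloud reporting switched off -> selection_dword_0
    {"Image": "C:\\Windows\\SysWOW64\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" '
                    '/v SpynetReporting /t REG_DWORD /d 0 /f'},
    # 2: reg.exe copied under another name; OriginalFileName still satisfies stage 1
    {"Image": "C:\\Users\\Public\\r.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'r.exe add "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features" '
                    '/v TamperProtection /t REG_DWORD /d 0 /f'},
    # 3: read-only query of the same key: no ' add ' -> no match
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection" '
                    '/v DisableRealtimeMonitoring'},
    # 4: same value name under an unrelated key: stage 2 fails -> no match
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKCU\\Software\\Contoso\\App" /v DisableConfig /t REG_DWORD /d 1 /f'},
    # 5: different tool entirely: stage 1 fails -> no match
    {"Image": "C:\\Windows\\regedit.exe", "OriginalFileName": "REGEDIT.EXE",
     "CommandLine": "regedit.exe /s settings.reg"},
]


def run_rule(events) -> list[tuple[int, str]]:
    """Evaluate the rule over a list of events; return (index, selection) per hit."""
    return [(i, hit) for i, e in enumerate(events) if (hit := classify(e))]


if __name__ == "__main__":
    for idx, selection in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: matched via {selection}")
```

Running the block prints a hit for events 0, 1 and 2 only. Events 3 to 5 show the three ways the rule stays quiet: a query rather than an add, a Defender-style value name written under a non-Defender path, and a process that is not reg.exe by either image name or OriginalFileName.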

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
CommandLine | match |
  • add corpus 11 (sigma 11)
  • DisableAccess
  • DisableAntiSpyware
  • DisableAntiSpywareRealtimeProtection
  • DisableAntiVirus
  • DisableAntiVirusSignatures
  • DisableArchiveScanning
  • DisableBehaviorMonitoring
  • DisableBlockAtFirstSeen
  • DisableCloudProtection
  • DisableConfig
  • DisableEnhancedNotifications
  • DisableIOAVProtection
  • DisableIntrusionPreventionSystem
  • DisableNetworkProtection
  • DisableOnAccessProtection
  • DisablePrivacyMode
  • DisableRealtimeMonitoring
  • DisableRoutinelyTakingAction
  • DisableScanOnRealtimeEnable
  • DisableScriptScanning
  • DisableSecurityCenter
  • DisallowExploitProtectionOverride
  • EnableControlledFolderAccess
  • MpEnablePus
  • Notification_Suppress
  • PUAProtection
  • SOFTWARE\Microsoft\Windows Defender\
  • SOFTWARE\Policies\Microsoft\Windows Defender Security Center
  • SOFTWARE\Policies\Microsoft\Windows Defender\
  • SignatureDisableUpdateOnStartupWithoutEngine
  • SpynetReporting
  • SubmitSamplesConsent
  • TamperProtection
  • d 0
  • d 1
Image | ends_with |
  • \reg.exe corpus 46 (sigma 46)
OriginalFileName | eq |
  • reg.exe corpus 29 (sigma 29)