Disable Windows Defender Functionalities Via Registry Keys

Severity
high
Author
AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
Source
upstream

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

MITRE ATT&CK coverage

Tactic: Defense Evasion
Technique: T1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

Provider: Sysmon
Event ID: 13
Title: RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection_main

or:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows Defender\'
TargetObject|contains: '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
TargetObject|contains: '\SOFTWARE\Policies\Microsoft\Windows Defender\'

Stage 2: 1 of selection_dword_1

Stages 2 and 3 are alternatives ("1 of selection_dword_*" in the rule condition): an event must match either this group, where writing 1 turns the feature off, or the Stage 3 group, where writing 0 turns it off. Within a group the TargetObject suffixes are OR-ed with each other and AND-ed with the Details value.

or:
TargetObject|endswith: '\DisableAntiSpyware'
TargetObject|endswith: '\DisableAntiVirus'
TargetObject|endswith: '\DisableBehaviorMonitoring'
TargetObject|endswith: '\DisableBlockAtFirstSeen'
TargetObject|endswith: '\DisableEnhancedNotifications'
TargetObject|endswith: '\DisableIOAVProtection'
TargetObject|endswith: '\DisableIntrusionPreventionSystem'
TargetObject|endswith: '\DisableOnAccessProtection'
TargetObject|endswith: '\DisableRealtimeMonitoring'
TargetObject|endswith: '\DisableScanOnRealtimeEnable'
TargetObject|endswith: '\DisableScriptScanning'
and:
Details: 'DWORD (0x00000001)'

Stage 3: 1 of selection_dword_0

or:
TargetObject|endswith: '\DisallowExploitProtectionOverride'
TargetObject|endswith: '\Features\TamperProtection'
TargetObject|endswith: '\MpEngine\MpEnablePus'
TargetObject|endswith: '\PUAProtection'
TargetObject|endswith: '\Signature Update\ForceUpdateFromMU'
TargetObject|endswith: '\SpyNet\SpynetReporting'
TargetObject|endswith: '\SpyNet\SubmitSamplesConsent'
TargetObject|endswith: '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
and:
Details: 'DWORD (0x00000000)'

Stage 4: not 1 of filter_optional_symantec

Excludes value writes by Symantec Endpoint Protection's Windows Security Center service (sepWscSvc64.exe), a known benign writer of these values. Both Image predicates must hold for the exclusion to apply:

and:
Image|endswith: '\sepWscSvc64.exe'
Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
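The four stages above, evaluated as one condition over constructed Sysmon Event ID 13 records. This is an added example, not code from the rule's authors or the Sigma project: the events are dicts keyed by the Sysmon field names the rule reads (TargetObject, Details, Image), the sample records are made up for the demonstration, and string matching is done case-insensitively, as Sigma's string modifiers are.

```python
"""Added example: this rule's condition run over constructed Sysmon EID 13 events.

Condition reproduced from the stages on this page:
    selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
"""

DEFENDER_PATHS = (  # selection_main: TargetObject|contains
    "\\SOFTWARE\\Microsoft\\Windows Defender\\",
    "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\",
    "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\",
)

DISABLE_WHEN_1 = (  # selection_dword_1: the feature is off when the value is 1
    "\\DisableAntiSpyware", "\\DisableAntiVirus", "\\DisableBehaviorMonitoring",
    "\\DisableBlockAtFirstSeen", "\\DisableEnhancedNotifications",
    "\\DisableIOAVProtection", "\\DisableIntrusionPreventionSystem",
    "\\DisableOnAccessProtection", "\\DisableRealtimeMonitoring",
    "\\DisableScanOnRealtimeEnable", "\\DisableScriptScanning",
)

DISABLE_WHEN_0 = (  # selection_dword_0: the feature is off when the value is 0
    "\\DisallowExploitProtectionOverride", "\\Features\\TamperProtection",
    "\\MpEngine\\MpEnablePus", "\\PUAProtection",
    "\\Signature Update\\ForceUpdateFromMU", "\\SpyNet\\SpynetReporting",
    "\\SpyNet\\SubmitSamplesConsent",
    "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess",
)

SYMANTEC_DIR = "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\"
SYMANTEC_IMAGE = "\\sepWscSvc64.exe"


def _contains_any(value, needles):
    """Sigma |contains, case-insensitive, against a list of candidates."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, needles):
    """Sigma |endswith, case-insensitive, against a list of candidates."""
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def matches_rule(event):
    """True when a Sysmon EID 13 record satisfies the rule condition."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "").lower()
    image = event.get("Image", "").lower()

    selection_main = _contains_any(target, DEFENDER_PATHS)
    # Inside each dword group: suffixes are OR-ed, Details is AND-ed.
    selection_dword_1 = _endswith_any(target, DISABLE_WHEN_1) and details == "dword (0x00000001)"
    selection_dword_0 = _endswith_any(target, DISABLE_WHEN_0) and details == "dword (0x00000000)"
    # Both Image predicates must hold for the Symantec exclusion to apply.
    filter_optional_symantec = (image.startswith(SYMANTEC_DIR.lower())
                                and image.endswith(SYMANTEC_IMAGE.lower()))

    return selection_main and (selection_dword_1 or selection_dword_0) and not filter_optional_symantec


# Constructed Sysmon EID 13 records (only the fields the rule reads are included).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},                 # alert: policy value set to 1
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting",
     "Details": "DWORD (0x00000000)"},                 # alert: cloud reporting set to 0
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},                 # no alert: 0 re-enables the feature
    {"Image": "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\sepWscSvc64.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},                 # no alert: filter_optional_symantec
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\Public\\u.exe"},           # no alert: outside the Defender keys
]


def alerting_events(events):
    """Indices of the records the rule fires on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in alerting_events(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['Image']} set {e['TargetObject']} = {e['Details']}")
```

The third sample record is the one worth noticing when tuning: the same value name the rule watches, written with the opposite data, does not fire, because each dword group ties its suffix list to one exact Details string. That string is Sysmon's own rendering of a REG_DWORD write; if the events arrive through a different collector that renders the value differently, the Details predicate must be adjusted or the rule will never match.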

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: Details, kind: eq
  • DWORD (0x00000000) corpus 38 (sigma 38)
  • DWORD (0x00000001) corpus 37 (sigma 37)
Field: Image, kind: ends_with
  • \sepWscSvc64.exe
Field: Image, kind: starts_with
  • C:\Program Files\Symantec\Symantec Endpoint Protection\
Field: TargetObject, kind: ends_with
  • \DisableAntiSpyware
  • \DisableAntiVirus
  • \DisableBehaviorMonitoring
  • \DisableBlockAtFirstSeen
  • \DisableEnhancedNotifications
  • \DisableIOAVProtection
  • \DisableIntrusionPreventionSystem
  • \DisableOnAccessProtection
  • \DisableRealtimeMonitoring
  • \DisableScanOnRealtimeEnable
  • \DisableScriptScanning
  • \DisallowExploitProtectionOverride
  • \Features\TamperProtection
  • \MpEngine\MpEnablePus
  • \PUAProtection
  • \Signature Update\ForceUpdateFromMU
  • \SpyNet\SpynetReporting
  • \SpyNet\SubmitSamplesConsent
  • \Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess
Field: TargetObject, kind: match (contains)
  • \SOFTWARE\Microsoft\Windows Defender\
  • \SOFTWARE\Policies\Microsoft\Windows Defender Security Center\
  • \SOFTWARE\Policies\Microsoft\Windows Defender\