Windows Defender ASR Registry Modification
The following analytic detects modifications to Windows Defender Attack Surface Reduction (ASR) registry settings. It leverages Windows Defender Operational logs, specifically EventCode 5007, to identify changes in ASR rules. This activity is significant because ASR rules are designed to block actions commonly used by malware to exploit systems. Unauthorized modifications to these settings could indicate an attempt to weaken system defenses. If confirmed malicious, this could allow an attacker to bypass security measures, leading to potential system compromise and data breaches.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1112 Modify Registry |
| Defense Evasion | T1112 Modify Registry |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Windows-Defender | 5007 | |
Stages and Predicates
Stage 1: search
search EventCode=5007
Stage 2: rex
rex field=New_Value ...
Stage 3: rex
rex field=Old_Value ...
Stage 4: rex
rex field=New_Value ...
Stage 5: eval
eval ...
Stage 6: eval
eval ...
Stage 7: stats
stats BY host, New_Value, Old_Value, Old_Registry_Value, New_Registry_Value, ASR_ID
Stage 8: lookup
lookup <lookup> ASR_ID, ASR_Rule, ID
Stage 9: search
search
Stage 10: rename
rename
Stage 11: search
search
Stage 12: search
search `macro`
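The stages above carried out in Python over a few constructed 5007 events, as an added illustration that is not the rule's SPL or Splunk's own code; the ASR GUID, rule name and event shape are placeholders, while the registry state values 0/1/2/6 are the documented ASR rule states (Off, Block, Audit, Warn). The rule's elided rex, eval and lookup bodies are not reproduced, only their effect.

```python
import re

# Constructed stand-in for the rule's ASR_ID -> ASR_Rule lookup (placeholder GUID and name).
ASR_LOOKUP = {"11111111-2222-3333-4444-555555555555": "Placeholder ASR rule"}
# ASR rule states as stored in the registry value (0 Off, 1 Block, 2 Audit, 6 Warn).
ASR_STATE = {0: "Off", 1: "Block", 2: "Audit", 6: "Warn"}
# Counterpart of the rex stages: rule GUID and hex value under ...\Exploit Guard\ASR\Rules\.
ASR_RE = re.compile(
    r"Exploit Guard\\ASR\\Rules\\(?P<asr_id>[0-9a-f-]{36})\s*=\s*0x(?P<val>[0-9a-f]+)",
    re.IGNORECASE,
)

def parse_asr_value(text):
    """Return (asr_id, int value) from an Old_Value/New_Value string, or None if not an ASR key."""
    m = ASR_RE.search(text or "")
    return (m.group("asr_id").lower(), int(m.group("val"), 16)) if m else None

def detect_asr_changes(events):
    """Counterpart of the search/rex/eval/lookup stages over already-extracted 5007 fields."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 5007:
            continue
        new = parse_asr_value(ev.get("New_Value"))
        if new is None:
            continue  # 5007 fires for any Defender config change; keep only ASR rule keys
        old = parse_asr_value(ev.get("Old_Value"))
        asr_id, new_val = new
        old_val = old[1] if old else None
        hits.append({
            "host": ev["host"], "ASR_ID": asr_id,
            "ASR_Rule": ASR_LOOKUP.get(asr_id, "unknown ASR_ID"),
            "Old_Registry_Value": ASR_STATE.get(old_val, "unset"),
            "New_Registry_Value": ASR_STATE.get(new_val, f"unknown({new_val})"),
            # Block/Warn dropped to Off/Audit is the "weaken system defenses" case
            "weakened": old_val in (1, 6) and new_val in (0, 2),
        })
    return hits

# Constructed sample events in the shape Splunk extracts from Defender Operational 5007 records.
RULE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\11111111-2222-3333-4444-555555555555"
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 5007, "Old_Value": RULE_KEY + " = 0x1", "New_Value": RULE_KEY + " = 0x0"},
    {"host": "ws02", "EventCode": 5007,  # Defender config change that is not an ASR rule: no hit
     "Old_Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0x5",
     "New_Value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0x4"},
    {"host": "ws03", "EventCode": 5001, "Old_Value": "", "New_Value": ""},  # wrong EventCode: no hit
]
```

Running `detect_asr_changes(SAMPLE_EVENTS)` yields a single row for ws01 with the rule moved from Block to Off and `weakened` set, which is the row a triage queue would want on top.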
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | in | 5007 |