detection.wiki

Detection rules › Splunk

Windows Impair Defenses Disable AV AutoStart via Registry

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects modifications to the registry related to the disabling of autostart functionality for certain antivirus products, such as Kingsoft and Tencent. Malware like ValleyRAT may alter specific registry keys to prevent these security tools from launching automatically at startup, thereby weakening system defenses. By monitoring changes in the registry entries associated with antivirus autostart settings, this detection enables security analysts to identify attempts to disable protective software. Detecting these modifications early is critical for maintaining system integrity and preventing further compromise by malicious actors.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1112 Modify Registry
Defense EvasionT1112 Modify Registry

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats WHERE ((Registry.registry_value_data="0x00000000" Registry.registry_value_name IN ("WindhunterSwitch", "autostart", "kxesc")) OR (Registry.registry_value_data="0x00000004" Registry.registry_value_name="WindhunterLevel")) Registry.registry_path IN ("*\\Tencent\\QQPCMgr\\*", "*\\kingsoft\\antivirus\\KAVReport\\*", "*\\kingsoft\\antivirus\\KSetting\\*", "*\\kingsoft\\antivirus\\Windhunter\\*") BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Registry.registry_pathin
  • "*\\Tencent\\QQPCMgr\\*"
  • "*\\kingsoft\\antivirus\\KAVReport\\*"
  • "*\\kingsoft\\antivirus\\KSetting\\*"
  • "*\\kingsoft\\antivirus\\Windhunter\\*"
Registry.registry_value_dataeq
  • "0x00000000" corpus 27 (splunk 27)
  • "0x00000004"
Registry.registry_value_nameeq
  • "WindhunterLevel"
Registry.registry_value_namein
  • "WindhunterSwitch"
  • "autostart"
  • "kxesc"