Hub configuration

More info

1type: trigger

2name: sigmahq/proc_creation_win_reg_windows_defender_tamper

3description: |

4 Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

5filter: |

6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\reg.exe' || evt.Parsed.OriginalFileName == 'reg.exe') && (evt.Parsed.CommandLine contains 'SOFTWARE\\Microsoft\\Windows Defender\\' || evt.Parsed.CommandLine contains 'SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center' || evt.Parsed.CommandLine contains 'SOFTWARE\\Policies\\Microsoft\\Windows Defender\\') && (evt.Parsed.CommandLine contains ' add ' && evt.Parsed.CommandLine contains 'd 0' && (evt.Parsed.CommandLine contains 'DisallowExploitProtectionOverride' || evt.Parsed.CommandLine contains 'EnableControlledFolderAccess' || evt.Parsed.CommandLine contains 'MpEnablePus' || evt.Parsed.CommandLine contains 'PUAProtection' || evt.Parsed.CommandLine contains 'SpynetReporting' || evt.Parsed.CommandLine contains 'SubmitSamplesConsent' || evt.Parsed.CommandLine contains 'TamperProtection') || evt.Parsed.CommandLine contains ' add ' && evt.Parsed.CommandLine contains 'd 1' && (evt.Parsed.CommandLine contains 'DisableAntiSpyware' || evt.Parsed.CommandLine contains 'DisableAntiSpywareRealtimeProtection' || evt.Parsed.CommandLine contains 'DisableAntiVirus' || evt.Parsed.CommandLine contains 'DisableArchiveScanning' || evt.Parsed.CommandLine contains 'DisableBehaviorMonitoring' || evt.Parsed.CommandLine contains 'DisableBlockAtFirstSeen' || evt.Parsed.CommandLine contains 'DisableConfig' || evt.Parsed.CommandLine contains 'DisableEnhancedNotifications' || evt.Parsed.CommandLine contains 'DisableIntrusionPreventionSystem' || evt.Parsed.CommandLine contains 'DisableIOAVProtection' || evt.Parsed.CommandLine contains 'DisableOnAccessProtection' || evt.Parsed.CommandLine contains 'DisablePrivacyMode' || evt.Parsed.CommandLine contains 'DisableRealtimeMonitoring' || evt.Parsed.CommandLine contains 'DisableRoutinelyTakingAction' || evt.Parsed.CommandLine contains 'DisableScanOnRealtimeEnable' || evt.Parsed.CommandLine contains 'DisableScriptScanning' || evt.Parsed.CommandLine contains 'Notification_Suppress' || evt.Parsed.CommandLine contains 'SignatureDisableUpdateOnStartupWithoutEngine')))

7blackhole: 2m

8#status: test

9labels:

10 service: windows

11 confidence: 1

12 spoofable: 0

13 classification:

14 - attack.t1562.001

16 label: "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"

17 behavior : "windows:audit"

18 remediation: false

20scope:

21 type: ParentProcessId

22 expression: evt.Parsed.ParentProcessId

Hub configuration

« proc_creation_win_reg_windows_defender_tamper »v0.2 by sigmahqAttack scenarioservice:windowsspoofable:0MITRE:t1562confidence:1

« proc_creation_win_reg_windows_defender_tamper »
v0.2 by sigmahq
Attack scenarioservice:windowsspoofable:0MITRE:t1562confidence:1