fibratus/rules/defense_evasion_windows_defender_protection_tampering_via_registry.yml at master · rabbitstack/fibratus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: Windows Defender protection tampering via registry
id: 47ad962b-be0f-44f8-9467-34109f41e5ff
version: 1.0.2
description: |
  Detects suspicious processes modifying Windows Defender configuration settings via registry
  to disable protection features.
labels:
  tactic.id: TA0005
  tactic.name: Defense Evasion
  tactic.ref: https://attack.mitre.org/tactics/TA0005/
  technique.id: T1562
  technique.name: Impair Defenses
  technique.ref: https://attack.mitre.org/techniques/T1562/
  subtechnique.id: T1562.001
  subtechnique.name: Disable or Modify Tools
  subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
references:
  - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

condition: >
  set_value and
  ((base(registry.path) iin
                        (
                          'DisableAntiSpyware',
                          'DisableAntiVirus',
                          'DisableBehaviorMonitoring',
                          'DisableBlockAtFirstSeen',
                          'DisableEnhancedNotifications',
                          'DisableIntrusionPreventionSystem',
                          'DisableIOAVProtection',
                          'DisableOnAccessProtection',
                          'DisableRealtimeMonitoring',
                          'DisableScanOnRealtimeEnable',
                          'DisableScriptScanning',
                          'DisableArchiveScanning',
                          'DisableRawWriteNotification'
                        ) and registry.data = '1') or
    (registry.path imatches
                        (
                          '*\\Windows Defender\\Spynet\\SpyNetReporting',
                          '*\\Windows Defender\\Spynet\\SubmitSamplesConsent',
                          '*\\DisallowExploitProtectionOverride',
                          '*\\Windows Defender\\Features\\TamperProtection',
                          '*\\Windows Defender\\MpEngine\\MpEnablePus'
                        ) and registry.data = '0'
    )
  ) and
  ps.exe not imatches
            (
              '?:\\Program Files\\Symantec\\Symantec Endpoint Protection\\sepWscSvc64.exe',
              '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\ConfigSecurityPolicy.exe',
              '?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe',
              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\NisSrv.exe'
            )
action:
  - name: kill

output: >
  Suspicious process %ps.exe tampered Windows Defender security settings in registry value %registry.path
severity: high

min-engine-version: 3.0.0