disable_defender_spynet_reporting.yml
name: Disable Defender Spynet Reporting
id: 898debf4-3021-11ec-ba7c-acde48001122
version: 4
date: '2023-12-27'
author: Steven Dick, Teoderick Contreras, Splunk
status: production
type: TTP
description: This analytic detects a suspicious registry modification that disables
  a Windows Defender feature. Setting the SpynetReporting value to 0 turns off SpyNet
  reporting of Defender telemetry, a technique used to bypass or evade detection by the
  Windows Defender AV product.
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*"
  Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000)
  BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name
  Registry.registry_value_data Registry.process_guid Registry.user Registry.dest
  | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data)
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `disable_defender_spynet_reporting_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the registry value name, registry path, and registry value data from your
  endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
  Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: An admin or user may legitimately choose to disable the Windows
  Defender product.
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
tags:
  analytic_story:
  - Azorult
  - Windows Registry Abuse
  - Qakbot
  - IcedID
  - CISA AA23-347A
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: modified/added/deleted registry entry $registry_path$ in $dest$
  mitre_attack_id:
  - T1562.001
  - T1562
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: user
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Registry.dest
  - Registry.registry_value_name
  - Registry.registry_key_name
  - Registry.registry_path
  - Registry.registry_value_data
  - Registry.process_guid
  risk_score: 49
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/icedid/disable_av/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
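As an added example that is not part of this Splunk detection, the Python below applies the same predicate as the tstats WHERE clause (path under \Microsoft\Windows Defender\SpyNet, value name SpynetReporting, value data 0) to constructed Sysmon registry events, so the true positive and the nearby benign cases can be checked offline. The sample events, the HKLM\SOFTWARE\Policies key path, and the Details-to-registry_value_data normalization are assumptions, not the Sysmon TA's actual field extractions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon registry events (13 = value set, 12 = key created); not real telemetry.
SPYNET_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet"
SAMPLE_EVENTS = [
    # true positive: SpynetReporting set to 0
    "<Event><System><EventID>13</EventID></System><EventData>"
    f'<Data Name="TargetObject">{SPYNET_KEY}\\SpynetReporting</Data>'
    '<Data Name="Details">DWORD (0x00000000)</Data></EventData></Event>',
    # benign: same value name, but set to a non-zero level
    "<Event><System><EventID>13</EventID></System><EventData>"
    f'<Data Name="TargetObject">{SPYNET_KEY}\\SpynetReporting</Data>'
    '<Data Name="Details">DWORD (0x00000002)</Data></EventData></Event>',
    # benign: a different value under the same key set to 0
    "<Event><System><EventID>13</EventID></System><EventData>"
    f'<Data Name="TargetObject">{SPYNET_KEY}\\SubmitSamplesConsent</Data>'
    '<Data Name="Details">DWORD (0x00000000)</Data></EventData></Event>',
    # EventID 12 (key created): carries no Details, so no value data to match
    "<Event><System><EventID>12</EventID></System><EventData>"
    f'<Data Name="TargetObject">{SPYNET_KEY}</Data></EventData></Event>',
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: text}) for one Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("./System/EventID"))
    return event_id, {d.get("Name"): (d.text or "") for d in root.iter("Data")}

def registry_value_data(details):
    # Assumed TA-style normalization: 'DWORD (0x00000000)' -> '0x00000000',
    # so the value compares the way the SPL's registry_value_data = 0x00000000 does.
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)", details)
    return m.group(1) if m else details

def is_spynet_reporting_disabled(event_id, data):
    """The tstats WHERE clause, compared case-insensitively as SPL does."""
    if event_id not in (12, 13):
        return False
    target = data.get("TargetObject", "")   # Registry.registry_path in the data model
    if "\\microsoft\\windows defender\\spynet" not in target.lower():
        return False
    if target.rpartition("\\")[2].lower() != "spynetreporting":   # registry_value_name
        return False
    return registry_value_data(data.get("Details", "")) == "0x00000000"

def find_hits(events):
    """TargetObject of every event the detection would fire on."""
    return [data["TargetObject"] for event_id, data in map(parse_event, events)
            if is_spynet_reporting_disabled(event_id, data)]
```

Only the first sample fires; the non-zero level, the sibling value and the EventID 12 key creation are all filtered out, which mirrors why the search keeps the `where isnotnull(registry_value_data)` step.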