windows_impair_defense_change_win_defender_health_check_intervals.yml
name: Windows Impair Defense Change Win Defender Health Check Intervals
id: 5211c260-820e-4366-b983-84bbfb5c263a
version: 1
date: '2024-01-08'
author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a modification in the Windows registry that changes the health check interval of Windows Defender.
  Specifically, a value of 1 typically signifies that Windows Defender would perform health checks at a much higher frequency than the default settings.
  However, setting this value to 1 does not necessarily produce that behavior, because some registry settings accept only specific values or a defined range
  rather than a simple binary representation.
  Changing registry values, especially those related to system services, should be approached cautiously.
  Incorrect modifications can impact system stability or performance. Always ensure you understand the implications and
  have a backup before altering registry settings.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\ServiceKeepAlive"
  Registry.registry_value_data="0x00000001"
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_impair_defense_change_win_defender_health_check_intervals_filter`'
how_to_implement: To successfully implement this search you need to be ingesting registry
  change information from your endpoints, including the name of the process responsible for
  the change, into the `Endpoint` datamodel in the `Registry` node.
known_false_positives: It is unusual to turn this feature off on a Windows system since
  it is a default security control, although it is not rare for some policies to disable
  it. Although no false positives have been identified, use the provided filter macro
  to tune the search.
references:
- https://x.com/malmoeb/status/1742604217989415386?s=20
- https://github.com/undergroundwires/privacy.sexy
tags:
  analytic_story:
  - Windows Defense Evasion Tactics
  - Windows Registry Abuse
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: change in the health check interval of Windows Defender on $dest$.
  mitre_attack_id:
  - T1562.001
  - T1562
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 49
  required_fields:
  - _time
  - Registry.registry_key_name
  - Registry.registry_value_name
  - Registry.dest
  - Registry.user
  - Registry.registry_path
  - Registry.action
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
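As an added illustration that is not part of the Splunk content above, the same registry-path and value match the search makes, applied in Python to constructed Sysmon EventID 13 XML events. The sample events, the host and user names, and the assumption that the Splunk add-on surfaces Sysmon's `Details` field `DWORD (0x00000001)` as `registry_value_data` `0x00000001` are this example's, not the analytic's.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Same match the SPL makes: registry_path "*\Windows Defender\ServiceKeepAlive"
# with registry_value_data "0x00000001" (compared case-insensitively here).
PATH_SUFFIX = "\\windows defender\\servicekeepalive"
TARGET_VALUE = "0x00000001"

def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Sysmon XML registry event into the fields the analytic uses."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {"event_id": int(system.findtext("e:EventID", namespaces=NS)),
              "dest": system.findtext("e:Computer", namespaces=NS)}
    for data in root.find("e:EventData", NS):
        fields[data.get("Name")] = data.text or ""
    # Assumption: the Splunk add-on exposes Sysmon's Details "DWORD (0x00000001)"
    # as registry_value_data "0x00000001"; normalise the same way here.
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9a-fA-F]+)\)", fields.get("Details", ""))
    fields["registry_value_data"] = m.group(1) if m else fields.get("Details", "")
    return fields

def find_keepalive_changes(events: list) -> list:
    """Return the registry events the search above would raise as findings."""
    hits = []
    for f in map(parse_sysmon_event, events):
        path = f.get("TargetObject", "")
        if (f["event_id"] in (12, 13) and path.lower().endswith(PATH_SUFFIX)
                and f["registry_value_data"].lower() == TARGET_VALUE):
            hits.append({"dest": f["dest"], "user": f.get("User"), "image": f.get("Image"),
                         "registry_path": path, "registry_value_data": f["registry_value_data"]})
    return hits

def _event(event_id: int, target: str, details: str) -> str:
    """Constructed Sysmon event (sample data for this example, not real telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            '<Computer>ws01.corp.example</Computer></System><EventData>'
            '<Data Name="EventType">SetValue</Data>'
            '<Data Name="Image">C:\\Windows\\regedit.exe</Data>'
            f'<Data Name="TargetObject">{target}</Data><Data Name="Details">{details}</Data>'
            '<Data Name="User">CORP\\alice</Data></EventData></Event>')

KEEPALIVE = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\ServiceKeepAlive"
SAMPLE_EVENTS = [
    _event(13, KEEPALIVE, "DWORD (0x00000001)"),  # the change the analytic flags
    _event(13, KEEPALIVE, "DWORD (0x00000000)"),  # same key, different data: no hit
    _event(13, "HKLM\\SOFTWARE\\Contoso\\Agent\\KeepAlive", "DWORD (0x00000001)"),  # unrelated key
]
```

Running `find_keepalive_changes(SAMPLE_EVENTS)` returns only the first event, with the `dest`, `user`, `registry_path` and `registry_value_data` fields the search groups by.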