/
windows_impair_defense_disable_controlled_folder_access.yml
71 lines (71 loc) · 3.21 KB
/
windows_impair_defense_disable_controlled_folder_access.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
name: Windows Impair Defense Disable Controlled Folder Access
id: 3032741c-d6fc-4c69-8988-be8043d6478c
version: 1
date: '2024-01-08'
author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a modification in the Windows registry to disable Windows Defender
Controlled Folder Access feature. The EnableControlledFolderAccess registry setting is associated with the Controlled
Folder Access feature in Windows Defender. Controlled Folder Access is a security feature designed to protect certain
folders from unauthorized access or modification by malicious applications, including ransomware.
When EnableControlledFolderAccess is set to 0, it usually indicates that the Controlled Folder Access feature
within Windows Defender is not active. Consequently, the protection mechanism for the specified folders against
unauthorized access by potentially malicious applications or ransomware is not enabled.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess"
Registry.registry_value_data="0x00000000"
by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_impair_defense_disable_controlled_folder_access_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Registry` node.
known_false_positives: It is unusual to turn this feature off a Windows system since
it is a default security control, although it is not rare for some policies to disable
it. Although no false positives have been identified, use the provided filter macro
to tune the search.
references:
- https://x.com/malmoeb/status/1742604217989415386?s=20
- https://github.com/undergroundwires/privacy.sexy
tags:
analytic_story:
- Windows Defense Evasion Tactics
- Windows Registry Abuse
asset_type: Endpoint
confidence: 70
impact: 70
message: Windows Defender ControlledFolderAccess feature set to disable on $dest$.
mitre_attack_id:
- T1562.001
- T1562
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 49
required_fields:
- _time
- Registry.registry_key_name
- Registry.registry_value_name
- Registry.dest
- Registry.user
- Registry.registry_path
- Registry.action
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog