windows_impair_defense_disable_realtime_signature_delivery.yml
name: Windows Impair Defense Disable Realtime Signature Delivery
id: ffd99aea-542f-448e-b737-091c1b417274
version: 1
date: '2024-01-08'
author: Teoderick Contreras, Splunk
status: production
type: TTP
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
description: The following analytic identifies a modification in the Windows registry that disables the
  Windows Defender real-time signature delivery feature. This setting governs how Windows Defender Antivirus
  receives updated signature definitions for identifying and combating malware threats in real time. The actual
  impact and behaviors associated with different values for RealtimeSignatureDelivery can vary based on specific
  Windows Defender configurations and policies. For instance, setting this value to 0 or 1 might control whether
  real-time signatures are delivered via different methods, such as through Windows Update or directly from
  Microsoft's cloud-based services.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery"
  Registry.registry_value_data="0x00000000"
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_impair_defense_disable_realtime_signature_delivery_filter`'
how_to_implement: To successfully implement this search you need to be ingesting registry
  activity that includes the name of the process responsible for the change from your
  endpoints into the `Endpoint` data model in the `Registry` node.
known_false_positives: It is unusual to turn this feature off on a Windows system since
  it is a default security control, although it is not rare for some policies to disable
  it. Although no false positives have been identified, use the provided filter macro
  to tune the search.
references:
- https://x.com/malmoeb/status/1742604217989415386?s=20
- https://github.com/undergroundwires/privacy.sexy
tags:
  analytic_story:
  - Windows Defense Evasion Tactics
  - Windows Registry Abuse
  asset_type: Endpoint
  confidence: 70
  impact: 70
  message: Windows Defender File realtime signature delivery set to disabled on $dest$.
  mitre_attack_id:
  - T1562.001
  - T1562
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  risk_score: 49
  required_fields:
  - _time
  - Registry.registry_key_name
  - Registry.registry_value_name
  - Registry.dest
  - Registry.user
  - Registry.registry_path
  - Registry.action
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
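The tstats search above reduces to two conditions (a glob on the registry path and an exact value of 0x00000000) followed by a count/first/last aggregation per field combination. The Python below is an added example, not Splunk's code or part of this detection file, that re-implements that logic so the match and grouping behaviour can be checked outside Splunk. It assumes events already normalised to the Endpoint.Registry field names the search uses (registry_path, registry_value_data, dest, user, and so on); the hostnames, user and timestamps in the sample events are constructed.

```python
"""Stand-alone re-implementation of the page's tstats logic (added example,
not Splunk's code). Input events are dicts shaped like Endpoint.Registry rows."""
from fnmatch import fnmatchcase

# Glob and value copied from the search's where clause (Windows backslashes).
TARGET_PATH_GLOB = r"*\Windows Defender\Signature Updates\RealtimeSignatureDelivery"
DISABLED_VALUE = "0x00000000"
# Same "by" fields as the search, in the same order.
GROUP_BY = ("registry_key_name", "user", "registry_path",
            "registry_value_data", "action", "dest")


def is_hit(event):
    """Mirror the where clause. Splunk matches field values case-insensitively,
    so both sides are lowercased before the glob comparison."""
    path = event.get("registry_path", "")
    value = event.get("registry_value_data", "")
    return (fnmatchcase(path.lower(), TARGET_PATH_GLOB.lower())
            and value.lower() == DISABLED_VALUE)


def run_detection(events):
    """Equivalent of 'count min(_time) as firstTime max(_time) as lastTime ... by <fields>':
    one result row per distinct combination of GROUP_BY fields among matching events."""
    rows = {}
    for ev in events:
        if not is_hit(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return [dict(zip(GROUP_BY, key), **agg) for key, agg in rows.items()]


def risk_message(row):
    """Render the rule's 'message' field for one result row."""
    return f"Windows Defender File realtime signature delivery set to disabled on {row['dest']}."


# Constructed sample events (not real telemetry). Hosts, user and times are made up.
_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates"
SAMPLE_EVENTS = [
    # 1) value set to 0 under the expected path: should fire
    {"_time": 1704672000, "dest": "ws-finance-07", "user": "CORP\\jdoe", "action": "modified",
     "registry_key_name": _KEY,
     "registry_path": _KEY + "\\RealtimeSignatureDelivery",
     "registry_value_data": "0x00000000"},
    # 2) same value name left enabled (1): value condition fails
    {"_time": 1704672060, "dest": "ws-hr-02", "user": "CORP\\asmith", "action": "modified",
     "registry_key_name": _KEY,
     "registry_path": _KEY + "\\RealtimeSignatureDelivery",
     "registry_value_data": "0x00000001"},
    # 3) sibling value under the same key set to 0: path glob does not match
    {"_time": 1704672120, "dest": "ws-finance-07", "user": "CORP\\jdoe", "action": "modified",
     "registry_key_name": _KEY,
     "registry_path": _KEY + "\\SignatureUpdateInterval",
     "registry_value_data": "0x00000000"},
    # 4) the first change repeated five minutes later on the same host: folds into row 1
    {"_time": 1704672300, "dest": "ws-finance-07", "user": "CORP\\jdoe", "action": "modified",
     "registry_key_name": _KEY,
     "registry_path": _KEY + "\\RealtimeSignatureDelivery",
     "registry_value_data": "0x00000000"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["count"], row["firstTime"], row["lastTime"], risk_message(row))
```

Running the block on the constructed events yields a single row with count 2 for ws-finance-07; the enabled value and the sibling value name are both dropped, which is the same behaviour the SPL where clause gives. Because the path check is a glob anchored only at the end, hits under HKLM and under any policy hive path are both captured, matching the leading `*` in the search.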