IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.1] Detections and alerts Prebuilt rule reference
« Microsoft IIS Service Account Password Dumped Mimikatz Memssp Log File Detected »

Microsoft Windows Defender Tamperingedit

Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper Microsoft Defender features to evade detection and conceal malicious behavior.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 2 (version history)

Added (Elastic Stack release): 8.0.0

Last modified (Elastic Stack release): 8.1.0

Rule authors: Austin Songer

Rule license: Elastic License v2

Potential false positivesedit

Legitimate Windows Defender configuration changes

Rule queryedit

registry where event.type in ("creation", "change") and
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\PUAProtection" and registry.data.strings : ("0",
"0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security
Center\\App and Browser protection\\DisallowExploitProtectionOverride"
and registry.data.strings : ("1", "0x00000001")) or (registry.path
: "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\DisableAntiSpyware" and registry.data.strings : ("1",
"0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Features\\TamperProtection" and registry.data.strings :
("0", "0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableRealtimeMonitoring" and registry.data.strings :
("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIntrusionPreventionSystem" and
registry.data.strings : ("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableScriptScanning" and registry.data.strings : ("1",
"0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows
Defender Exploit Guard\\Controlled Folder
Access\\EnableControlledFolderAccess" and registry.data.strings :
("0", "0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIOAVProtection" and registry.data.strings : ("1",
"0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Reporting\\DisableEnhancedNotifications" and
registry.data.strings : ("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\DisableBlockAtFirstSeen" and registry.data.strings
: ("1", "0x00000001")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SpynetReporting" and registry.data.strings : ("0",
"0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SubmitSamplesConsent" and registry.data.strings :
("0", "0x00000000")) or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableBehaviorMonitoring" and registry.data.strings :
("1", "0x00000001"))

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 2 (8.1.0 release)

  • Updated query, changed from:

    registry where event.type in ("creation", "change") and
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\PUAProtection" and registry.data.strings : "0") or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender Security Center\\App and Browser
protection\\DisallowExploitProtectionOverride" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\DisableAntiSpyware" and registry.data.strings : "1") or
(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Features\\TamperProtection" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableRealtimeMonitoring" and registry.data.strings :
"1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIntrusionPreventionSystem" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableScriptScanning" and registry.data.strings : "1")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Windows Defender Exploit Guard\\Controlled Folder
Access\\EnableControlledFolderAccess" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableIOAVProtection" and registry.data.strings : "1")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\Reporting\\DisableEnhancedNotifications" and
registry.data.strings : "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\DisableBlockAtFirstSeen" and registry.data.strings
: "1") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SpynetReporting" and registry.data.strings : "0")
or (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows
Defender\\SpyNet\\SubmitSamplesConsent" and registry.data.strings :
"0") or (registry.path :
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time
Protection\\DisableBehaviorMonitoring" and registry.data.strings :
"1")
« Microsoft IIS Service Account Password Dumped Mimikatz Memssp Log File Detected »