Windows Impair Defense Delete Win Defender Context Menu

Original Source: [splunk source]
Name: Windows Impair Defense Delete Win Defender Context Menu
id: 395ed5fe-ad13-4366-9405-a228427bdd91
version: 3
date: 2024-10-17
author: Teoderick Contreras, Splunk
status: production
type: Hunting
Description: The following analytic detects the deletion of the Windows Defender context menu entry from the registry. It leverages data from the Endpoint datamodel, specifically monitoring registry events where the path matches the wildcard "*\\shellex\\ContextMenuHandlers\\EPP" and the action is 'deleted'. This activity is significant because it is commonly associated with Remote Access Trojan (RAT) malware attempting to disable security features. If confirmed malicious, this could allow an attacker to impair defenses, facilitating further malicious activities such as unauthorized access, persistence, and data exfiltration.
Data_source:
  - Sysmon EventID 12
  - Sysmon EventID 13
search: | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\shellex\\ContextMenuHandlers\\EPP" Registry.action = deleted by Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.action Registry.dest Registry.user
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_impair_defense_delete_win_defender_context_menu_filter`
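As an added example that is not part of the Splunk analytic or its repository, the Python below re-implements the search's logic offline so the filter and grouping can be checked without a Splunk instance: it parses Sysmon Event ID 12 records from Windows event XML, normalises them into the `Endpoint.Registry` fields the search uses, keeps only `deleted` actions whose path matches the `*\shellex\ContextMenuHandlers\EPP` wildcard (case-insensitively, as Splunk would), and then groups and counts like the `tstats` clause. The host name, user, process GUIDs, image path and timestamps in the sample records are constructed, and the `EventType`-to-`action` mapping is an assumption made for this example rather than the add-on's exact normalisation.

```python
"""Offline re-implementation of the hunt above over constructed Sysmon registry events."""
import fnmatch
import xml.etree.ElementTree as ET
from collections import defaultdict

# Default namespace of Windows event XML, needed for ElementTree lookups.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Wildcard path taken from the analytic's search (Splunk-style glob, case-insensitive).
REGISTRY_PATH_PATTERN = r"*\shellex\ContextMenuHandlers\EPP"

# Assumed mapping from Sysmon registry EventType to Endpoint.Registry "action" values.
ACTION_BY_EVENT_TYPE = {"CreateKey": "created", "DeleteKey": "deleted",
                        "DeleteValue": "deleted", "SetValue": "modified", "RenameKey": "modified"}

# Constructed sample events: host, user, GUIDs, image path and timestamps are made up.
SAMPLE_SYSMON_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name="EventType">DeleteKey</Data><Data Name="UtcTime">2024-10-17 10:15:02.101</Data>
    <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000001}</Data><Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name="EventType">DeleteKey</Data><Data Name="UtcTime">2024-10-17 10:15:02.205</Data>
    <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000001}</Data><Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name="EventType">DeleteKey</Data><Data Name="UtcTime">2024-10-17 10:15:02.310</Data>
    <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000001}</Data><Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name="EventType">CreateKey</Data><Data Name="UtcTime">2024-10-17 10:20:00.000</Data>
    <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000002}</Data><Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
    <Data Name="TargetObject">HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>12</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name="EventType">DeleteKey</Data><Data Name="UtcTime">2024-10-17 11:00:00.000</Data>
    <Data Name="ProcessGuid">{11111111-0000-0000-0000-000000000003}</Data><Data Name="User">EXAMPLE\alice</Data>
    <Data Name="Image">C:\Program Files\ExampleApp\app.exe</Data>
    <Data Name="TargetObject">HKCU\Software\ExampleApp\Temp</Data></EventData>
</Event>
"""


def parse_sysmon_events(xml_text):
    """Flatten each <Event> into a dict of EventID, Computer and its EventData fields."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        rec = {"EventID": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
               "Computer": ev.findtext("e:System/e:Computer", default="", namespaces=NS)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def to_registry_model(rec):
    """Normalise a Sysmon 12/13 record into the Endpoint.Registry fields the search groups by."""
    if rec["EventID"] not in (12, 13):
        return None  # not a registry event
    return {"registry_path": rec.get("TargetObject", ""),
            "action": ACTION_BY_EVENT_TYPE.get(rec.get("EventType", ""), "unknown"),
            "process_guid": rec.get("ProcessGuid", ""), "process_image": rec.get("Image", ""),
            "dest": rec["Computer"], "user": rec.get("User", ""), "_time": rec.get("UtcTime", "")}


def path_matches(registry_path, pattern=REGISTRY_PATH_PATTERN):
    """Splunk-style wildcard match: '*' spans backslashes and the comparison ignores case."""
    return fnmatch.fnmatchcase(registry_path.lower(), pattern.lower())


def hunt_defender_context_menu_deletions(xml_text):
    """Mirror the tstats search: keep deleted EPP handler keys, group by the search's fields, count."""
    groups = defaultdict(list)
    for rec in parse_sysmon_events(xml_text):
        reg = to_registry_model(rec)
        if reg is None or reg["action"] != "deleted" or not path_matches(reg["registry_path"]):
            continue
        key = (reg["registry_path"], reg["process_guid"], reg["action"], reg["dest"], reg["user"])
        groups[key].append(reg)
    rows = []
    for (path, guid, action, dest, user), hits in groups.items():
        times = sorted(h["_time"] for h in hits)  # "YYYY-MM-DD HH:MM:SS.fff" sorts lexically
        rows.append({"registry_path": path, "process_guid": guid, "action": action, "dest": dest,
                     "user": user, "process_image": hits[0]["process_image"],
                     "count": len(hits), "firstTime": times[0], "lastTime": times[-1]})
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in hunt_defender_context_menu_deletions(SAMPLE_SYSMON_XML):
        print(f"{row['firstTime']} {row['dest']} {row['user']} count={row['count']} "
              f"{row['process_image']} -> {row['registry_path']}")
```

Run against the sample, the `CreateKey` record is dropped by the action filter and the unrelated `HKCU` deletion by the path filter, leaving two result rows: the `Classes\*` handler key deleted twice by the same process, and the `Classes\Directory` handler key deleted once. The process image is carried along because it is the first thing an analyst tuning the `windows_impair_defense_delete_win_defender_context_menu_filter` macro will want to see.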


how_to_implement: To successfully implement this search you need to be ingesting registry-change events from your endpoints, including the name of the process responsible for the change, into the `Registry` node of the `Endpoint` datamodel.
known_false_positives: It is unusual to turn this feature off on a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
References:
  - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
  - https://app.any.run/tasks/45f5d114-91ea-486c-ab01-41c4093d2861/
drilldown_searches:
tags:
  analytic_story:
    - 'Windows Defense Evasion Tactics'
    - 'Windows Registry Abuse'
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: Windows Defender context menu registry key deleted on $dest$.
  mitre_attack_id:
    - 'T1562.001'
    - 'T1562'
  observable:
    - name: 'dest'
      type: 'Endpoint'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'Registry.registry_key_name'
    - 'Registry.registry_value_name'
    - 'Registry.dest'
    - 'Registry.user'
    - 'Registry.registry_path'
    - 'Registry.action'
  risk_score: 25
  security_domain: endpoint

tests:
  - name: 'True Positive Test'
    attack_data:
      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/delete_win_defender_context_menu/sysmon.log
        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
        sourcetype: XmlWinEventLog
        update_timestamp: True
manual_test: None