Windows Impair Defense Disable Defender Protocol Recognition

Original Source: [splunk source]
Name:Windows Impair Defense Disable Defender Protocol Recognition
id:b2215bfb-6171-4137-af17-1a02fdd8d043
version:3
date:2024-09-30
author:Teoderick Contreras, Splunk
status:production
type:TTP
Description:The following analytic detects modifications to the Windows registry that disable the Windows Defender protocol recognition feature. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "DisableProtocolRecognition" setting. This activity is significant because disabling protocol recognition can hinder Windows Defender's ability to detect and respond to malware or suspicious software. If confirmed malicious, this action could allow an attacker to bypass antivirus defenses, facilitating further malicious activities such as data exfiltration or system compromise.
Data_source:
  • -Sysmon EventID 12
  • -Sysmon EventID 13
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\NIS\\DisableProtocolRecognition" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_impair_defense_disable_defender_protocol_recognition_filter`


how_to_implement:To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node.
known_false_positives:It is unusual to turn this feature off a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.
References:
  -https://x.com/malmoeb/status/1742604217989415386?s=20
  -https://github.com/undergroundwires/privacy.sexy
drilldown_searches:
name:'View the detection results for - "$dest$"'
search:'%original_detection_search% | search dest = "$dest$"'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
name:'View risk events for the last 7 days for - "$dest$"'
search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset:'$info_min_time$'
latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Windows Defense Evasion Tactics'
    - 'Windows Registry Abuse'
  asset_type:Endpoint
  confidence:70
  impact:70
  message:Windows Defender Protocol Recognition set to disable on $dest$.
  mitre_attack_id:
    - 'T1562.001'
    - 'T1562'
  observable:
    name:'dest'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  risk_score:49
  required_fields:
    - '_time'
    - 'Registry.registry_key_name'
    - 'Registry.registry_value_name'
    - 'Registry.dest'
    - 'Registry.user'
    - 'Registry.registry_path'
    - 'Registry.action'
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable-windows-security-defender-features/windefender-bypas-2-sysmon.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
manual_test:None