Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND ((PROCESSNAME endswith "\reg.exe" OR ORIGINALFILENAME = "reg.exe") AND COMMANDLINE contains "SOFTWARE\Microsoft\Windows Defender\,SOFTWARE\Policies\Microsoft\Windows Defender Security Center,SOFTWARE\Policies\Microsoft\Windows Defender") AND (((COMMANDLINE contains " add " AND COMMANDLINE contains "d 0") AND COMMANDLINE contains "DisallowExploitProtectionOverride,EnableControlledFolderAccess,MpEnablePus,PUAProtection,SpynetReporting,SubmitSamplesConsent,TamperProtection") OR ((COMMANDLINE contains " add " AND COMMANDLINE contains "d 1") AND COMMANDLINE contains "DisableAccess,DisableAntiSpyware,DisableAntiSpywareRealtimeProtection,DisableAntiVirus,DisableAntiVirusSignatures,DisableArchiveScanning,DisableBehaviorMonitoring,DisableBlockAtFirstSeen,DisableCloudProtection,DisableConfig,DisableEnhancedNotifications,DisableIntrusionPreventionSystem,DisableIOAVProtection,DisableNetworkProtection,DisableOnAccessProtection,DisablePrivacyMode,DisableRealtimeMonitoring,DisableRoutinelyTakingAction,DisableScanOnRealtimeEnable,DisableScriptScanning,DisableSecurityCenter,Notification_Suppress,SignatureDisableUpdateOnStartupWithoutEngine")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
