Windows Defender Definition Files Removed

About the rule

Rule Type

Standard

Rule Description

Windows Defender is an inbuilt antivirus and antimalware software on Windows systems. Windows Defender Definition Files are libraries that store information about malware code and known malware signatures that help Windows Defender identify known threats in the system. These files can be removed by attackers to hinder the capacity of Windows Defender to detect malware signatures, allowing them to evade detection. This rule detects such attempts to remove the Windows Defender Definition Files.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Privilege Escalation → Defense Evasion → Impair Defenses → Disable Windows Defender Definition Files

Impact

• System compromise
• Defense evasion
• Persistence

Rule Requirement

Prerequisites

• Windows Event Viewer

Log in to a domain controller with domain admin credentials and open the Group Policy Management Console. Create or edit a Group Policy Object linked to the appropriate organizational unit. Enable auditing for process creation and process termination events, ensuring success events are logged. For enhanced process tracking, enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

• Sysmon

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Impair Defenses - Disable or Modify Tools (T1562.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.

When this rule is triggered, you're notified of attempts to remove Windows Defender Definition Files. This allows you to identify suspicious activities and attempts to tamper with Windows antimalware tools to evade detection.

Author

frack113

Future actions

Known False Positives

This rule might be triggered when administrators disable Windows Defender files to troubleshoot system issues or carry out routine check-ups.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit Windows activities: Continuously monitor Windows system events to identify malicious activities and scrutinize events to detect suspicious processes masquerading as legitimate ones.

Mitigation