Merge PR SigmaHQ#5037 from @MalGamy12 - Update `Disable Windows Defen…

…der Functionalities Via Registry Keys` update: Disable Windows Defender Functionalities Via Registry Keys - Remove `\Real-Time Protection\` prefix to increase coverage. --------- Co-authored-by: nasbench <[email protected]>
SavinSpring · Oct 8, 2024 · f472015 · f472015
1 parent a997d62
commit f472015
Showing 1 changed file with 12 additions and 11 deletions.
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -15,9 +15,10 @@ references:
     - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
     - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
     - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
+    - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
 author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
 date: 2022-08-01
-modified: 2024-07-03
+modified: 2024-10-07
 tags:
     - attack.defense-evasion
     - attack.t1562.001
@@ -34,19 +35,19 @@ detection:
         TargetObject|endswith:
             - '\DisableAntiSpyware'
             - '\DisableAntiVirus'
-            - '\Real-Time Protection\DisableBehaviorMonitoring'
-            - '\Real-Time Protection\DisableIntrusionPreventionSystem'
-            - '\Real-Time Protection\DisableIOAVProtection'
-            - '\Real-Time Protection\DisableOnAccessProtection'
-            - '\Real-Time Protection\DisableRealtimeMonitoring'
-            - '\Real-Time Protection\DisableScanOnRealtimeEnable'
-            - '\Real-Time Protection\DisableScriptScanning'
-            - '\Reporting\DisableEnhancedNotifications'
-            - '\SpyNet\DisableBlockAtFirstSeen'
+            - '\DisableBehaviorMonitoring'
+            - '\DisableBlockAtFirstSeen'
+            - '\DisableEnhancedNotifications'
+            - '\DisableIntrusionPreventionSystem'
+            - '\DisableIOAVProtection'
+            - '\DisableOnAccessProtection'
+            - '\DisableRealtimeMonitoring'
+            - '\DisableScanOnRealtimeEnable'
+            - '\DisableScriptScanning'
         Details: 'DWORD (0x00000001)'
     selection_dword_0:
         TargetObject|endswith:
-            - '\App and Browser protection\DisallowExploitProtectionOverride'
+            - '\DisallowExploitProtectionOverride'
             - '\Features\TamperProtection'
             - '\MpEngine\MpEnablePus'
             - '\PUAProtection'