An adversary may disable antivirus software to prevent detection of malicious activities, thereby increasing the likelihood of successful persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
YARA Rule
rule disable_antivirus {
    meta:
        author = "x0r"
        description = "Disable AntiVirus"
        version = "0.2"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
        $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
        $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
        $c1 = "RegSetValue"
        $r1 = "AntiVirusDisableNotify"
        $r2 = "DontReportInfectionInformation"
        $r3 = "DisableAntiSpyware"
        $r4 = "RunInvalidSignatures"
        $r5 = "AntiVirusOverride"
        $r6 = "CheckExeSignatures"
        $f1 = "blackd.exe" nocase
        $f2 = "blackice.exe" nocase
        $f3 = "lockdown.exe" nocase
        $f4 = "lockdown2000.exe" nocase
        $f5 = "taskkill.exe" nocase
        $f6 = "tskill.exe" nocase
        $f7 = "smc.exe" nocase
        $f8 = "sniffem.exe" nocase
        $f9 = "zapro.exe" nocase
        $f10 = "zlclient.exe" nocase
        $f11 = "zonealarm.exe" nocase
    condition:
        ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
}
This YARA rule can be deployed in the following contexts:
This rule contains 21 string patterns in its detection logic.
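The condition above is easiest to understand by watching it fire. The evaluator below is an added example, not part of the original page or of x0r's rule, and not yara-python: it copies the rule's 21 strings and its condition into plain Python and runs them over a few constructed byte buffers, so you can see which clause each buffer trips, including that $c1 and the $r* strings are case-sensitive while the paths and file names carry nocase.

```python
from typing import Dict, List, Tuple

# Added example: a plain-Python mirror of the disable_antivirus rule above.
# YARA matches raw bytes; this evaluator matches the same literals against a
# bytes buffer, honouring "nocase" where the rule sets it. It is not YARA.

# (identifier, literal, nocase) copied from the rule's strings section
RULE_STRINGS: List[Tuple[str, bytes, bool]] = [
    ("p1", b"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun", True),
    ("p2", b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", True),
    ("p3", b"SOFTWARE\\Policies\\Microsoft\\Windows Defender", True),
    ("c1", b"RegSetValue", False),
    ("r1", b"AntiVirusDisableNotify", False),
    ("r2", b"DontReportInfectionInformation", False),
    ("r3", b"DisableAntiSpyware", False),
    ("r4", b"RunInvalidSignatures", False),
    ("r5", b"AntiVirusOverride", False),
    ("r6", b"CheckExeSignatures", False),
] + [
    (f"f{i}", name, True)
    for i, name in enumerate(
        [b"blackd.exe", b"blackice.exe", b"lockdown.exe", b"lockdown2000.exe",
         b"taskkill.exe", b"tskill.exe", b"smc.exe", b"sniffem.exe",
         b"zapro.exe", b"zlclient.exe", b"zonealarm.exe"], start=1)
]


def match_strings(data: bytes) -> Dict[str, bool]:
    """Return {identifier: matched} for every string in the rule."""
    lowered = data.lower()
    hits: Dict[str, bool] = {}
    for ident, literal, nocase in RULE_STRINGS:
        hits[ident] = (literal.lower() in lowered) if nocase else (literal in data)
    return hits


def matched_ids(data: bytes) -> List[str]:
    """Identifiers that matched, in the order the rule declares them."""
    return [ident for ident, hit in match_strings(data).items() if hit]


def evaluate(data: bytes) -> bool:
    """Mirror of the rule's condition:
    ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
    """
    s = match_strings(data)
    any_f = any(v for k, v in s.items() if k.startswith("f"))
    any_r = any(v for k, v in s.items() if k.startswith("r"))
    return bool((s["c1"] and s["p1"] and any_f) or (s["c1"] and s["p2"]) or any_r or s["p3"])


# Constructed sample buffers (not real malware), each exercising one clause.
SAMPLE_DISALLOWRUN = (
    b"\x00RegSetValueExW\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun\x00"
    b"TASKKILL.EXE\x00"          # nocase: matches $f5
)
SAMPLE_UNINSTALL_ONLY = (       # $p2 alone is common in benign installers
    b"\x00Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MyApp\x00"
    b"RegQueryValueExW\x00"     # not RegSetValue, so $c1 stays false
)
SAMPLE_LOWERCASE_API = (        # $c1 has no nocase, so this does NOT fire
    b"\x00regsetvalue\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun\x00"
    b"zlclient.exe\x00"
)
SAMPLE_DEFENDER_POLICY = b"\x00HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\x00"

if __name__ == "__main__":
    for name, buf in [("DisallowRun+taskkill", SAMPLE_DISALLOWRUN),
                      ("Uninstall only", SAMPLE_UNINSTALL_ONLY),
                      ("lowercase RegSetValue", SAMPLE_LOWERCASE_API),
                      ("Defender policy key", SAMPLE_DEFENDER_POLICY)]:
        print(f"{name:22} match={evaluate(buf)} strings={matched_ids(buf)}")
```

The third buffer is the one worth remembering when triaging: an import name that is only present in a different case, or an API string that is packed or encoded, leaves $c1 false and the first two clauses can never fire, so a miss from this rule says little about whether the sample tampers with antivirus settings.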
Scenario: System Maintenance Task to Temporarily Disable Antivirus for Patching
Filter/Exclusion: process.name != "Windows Defender" && process.name != "Microsoft Defender Antivirus"
Explanation: Legitimate maintenance tasks may temporarily disable antivirus to apply updates, but these actions are typically performed by system administrators using known tools.
Scenario: Scheduled Job to Perform Virus Scan Optimization
Filter/Exclusion: process.name != "Windows Defender" && process.name != "Microsoft Defender Antivirus" && event_id != 12
Explanation: Some scheduled jobs may disable antivirus to optimize scan performance, but these are usually logged with specific event IDs that can be excluded.
Scenario: Admin Task to Disable Antivirus for Compliance Testing
Filter/Exclusion: process.name != "Windows Defender" && process.name != "Microsoft Defender Antivirus" && user.name != "Administrator"
Explanation: System administrators may disable antivirus temporarily for testing, but these actions are typically performed by the admin account and can be filtered out.
Scenario: Third-Party Security Tool Integration or Configuration Change
Filter/Exclusion: process.name != "Windows Defender" && process.name != "Microsoft Defender Antivirus" && process.name != "Bitdefender" && process.name != "Kaspersky" && process.name != "Norton" && process.name != "McAfee"
Explanation: When integrating or configuring third-party security tools, they may interact with the OS’s antivirus services, which can be excluded by filtering out known security software.
Scenario: User-Initiated Antivirus Disable via GUI or Command Line
Filter/Exclusion: user.name != "Administrator" && user.name != "Domain Admins"
Explanation: Non-admin users may attempt to disable antivirus, but such actions are typically blocked or logged. Filtering by admin users can
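The scenarios above each pair a detection with an exclusion expression. The block below is an added example, not part of the original page: it takes the registry indicators from the rule (the $r* value names and the $p3 policy key), flags constructed registry-modification events that touch them, and then applies exclusions written in the page's own `field != "value" && ...` form through a small parser. Field names (`event_id`, `process.name`, `user.name`, `registry.key`, `registry.value`) and all event contents are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Registry indicators taken from the rule: the $r* value names and the $p3
# policy key. Everything else in this block is constructed for the example.
SUSPICIOUS_VALUE_NAMES = {
    "AntiVirusDisableNotify", "DontReportInfectionInformation",
    "DisableAntiSpyware", "RunInvalidSignatures", "AntiVirusOverride",
    "CheckExeSignatures",
}
DEFENDER_POLICY_KEY = "SOFTWARE\\Policies\\Microsoft\\Windows Defender"

# Constructed registry-modification events (not real telemetry). Field names
# follow the dotted style of the page's Filter/Exclusion lines.
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 13, "process.name": "powershell.exe", "user.name": "jdoe",
     "registry.key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
     "registry.value": "DisableAntiSpyware"},
    {"event_id": 13, "process.name": "Microsoft Defender Antivirus", "user.name": "SYSTEM",
     "registry.key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan",  # not the policy key
     "registry.value": "ExampleSetting"},
    {"event_id": 12, "process.name": "svchost.exe", "user.name": "Administrator",
     "registry.key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
     "registry.value": ""},
    {"event_id": 13, "process.name": "setup.exe", "user.name": "jdoe",
     "registry.key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\MyApp",
     "registry.value": "DisplayName"},
]

# One '!=' clause: a field name, then either a quoted string or a bare integer.
_CLAUSE = re.compile(r'\s*([\w.]+)\s*!=\s*(?:"([^"]*)"|(\d+))\s*')


def parse_exclusion(expr: str) -> Callable[[Event], bool]:
    """Compile a page-style exclusion such as
         process.name != "X" && event_id != 12
    into a predicate that is True when the event SURVIVES the filter.
    Only '!=' clauses joined by '&&' are supported, which covers every
    Filter/Exclusion line above."""
    clauses = []
    for part in expr.split("&&"):
        m = _CLAUSE.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        field, text, number = m.groups()
        clauses.append((field, text if text is not None else int(number)))
    return lambda event: all(event.get(f) != v for f, v in clauses)


def is_av_tamper_indicator(event: Event) -> bool:
    """True when the event touches one of the rule's registry indicators."""
    key = str(event.get("registry.key", ""))
    value = str(event.get("registry.value", ""))
    return value in SUSPICIOUS_VALUE_NAMES or DEFENDER_POLICY_KEY.lower() in key.lower()


def hunt(events: List[Event], exclusion: Optional[str] = None) -> List[Event]:
    """Flag indicator events, then drop those matched by the exclusion."""
    keep = parse_exclusion(exclusion) if exclusion else (lambda e: True)
    return [e for e in events if is_av_tamper_indicator(e) and keep(e)]


# The page's second scenario, verbatim.
SCENARIO_2_FILTER = ('process.name != "Windows Defender" && '
                     'process.name != "Microsoft Defender Antivirus" && event_id != 12')

if __name__ == "__main__":
    print("unfiltered:", [e["registry.value"] or e["registry.key"] for e in hunt(SAMPLE_EVENTS)])
    print("scenario 2:", [e["registry.value"] for e in hunt(SAMPLE_EVENTS, SCENARIO_2_FILTER)])
```

Two caveats when carrying these exclusions into real telemetry. The page's `process.name` values are product names; event sources populate that field with image names (Defender's engine runs as MsMpEng.exe), so the comparison only means something once the field is mapped to what your source actually emits. And an exclusion such as `user.name != "Administrator"` suppresses exactly the account whose misuse the hunt exists to catch; scope it to a known maintenance window or change ticket rather than applying it as a standing filter.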