
Disable Windows Defender Functionalities Via Registry Keys

Format: Sigma · Level: HIGH · Source: SigmaHQ · ATT&CK technique: T1685 · Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-06-01T11:00:01Z · Confidence: medium

Hunt Hypothesis

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Detection Rule

Sigma (Original)

title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
      type: obsolete
    - id: fd115e64-97c7-491f-951c-fc8da7e042fa
      type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
    - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows Defender\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_1:
        TargetObject|endswith:
            - '\DisableAntiSpyware'
            - '\DisableAntiVirus'
            - '\DisableBehaviorMonitoring'
            - '\DisableBlockAtFirstSeen'
            - '\DisableEnhancedNotifications'
            - '\DisableIntrusionPreventionSystem'
            - '\DisableIOAVProtection'
            - '\DisableOnAccessProtection'
            - '\DisableRealtimeMonitoring'
            - '\DisableScanOnRealtimeEnable'
            - '\DisableScriptScanning'
        Details: 'DWORD (0x00000001)'
    selection_dword_0:
        TargetObject|endswith:
            - '\DisallowExploitProtectionOverride'
            - '\Features\TamperProtection'
            - '\MpEngine\MpEnablePus'
            - '\PUAProtection'
            - '\Signature Update\ForceUpdateFromMU'
            - '\SpyNet\SpynetReporting'
            - '\SpyNet\SubmitSamplesConsent'
            - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
        Details: 'DWORD (0x00000000)'
    filter_optional_symantec:
        Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
        Image|endswith: '\sepWscSvc64.exe'
    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
    - Administrator actions via the Windows Defender interface
    - Third party Antivirus
level: high

KQL (Azure Sentinel)

imRegistry
| where (RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows Defender*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center*" or RegistryKey endswith "\\SOFTWARE\\Policies\\Microsoft\\Windows Defender*") and (((RegistryKey endswith "\\DisableAntiSpyware" or RegistryKey endswith "\\DisableAntiVirus" or RegistryKey endswith "\\DisableBehaviorMonitoring" or RegistryKey endswith "\\DisableBlockAtFirstSeen" or RegistryKey endswith "\\DisableEnhancedNotifications" or RegistryKey endswith "\\DisableIntrusionPreventionSystem" or RegistryKey endswith "\\DisableIOAVProtection" or RegistryKey endswith "\\DisableOnAccessProtection" or RegistryKey endswith "\\DisableRealtimeMonitoring" or RegistryKey endswith "\\DisableScanOnRealtimeEnable" or RegistryKey endswith "\\DisableScriptScanning") and RegistryValueData =~ "DWORD (0x00000001)") or ((RegistryKey endswith "\\DisallowExploitProtectionOverride" or RegistryKey endswith "\\Features\\TamperProtection" or RegistryKey endswith "\\MpEngine\\MpEnablePus" or RegistryKey endswith "\\PUAProtection" or RegistryKey endswith "\\Signature Update\\ForceUpdateFromMU" or RegistryKey endswith "\\SpyNet\\SpynetReporting" or RegistryKey endswith "\\SpyNet\\SubmitSamplesConsent" or RegistryKey endswith "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess") and RegistryValueData =~ "DWORD (0x00000000)")) and (not((ActingProcessName startswith "C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\" and ActingProcessName endswith "\\sepWscSvc64.exe")))

Required Data Sources

Sentinel Table | Notes
imRegistry     | Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml