Windows Impair Defense Disable Realtime Signature Delivery

Splunk Security Content

Summary
This detection rule identifies modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature. The analytic uses data from Sysmon EventID 12 and EventID 13, which record registry key and value changes, and focuses on the registry path associated with Windows Defender signature updates. Disabling real-time signature delivery matters because it prevents Windows Defender from receiving malware definition updates in a timely manner; an attacker who disables it weakens proactive malware detection and increases the risk of system compromise. The search extracts events from the Endpoint.Registry data model in which the RealtimeSignatureDelivery registry value is set to 0x00000000. This rule therefore supports early detection of modifications that align with common Windows defense evasion tactics.
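The following is an added example, not code from Splunk Security Content, that applies the rule's logic outside Splunk: it parses a few constructed Sysmon registry events, keeps only EventID 13 value writes, and raises an alert when the value name is RealtimeSignatureDelivery and the written data is 0x00000000. The registry path, hostnames, user and process names in the sample events are constructed for illustration (the page does not spell out the full key path); the event text format is a compact key=value rendering, not Sysmon's native XML.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon registry events (EventID 12 = key create/delete,
# EventID 13 = value set), rendered as key=value lines for this example.
# The key path below is a constructed sample of a Defender policy location.
SAMPLE_EVENTS = [
    # Value write that disables real-time signature delivery -> should alert
    "EventID=13 Computer=ws01 User=CORP\\alice Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery "
    "Details=DWORD (0x00000000)",
    # Same value re-enabled (0x00000001) -> no alert
    "EventID=13 Computer=ws01 User=CORP\\alice Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates\\RealtimeSignatureDelivery "
    "Details=DWORD (0x00000001)",
    # Unrelated value written to 0 -> no alert
    "EventID=13 Computer=ws02 User=CORP\\bob Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SOFTWARE\\ConstructedVendor\\App\\Setting "
    "Details=DWORD (0x00000000)",
    # Key creation (EventID 12) carries no Details -> no alert
    "EventID=12 Computer=ws01 User=CORP\\alice Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates",
]

# Tokenizer for the key=value line format: a value runs until the next " Key=" token.
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
# Extracts the hexadecimal payload from a Details string such as "DWORD (0x00000000)".
HEX = re.compile(r"0x([0-9a-fA-F]+)")

# Name of the registry value the rule watches (from the page).
WATCHED_VALUE = "RealtimeSignatureDelivery"


@dataclass
class Alert:
    dest: str                 # host where the change happened
    user: str                 # account that performed the write
    process: str              # image that performed the write
    registry_path: str        # full TargetObject of the value
    registry_value_data: int  # numeric data written


def parse_event(line: str) -> dict:
    """Split one constructed key=value event line into a field dictionary."""
    return {k: v for k, v in FIELD.findall(line)}


def detect_realtime_signature_delivery_disabled(events) -> list:
    """Return an Alert for every EventID 13 write of RealtimeSignatureDelivery to 0."""
    alerts = []
    for line in events:
        fields = parse_event(line)
        # Only value-set events (EventID 13) carry the written data in Details.
        if fields.get("EventID") != "13":
            continue
        target = fields.get("TargetObject", "")
        value_name = target.rsplit("\\", 1)[-1]
        if value_name.lower() != WATCHED_VALUE.lower():
            continue
        match = HEX.search(fields.get("Details", ""))
        if match is None:
            continue
        data = int(match.group(1), 16)
        if data == 0:
            alerts.append(Alert(
                dest=fields.get("Computer", ""),
                user=fields.get("User", ""),
                process=fields.get("Image", ""),
                registry_path=target,
                registry_value_data=data,
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect_realtime_signature_delivery_disabled(SAMPLE_EVENTS):
        print(f"ALERT: {alert.registry_path} set to {alert.registry_value_data:#010x} "
              f"by {alert.user} via {alert.process} on {alert.dest}")
```

The value name is compared on the last path component rather than on the whole key path, which mirrors how the Endpoint.Registry data model separates registry_value_name from registry_path; comparing the numeric data instead of the literal string "0x00000000" also keeps the check robust to how a given Sysmon configuration renders DWORD values.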
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-11-13