
Summary
This detection rule analyzes modifications to the Windows registry, specifically the setting that governs Windows Defender's infection reporting. When 'DontReportInfectionInformation' is set to '1', Windows Defender's reporting feature is disabled, potentially allowing malware to evade detection. This is a significant concern because it may enable attackers to bypass security measures and maintain persistence on compromised systems. The rule uses Sysmon Event IDs 12 (registry object added or deleted) and 13 (registry value set) to track registry changes that indicate alterations to security settings. A match suggests an attempt to undermine Windows Defender's protective functionality, which is critical to the security integrity of Windows environments.
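As an added example (not part of the rule itself), the matching logic below is applied to constructed Sysmon registry events. The Defender policy path used in the sample data is an assumption, since the rule text only names the value 'DontReportInfectionInformation'.

```python
import re

# Constructed Sysmon registry events (not from the rule). The policy path is an
# assumption for the sample data; only the value name comes from the rule.
DEFENDER_PATH = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting"
SAMPLE_EVENTS = [
    # Event ID 13: value set to 1 -> should match
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": DEFENDER_PATH + r"\DontReportInfectionInformation",
     "Details": "DWORD (0x00000001)"},
    # Event ID 13: same value explicitly set to 0 -> benign, no match
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": DEFENDER_PATH + r"\DontReportInfectionInformation",
     "Details": "DWORD (0x00000000)"},
    # Event ID 13: unrelated value under the same key -> no match
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": DEFENDER_PATH + r"\SomeOtherSetting",
     "Details": "DWORD (0x00000001)"},
    # Event ID 12: key created, no value written yet -> no match on its own
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": DEFENDER_PATH, "EventType": "CreateKey"},
]

# Sysmon renders a REG_DWORD in the Details field as 'DWORD (0x00000001)'.
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")
TARGET_VALUE = "\\dontreportinfectioninformation"


def dword_value(details):
    """Parse the Sysmon Details rendering of a REG_DWORD; None if not a DWORD."""
    m = _DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def disables_defender_reporting(event):
    """True for an Event ID 13 that sets DontReportInfectionInformation to 1."""
    if event.get("EventID") != 13:
        return False
    if not event.get("TargetObject", "").lower().endswith(TARGET_VALUE):
        return False
    return dword_value(event.get("Details")) == 1


def find_matches(events):
    """Return the events that should raise this rule's alert."""
    return [e for e in events if disables_defender_reporting(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```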
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1562.001
- T1562
Created: 2024-11-13