From d824585ced358b064d4a7f75ac42f787376c7fcc Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Tue, 20 May 2025 09:01:09 +0000 Subject: [PATCH] page(threat-hunting): Disable Microsoft Defender (Registry) --- source/threat-hunting/index.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index d2e1070..608e780 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -2,7 +2,7 @@ title: Splunk Threat Hunting layout: page date: 2025-01-15 -updated: 2025-05-04 +updated: 2025-05-20 --- Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup. @@ -609,6 +609,16 @@ index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operatio | table Time, host, Path, Username, Name, ScriptBlockText, System_Props_Xml ``` +## Disable Microsoft Defender (Registry) + +References: [1](https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#defense-evasion), [2](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) +SPL: + +```spl +| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware", "DisableAntivirus") Registry.registry_value_data="1" BY Registry.dest, Registry.action, Registry.process_guid, Registry.process_id, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.user +| rename Registry.* AS * +``` + ## EvilProxy IoC Description: A user has possibly visited a phishing site operated behind EvilProxy that reverse proxy to Microsoft sites.
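Review bot: In the second hunk, the exact match `Registry.registry_value_data="1"` will only fire for sources that store the DWORD as the bare string `1`; Sysmon Event ID 13 renders it as `DWORD (0x00000001)`, so depending on which TA feeds `Endpoint.Registry` this search may silently miss the very events it targets. Suggest `Registry.registry_value_data IN ("1", "*0x00000001*")` or a wildcard match so both representations are caught. Also, the new section is missing the `Description:` line that the other sections carry (compare the `## EvilProxy` context lines immediately below, which start with `Description: ...`); a one-line description of what a write of `DisableAntiSpyware`/`DisableAntivirus` = 1 under `*\Microsoft\Windows Defender*` indicates would keep the page consistent. Minor: a blank line between `References:` and `SPL:` would match the markdown spacing used elsewhere in the file.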