curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): Disable Microsoft Defender (Registry)

This commit is contained in:
Ming Di Leom 2025-05-20 09:01:09 +00:00
parent 16e9e6ac56
commit d824585ced
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
source/threat-hunting/index.md
View File

@ -2,7 +2,7 @@
title: Splunk Threat Hunting title: Splunk Threat Hunting
layout: page layout: page
date: 2025-01-15 date: 2025-01-15
updated: 2025-05-04 updated: 2025-05-20
--- ---
Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup. Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@ -609,6 +609,16 @@ index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operatio
| table Time, host, Path, Username, Name, ScriptBlockText, System_Props_Xml | table Time, host, Path, Username, Name, ScriptBlockText, System_Props_Xml
``` ```
## Disable Microsoft Defender (Registry)
References: [1](https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#defense-evasion), [2](https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Registry WHERE index="windows" Registry.registry_path="*\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware", "DisableAntivirus") Registry.registry_value_data="1" BY Registry.dest, Registry.action, Registry.process_guid, Registry.process_id, Registry.registry_path, Registry.registry_value_name, Registry.registry_value_data, Registry.user
| rename Registry.* AS *
```
## EvilProxy IoC ## EvilProxy IoC
Description: A user has possibly visited a phishing site operated behind EvilProxy that reverse proxy to Microsoft sites. Description: A user has possibly visited a phishing site operated behind EvilProxy that reverse proxy to Microsoft sites.