Hunting Malicious Windows Defender Activity

April 10, 2020 Craig Fretwell

Recently I was demoing Azure Sentinel to a large organization, and someone asked me, “What if an attacker manages to compromise my system and disables Windows Defender?”

Well…what if they do? How can we flag this, investigate and remediate? Why would someone intentionally disable anti-malware protection? I’ve written this blog to hopefully help you combat and protect yourself from this type of scenario.

Below are some basic prerequisites to be comfortable following this blog:

Prerequisites & Assumptions:

• Azure Experience (essential)
• IT Security Experience (essential)
• Log Analytics (essential)
• Azure Sentinel (essential)
• A Physical Asset or Virtual Machine (essential)
• PowerShell (not essential)

First, let’s configure our Log Analytics workspace (the workspace Sentinel is attached to). This will collect all the data we’re going to be querying in relation to Windows Defender activity. We’re looking to collect any anti-malware events from Microsoft Antimalware or Windows Defender.

In the workspace’s Windows Event Logs data settings, type “Microsoft-Windows-Windows Defender/Operational”, tick Error, Warning and Information, then click Save.

Once this is saved, it will take approximately 15 minutes to start collecting the data from your VM to Log Analytics.

Let’s jump over to our Sentinel workspace and click Logs.

We can test that Windows Defender is reporting by running a simple query for Event ID 1150, which is logged when Endpoint Protection is in a healthy state.

Event
| where EventID == 1150
| order by TimeGenerated desc


Now we need to write a query that will alert us if any configuration changes happen to Windows Defender. Before we create our analytic rule, we need to create a Logic App (Playbook) that will email us when Windows Defender has had a configuration change. Go to Playbooks, click “Add Playbook”, give your playbook a name and click Create. Then select “Blank Logic App”.


I’d like to receive an email when Sentinel picks up this alert, so I search for “Sentinel” in the connections and triggers bar.


At the time of writing there is only one trigger for Sentinel.

Make your connection to Sentinel.

Next click + New Step and search for YOUR email action. For me, I’ll be using Outlook.com.

Fill in the Body, Subject and To sections with whichever information you’d like to be emailed once an alert is triggered.

I’ve done some basic formatting inside the body of the email, so my email alert makes sense and is laid out nicely.


Click Save. We can now attach our playbook to the security query. For us to be notified, we need to create a scheduled analytic query rule, so let’s go to our Sentinel dashboard, click “Analytics” and create a new rule.

I’m only interested in the following Event IDs, which indicate that protection has been disabled or has expired:

Event ID: 5101
Symbolic name: MALWAREPROTECTION_DISABLED_EXPIRED_STATE

Event ID: 5012
Symbolic name: MALWAREPROTECTION_ANTIVIRUS_DISABLED

Event ID: 5010
Symbolic name: MALWAREPROTECTION_ANTISPYWARE_DISABLED

Event ID: 5001
Symbolic name: MALWAREPROTECTION_RTP_DISABLED

Realistically these IDs should never appear; if they do, you know something is wrong.

Once we’ve identified the Event IDs, we enter them into our rule logic. The query is below.

Event
| where EventID in (5101, 5001, 5012, 5010)
| order by TimeGenerated desc
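As an added example (not code from the original post), the same four Event IDs from the list above and the rule query can be checked directly on the host with PowerShell, which is useful for confirming the events were actually written before the Log Analytics ingestion delay has passed, or on machines not yet onboarded to the workspace. It assumes a Windows host with Defender installed and an elevated prompt (needed to read the Operational log); the 24-hour look-back window is an assumed value.

```powershell
# Added example, not from the original post: apply the Sentinel rule's
# "Defender disabled/expired" filter to the local Defender Operational log
# and cross-check it against Defender's live status.
# Assumes Windows with Defender installed and an elevated prompt.
$watched = @{
    5101 = 'MALWAREPROTECTION_DISABLED_EXPIRED_STATE'
    5012 = 'MALWAREPROTECTION_ANTIVIRUS_DISABLED'
    5010 = 'MALWAREPROTECTION_ANTISPYWARE_DISABLED'
    5001 = 'MALWAREPROTECTION_RTP_DISABLED'
}

# Same Event IDs as the Sentinel rule; 24-hour window is an assumed value.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$watched.Keys
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

if (-not $events) {
    Write-Host 'No disabled/expired Defender events in the last 24 hours.'
} else {
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id,
            @{ Name = 'SymbolicName'; Expression = { $watched[[int]$_.Id] } },
            @{ Name = 'Message';      Expression = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}

# The events show that something changed; this shows the current state.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled   # relates to 5001
    AntivirusEnabled          = $status.AntivirusEnabled            # relates to 5012
    AntispywareEnabled        = $status.AntispywareEnabled          # relates to 5010
    AMServiceEnabled          = $status.AMServiceEnabled
} | Format-List
```

If the events are present locally but never reach Sentinel, the gap is in the data connector configuration rather than the rule.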


For now, I’ll enable the option for alerts to trigger incidents, so that they show up on my dashboard.


Let’s select the playbook we created above.

Next click Review and Create.


Now let’s get into the exciting portion. Below are a few lines of simple PowerShell that will disable Microsoft Windows Defender. *NOTE* please don’t use this on a production VM or your own machine!

Before running it, we can see that Defender has a green tick, meaning it is all healthy and running nicely.

So let’s execute the code below:

# Demo only (see the note above): these are the changes the Sentinel rule is meant to catch.
Set-ExecutionPolicy Unrestricted -Force                  # relax the script execution policy
Set-MpPreference -DisableRealtimeMonitoring $true        # turn off real-time protection
Set-MpPreference -DisableRemovableDriveScanning $true    # stop scanning removable drives
Set-MpPreference -PUAProtection 1                        # change the potentially unwanted application (PUA) protection setting
# Policy registry value that disables Defender itself
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -PropertyType DWORD -Force

After running the code, you should see a number of pop-ups notifying you that Defender isn’t running, and its icon should turn red (or show a red X).

Let’s hop back to our Sentinel dashboard and check the situation out.

We can see straight away that the Incidents blade in Sentinel has captured the analytic alert we configured.

And after about 1 minute, an email lands in my inbox.


Putting all of the above together will help you alert on and respond to malicious Defender activity with Azure Sentinel. Please reach out to New Signature if you’re concerned about the security landscape of your Azure environment.
