Malware that actively disables Windows Defender


TheFlyingCorpse


Longtime sysadmin here. I came across some malware which actively was deactivating features in registry for defender, adding exclusions, killing tools to trace what was going on.

any suggestions for how to deal with this when I want to learn more, and how to protect / remediate in case reinstall isn’t an option?


A little while back, I was doing some vulnerability research on the same topic. I wanted to automate the disabling of Microsoft Defender via a rubber ducky.

In my research, the anti-tamper protection kicks in every time before you can change anything important. If I remember correctly, even with an NT/System user in a cmd, the tamper protection would kick in. The only way to disable it was by hand in the GUI.

Microsoft also patched the exclusions in the registry, because in the wild malware was taking advantage of it.

So, the tamper protection is the only way I can see for those scenarios. A good enough EDR that has some machine learning and behaviour analysis is a big plus too.

If you don't want to reinstall the system, you have to identify the malware and find a tutorial/sandbox that shows everything the malware has done. The docs from Trend Micro for that are pretty good.


2 hours ago, lurto said:

A little while back, I was doing some vulnerability research on the same topic. I wanted to automate the disabling of Microsoft Defender via a rubber ducky.

In my research, the anti-tamper protection kicks in every time before you can change anything important. If I remember correctly, even with an NT/System user in a cmd, the tamper protection would kick in. The only way to disable it was by hand in the GUI.

Microsoft also patched the exclusions in the registry, because in the wild malware was taking advantage of it.

So, the tamper protection is the only way I can see for those scenarios. A good enough EDR that has some machine learning and behaviour analysis is a big plus too.

If you don't want to reinstall the system, you have to identify the malware and find a tutorial/sandbox that shows everything the malware has done. The docs from Trend Micro for that are pretty good.

Thanks! The malware was in a setup where Defender wasn’t updated for about a year. Do you know when MS fixed tamper protection and patched the registry exclusions?


2 hours ago, TheFlyingCorpse said:

Do you know when MS fixed tamper protection and patched the registry exclusions

First here is the exploit I was talking about: https://twitter[.]com/splinter_code/status/1481073265380581381?t=RwI0ELGvZ5Gv8eFW_F-qNw&s=19

When I searched they say it was secretly patched in KB5010354 without saying it (https://borncity[.]com/win/2022/02/11/microsoft-fixt-wohl-heimlich-schwachstelle-im-defender-unter-windows/). So from February 8, 2022.


Best thing to do would be boot in safe mode or recovery mode and either manually remove the malware, or do a scan with a standalone antivirus scanner like malwarebytes. 


So, prevent/detect/respond on malware when it's disabling these sorts of tools for tracing:

Prevent

I think all the AV/EDR/Logging killing tools I've seen require local administrator. Ensuring least privilege and preventing access to local administrator will likely be your best bet - keep local workstations up to date to ensure no local privilege escalation shows up.

Otherwise, making sure that an administrator can't just change a registry setting to get around AV(/edr/logging) would be something I would leave to my AV(/edr/logging) vendor. If it's successful on the current release, maybe send them a copy of the tool so they can provide an update to make sure that can't be circumvented.

Detect

The big thing here will be looking for the system no longer checking in, or checking in with a new radical exclusion. I have not administered an AV before, so I am not familiar with whether Defender reports back "New exception folder: C:\", but if they do, I would want to leverage it. Otherwise, looking for an endpoint that stops checking in would be a potential detection for something like this happening.

Of course, user systems go missing all the time. It's not uncommon for a user to go on vacation. My experience has been enterprise incident response - normally we were there for network-wide compromise, not one endpoint - so usually servers disappearing from checking in was more important. But in an everyday environment, I would look to see if I can correlate a machine checking in (certificate for VPN, mac address visible on a switch, outlook desktop login) happening while a Defender/sophos/mcafee/etc check in does not happen. That would cause some concern, but that also assumes you have Defender/etc checking somewhere central and not just running the free version.

Respond

I was fortunate that in a previous life I could send an email to say "<system x> can come back on the network when it has been wiped" and that would happen. It was always my preference when there was some sort of malware that had run where we did not have full confidence in what ran on a system. But as I said, I was fortunate that was the case, and you mentioned that wasn't an option.

That isn't always the case though, so I would look at autoruns in particular - as MalwareTech said, safe mode/recovery mode can help for this by preventing the malware from running first and modifying things before you can touch it. The Sysinternals Autoruns tool is helpful for this; comparing it to a new/known ("suspected") clean system may be helpful to track down which entries look most interesting. From there, looking at things like AV detection names and reports of malware that acts similar, it may give you a hint as to where else to look for things to remove. Use Malwarebytes/other (or multiple) AV scanners after to check if things are there.

Regardless of wiping it vs. manually extracting the malware, the last portion is looking at what the "blast radius" of this is. It sounds like you usually rely on Defender or similar to know what malware may have done, but it's now a blind spot. Review login information for the user's email account, since that is a popular target; I would reset any credentials associated with the user for other systems as well, as credential stealers have been popular this year. If the user has credentials to a super critical system, maybe review authentication logs and see if anything looks suspicious. Looking at this can be somewhat difficult - there are forensic artifacts you can review to get a sense of what may have been touched, and malware analysis you can do to determine indications of what it may have done, but it's more than I can easily type.

If it's a particularly critical system, you may also be able to engage Cybersecurity insurance to bring in third-party help to do some of the respond actions. That may help - in particular, it helps in the CYA part of things.

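The two things the thread keeps coming back to are tamper protection and registry-driven exclusions (lurto's post) and whether Defender will tell you when a "New exception folder: C:\" appears (the Detect section above). The following PowerShell audit is an added example, not code from any poster; it assumes the Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) are present, as they are on supported Windows 10/11 and Server builds, and is run as an administrator on the suspect host.

```powershell
# Added example (not from the thread): audit Defender for the tampering pattern described
# above. Assumption: Defender's PowerShell module is available (Get-MpComputerStatus,
# Get-MpPreference); run elevated so Get-MpPreference can read the full exclusion lists.
function Get-DefenderTamperAudit {
    param([int]$Days = 30)
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # 1. Core protection switches. $false on a managed host is a finding; an old signature
    #    age is the "not updated for about a year" situation from the original post.
    $switches = [pscustomobject]@{
        TamperProtected    = $status.IsTamperProtected
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitor    = $status.BehaviorMonitorEnabled
        SignatureAgeDays   = if ($status.AntivirusSignatureLastUpdated) { ((Get-Date) - $status.AntivirusSignatureLastUpdated).Days }
    }

    # 2. Exclusions. foreach over $null iterates zero times, so empty lists stay empty.
    $exclusions = @(
        foreach ($v in $pref.ExclusionPath)      { [pscustomobject]@{ Type = 'Path';      Value = $v } }
        foreach ($v in $pref.ExclusionProcess)   { [pscustomobject]@{ Type = 'Process';   Value = $v } }
        foreach ($v in $pref.ExclusionExtension) { [pscustomobject]@{ Type = 'Extension'; Value = $v } }
    )
    # A whole drive (C:\) or a wildcard exclusion is the classic abuse worth alerting on.
    $broad = $exclusions | Where-Object { $_.Value -match '^[A-Za-z]:\\?$' -or $_.Value -eq '*' }

    # 3. Policy values that AV-killer tools set directly in the registry.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = if (Test-Path $policyKey) {
        Get-ItemProperty $policyKey | Select-Object DisableAntiSpyware, DisableAntiVirus
    }

    # 4. Defender's own operational log: 5001 real-time protection disabled, 5007 configuration
    #    changed (new exclusions land here), 5010/5012 malware/virus scanning disabled.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        Switches        = $switches
        Exclusions      = $exclusions
        BroadExclusions = $broad
        Policy          = $policy
        RecentEvents    = $events
    }
}

Get-DefenderTamperAudit -Days 30 | Format-List
```

Run it from the central management side against each endpoint (for example through a remoting session) and the Switches/BroadExclusions fields give you the "checking in with a new radical exclusion" signal the Detect section asks for, without relying on the Defender console to report it.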
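For the Respond step above (compare Autoruns on the suspect machine against a known-clean build), here is an added PowerShell example, not code from any poster. It assumes Sysinternals autorunsc.exe is on PATH and that the baseline CSV was captured with the same switches on the clean system, so the column names match.

```powershell
# Added example (not from the thread): capture Autoruns entries from the suspect host and
# diff them against a baseline captured the same way on a known-clean build.
# Assumptions: Sysinternals autorunsc.exe is on PATH; the baseline CSV was produced with the
# same switches, so columns such as "Entry Location", "Image Path" and "SHA-256" line up.
function Compare-AutorunsBaseline {
    param(
        [Parameter(Mandatory)] [string]$BaselineCsv,
        [string]$SuspectCsv = "$env:TEMP\autoruns-suspect.csv"
    )
    # -a * every category, -c CSV, -s verify signatures, -h file hashes. autorunsc writes
    # UTF-16 to stdout, so redirect through cmd rather than the PowerShell pipeline.
    cmd /c "autorunsc.exe -accepteula -nobanner -a * -c -s -h > `"$SuspectCsv`""

    $baseline = Import-Csv -Path $BaselineCsv -Encoding Unicode
    $suspect  = Import-Csv -Path $SuspectCsv  -Encoding Unicode

    # Key on location + entry + image path + hash, so a swapped binary sitting at a
    # legitimate path shows up as new even though the entry name is unchanged.
    function Get-RowKey($r) { '{0}|{1}|{2}|{3}' -f $r.'Entry Location', $r.Entry, $r.'Image Path', $r.'SHA-256' }
    $known = @{}
    foreach ($row in $baseline) { $known[(Get-RowKey $row)] = $true }

    $new = $suspect | Where-Object { -not $known.ContainsKey((Get-RowKey $_)) }

    # Triage order: entries whose signature did not verify come first.
    $new | Sort-Object @{ Expression = { $_.Signer -like '(Verified)*' } }, 'Entry Location' |
        Select-Object 'Entry Location', Entry, Signer, 'Image Path', 'Launch String', 'SHA-256'
}

Compare-AutorunsBaseline -BaselineCsv 'C:\ir\autoruns-clean.csv' | Format-Table -AutoSize
```

Run this from safe mode or a recovery environment, as the posts above suggest, so the malware is not already running and rewriting entries while you collect them.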
