Why are Windows Defender AV logs so important and how to monitor them with Azure Sentinel?

Today we are going to talk about our good old friend, better known as Windows Defender AV. Not to be confused with the EDR solution called "Defender for Endpoint": Windows Defender is the traditional out-of-the-box antivirus on a Windows machine.

In this blog post, we are going to explain why it is relevant to keep an eye on your Windows Defender AV logs, and how to use that telemetry to create custom alerts. We will start by showing real cases of adversaries working their way around Windows Defender. Once we have done that, we will show some examples with Azure Sentinel, which we will use to create the custom alerts. This can be done with other solutions as well, so don't feel the need to use only Azure Sentinel when other solutions can do the same.

Ransomware attacks

We have seen in many ransomware attacks that adversaries tend to work their way around Windows Defender AV. This can be done by simply disabling the AV, creating exclusions, and so on.

During the Sodinokibi ransomware attack, the threat actors created a GPO and rolled it out across all the systems to disable Windows Defender AV.

Source: https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

Another example was the Kaseya ransomware attack, where the ransomware encryptor disabled additional protections in Windows Defender.

Source: https://www.reddit.com/r/kaseya/comments/ocf0x1/kaseya_has_been_hacked_with_randomware_that/

This happens in most ransomware cases, so to get a better understanding, we are going to demonstrate a few examples in practice.

Windows Defender

In order for an adversary to disable Windows Defender or create any exclusions, Local Admin privileges on the box are required. To keep it short: this only works once admin rights have been obtained. In this section, we will demonstrate different examples, including creating exclusions and disabling the AV.

Besides that, we will also look at the traces that are left behind on a machine, which can be useful when doing forensics.

First, we will simulate the steps that an adversary usually performs when it comes down to killing Windows Defender AV. This includes steps such as disabling real-time protection and adding exclusions.

Adding exclusion to directory

The first example will be creating an exclusion for a folder. This allows an adversary to drop all their malicious stuff in that folder without worrying that Windows Defender AV would remove it.

In order to do this, we have to run the following command:

Add-MpPreference -ExclusionPath "C:\Windows\Temp"

Result

In the sample result, we can see event ID 5007. This indicates that the Windows Defender AV configuration has been changed. However, 5007 is also generated for other configuration changes, so to find the events that indicate an exclusion has been set, we have to look for the following registry key in the properties field: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

If we now would run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

We can see that two folders have been excluded.

Adding exclusions to extensions

An adversary can create exclusions for extensions as well. This means that Windows Defender AV won't scan any .ps1 or .vbs scripts, for example. This can be done for other extensions as well.

In order to do this, we can run one of the following commands:

Add-MpPreference -ExclusionExtension ".ps1"
Add-MpPreference -ExclusionExtension ".bat"
Add-MpPreference -ExclusionExtension ".vbs"

Result

At the sample result, we can see the same event ID, but a different registry key. All the exclusions that have been made for extensions can be found here: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions

If we now run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"

We can see that the “.ps1” extension has been excluded.

Add exclusion to a process

An adversary can also exclude a certain process from being scanned by Windows Defender AV.

In order to do this, we have to run the following command:

Add-MpPreference -ExclusionProcess "C:\Windows\System32\cmd.exe"

Result

In the sample result, we can see that a process has been excluded from Windows Defender. Event ID 5007 is generated containing the following registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes

If we now run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"

We can see that “C:\Windows\System32\cmd.exe” has been excluded.

Removing all the signatures

An adversary can leave Windows Defender enabled, but remove all the signatures.

In order to do this, we have to run the following command:

"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Result

In the sample result, we see several event IDs. One of them is event ID 2002, where the "Current Engine" field is empty. This is the first indicator to look at.

The second indicator is event ID 5007 with the following registry key in the properties: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls

If we run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls"

Here we can see that there are no values. This means it is very likely that all the signatures have been removed from the AV.

Disable Script Scanning

There is a parameter that specifies whether to disable the scanning of scripts during malware scans.

In order to disable script scanning, we have to run the following command:

Set-MpPreference -DisableScriptScanning $true

Result

In the sample result, we can see event ID 5007. To determine that script scanning has been disabled, we have to look at the following registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection

If we now run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning

We can see that script scanning has been disabled. The value “0x1” at “DisableScriptScanning” is the indicator.

Disable Controlled Folder Access

Controlled Folder Access helps you protect valuable data from malicious apps and threats, such as ransomware. All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Microsoft Defender Antivirus, which then determines if the app is malicious or safe. An adversary can disable it to remove this additional protection.

In order to do this, we have to run the following command:

Set-MpPreference -EnableControlledFolderAccess Disabled

Result

At the sample result, we can see an event ID that contains the following registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access

If we now run the following command:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v EnableControlledFolderAccess

We can see that Controlled Folder Access has been disabled. The indicator is "EnableControlledFolderAccess" with the value "0x0".

Turn Network Protection on Audit Mode

Network protection helps prevent users from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. An adversary can switch Network Protection to audit mode, so the malicious content won't be blocked.

In order to switch network protection to audit mode, we have to run the following command:

Set-MpPreference -EnableNetworkProtection AuditMode

Result

At the sample result, we can see an event ID that contains the following registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection

If we now run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v EnableNetworkProtection

We can see that Network Protection has been set to audit mode. The indicator is "EnableNetworkProtection" with the value "0x2".

Disable Microsoft Active Protection Service

Microsoft Active Protection Service is an online community that helps you choose how to respond to potential threats. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.

In order to disable MAPS, we have to run the following command:

Set-MpPreference -Force -MAPSReporting Disabled

Result

At the sample result, we can see an event ID that contains the following registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet

If we now run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v SpyNetReporting

We can see that MAPS has been disabled. The value “SpyNetReporting” with “0x0” is the indicator.

Never submit samples

An adversary can make a change to never submit any samples to Windows Defender.

In order to do so, we have to run the following command:

Set-MpPreference -SubmitSamplesConsent NeverSend

Result

At the sample result, we can see an event ID that contains the following registry key: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet

If we now run the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v SubmitSamplesConsent

We can see that samples will never be sent. The indicator is "SubmitSamplesConsent" with the value "0x2".

Disable Real Time Protection

Windows uses real-time protection to scan for malware and other unwanted software. Once this has been disabled, nothing is scanned in real time anymore.

In order to do this, we have to run the following command:

Set-MpPreference -DisableRealtimeMonitoring $true

Result

At the sample result, we will receive an event ID 5001. This event ID indicates that real time protection has been disabled.

If we now run the following command:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring

We can see that there was an attempt to disable Real-Time protection. After testing this on a production system, you can see this registry value. However, it does not immediately indicate that Real-Time protection was disabled; you may have an SCCM AntiMalware policy that overrides the setting, for example. The best way is to look at event ID 5001.

Disable IOAV Protection

This feature of Windows Defender indicates whether Windows Defender scans all downloaded files and attachments.

In order to disable this, we have to run the following command:

Set-MpPreference -DisableIOAVProtection $true

Result

In the sample result, we can see that IOAV protection has been disabled. Event ID 5004 indicates that this action has occurred. This event ID may be a bit noisy, so if you want to create a query for it, you may have to filter on "IE Downloads and Outlook Express Attachments" in the "Feature" field.

Situational Awareness

An adversary can disable the ETW provider of Windows Defender, so nothing is logged to Microsoft-Windows-Windows Defender/Operational anymore.

In order to do this, we have to run the following command:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f

Result

At the sample result, we can see that the ETW Provider of Windows Defender has been disabled.

Setup Azure Sentinel

Before we can use Azure Sentinel, we need to create a Log Analytics workspace. Azure Sentinel uses Log Analytics as the backend to store logs and other information.

In order to create a Log Analytics workspace:

  • Go to the Azure Portal
  • Search for “Log Analytics workspace” in the search bar and press enter
  • Click on “Create”
  • Fill in the rest of the information and finish

Once we have done that, we can set up Azure Sentinel.

In order to set up Azure Sentinel:

  • Go to the Azure Portal
  • Search for “Azure Sentinel” in the search bar and press enter
  • Click on “Create Azure Sentinel”
  • Select the Log Analytics workspace we previously created
  • Click on “Add”

We have now successfully created an Azure Sentinel workspace.

Deploy the MMA Agent

The Microsoft Monitoring Agent collects and reports a variety of data, including performance metrics, event logs and trace information. This allows us to receive logs from a machine and push them to Log Analytics, which is required in order to collect the Windows Defender AV logs.

  1. The first thing we have to do is download the MMA Agent.
  • Go to the Azure Portal
  • Click on “Log Analytics workspace”
  • Click on your created Log Analytics workspace
  • Go to “Agents management”

As we can see, there are 0 machines connected.

2. Now we have to create a shared folder, so machines can access it.

  • Download the MMA Agent
  • Create a folder on a server
  • Right-click on the folder and click on “Sharing”
  • Grant “Domain Computers” Read access
  • Save the MMA Agent package in the created shared folder.

Now we need to open notepad and copy and paste the following command:

NOTE: Replace the WORKSPACE_ID and WORKSPACE_KEY with yours. C:\MMA-Agent\MMASetup-AMD64.exe is the MMA Agent package in our shared folder.

"c:\MMA-Agent\MMASetup-AMD64.exe" /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=44059d47-2bc9-45ea-a5ea-fab50d502a6c OPINSIGHTS_WORKSPACE_KEY=TuOq3w1Ag8Y+8uQl+L9a5mHE1u4/5XAAzhHbUTmA4m34l5sLuimLeVWd+3+33UKKKI+686qsl/gM5XIczuoILQ== AcceptEndUserLicenseAgreement=1"

Save it as a .cmd file and put it in the shared folder that also contains the MMA Agent, which in our case is C:\MMA-Agent

3. At this part, we have to create a Group Policy and push the MMA Agent.

  • Create a Group Policy Object and give it a friendly name
  • In the Group Policy Management Editor, go to Computer configuration, then Preferences, and then Windows settings.
  • Right-click Folders, point to New, and specify the path where the MMA Agent is going to be stored on the endpoints. In this example, we are going to choose the following path: C:\Program Files
  • Right-click Files, point to New, and click on File
  • Action: Update
  • Source: \\APD-DC1\MMA-Agent\MMASetup-AMD64.exe
  • Path: C:\Program Files\MMASetup-AMD64.exe
  • Right click again on Files, point to New, and click one more time on File
  • Action: Replace
  • Source: \\APD-DC1\MMA-Agent\MMASetup.cmd
  • Target: C:\Program Files\MMASetup.cmd
  • Click on Common, mark the Apply once and do not reapply checkbox.

If you have done everything correctly, you should have something like this:

  • Go back to the beginning of the Group Policy Management Editor
  • In the Group Policy Management Editor, go to Computer configuration, then Policies, and then Windows settings.
  • Click on Scripts (Startup/Shutdown)
  • Click on Startup
  • Click on Add
  • Script Name: C:\Program Files\MMASetup.cmd

This ensures that the machines run the .cmd file, which contains the command to deploy the MMA agent on the machine.

4. Link the GPO to the OUs that contain the workstations and member servers

5. Here we can see that there are now two machines connected. As discussed before, it can take a while before a GPO has been processed.

Collect Windows Defender AV logs

We are now going to collect Windows Defender AV logs in our Azure Sentinel workspace.

  • Go to your Log Analytics workspace
  • Click on “Agents configuration”
  • Click on “Add Windows event log”
  • Select: “Microsoft-Windows-Windows Defender/Operational”

Query Windows Defender AV logs

We are now able to query Windows Defender AV logs of a machine.

Hunting Queries

All of these hunting queries are meant as examples, so they may require some fine-tuning.

  1. This query determines whether a folder was excluded from Windows Defender AV.

Query

let timeframe = 7d;
Event
| where TimeGenerated >= ago(timeframe)
| where EventLog == "Microsoft-Windows-Windows Defender/Operational"
| parse EventData with * 'New Value">'RegistryKey'</Data>' *
| where RegistryKey startswith "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
| extend ExcludedFolder = tostring(split(RegistryKey, "Paths\\")[1])
| extend ExcludedFolder = tostring(split(ExcludedFolder, "=")[0])
| project TimeGenerated, Computer, ExcludedFolder, RegistryKey

Result

At the sample result, we can see that the “C:\Windows\Temp” folder has been excluded.

2. This query determines whether an extension was excluded from Windows Defender AV.

Query

let timeframe = 7d;
Event
| where TimeGenerated >= ago(timeframe)
| where EventLog == "Microsoft-Windows-Windows Defender/Operational"
| parse EventData with * 'New Value">'RegistryKey'</Data>' *
| where RegistryKey startswith "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions"
| extend ExcludedExtension = tostring(split(RegistryKey, "Extensions\\")[1])
| extend ExcludedExtension = tostring(split(ExcludedExtension, "=")[0])
| where ExcludedExtension endswith ".ps1"
  or ExcludedExtension endswith ".vbs"
  or ExcludedExtension endswith ".bat"
| project TimeGenerated, Computer, ExcludedExtension, RegistryKey

Result

At the sample result, we can see that the “.ps1” extension has been excluded.

3. This query determines whether someone is trying to make a change to Windows Defender AV while it is being blocked by Tamper protection. This event ID is only logged when Tamper protection is enabled on the machine.

Query

let timeframe = 7d;
Event
| where TimeGenerated >= ago(timeframe)
| where EventLog == "Microsoft-Windows-Windows Defender/Operational"
| where EventID == 5013
| parse EventData with * 'Value">'RegistryKey'</Data>' *
| extend RenderedDescription = tostring(split(RenderedDescription, "Value")[0])
| project TimeGenerated, Description = RenderedDescription, Computer, RegistryKey

Result

At the sample result, we can see that there were two attempts. One of them was trying to disable real-time protection, but it got blocked by Tamper protection.
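As an added example that is not code from the original post, here is a small Python triage routine that applies the indicators from the Windows Defender walkthrough above and from the three hunting queries to operational events: it pulls the registry key out of the 5007 "New Value" field the same way the KQL parse does, maps the key to the exclusion and protection settings described earlier, flags 5001 and 5013, and deliberately ignores a 5007 that turns a protection back on (the data value decides, not just the key). The event records are constructed to match the EventData layout the queries parse; the Data element names "New Value" and "Value" are taken from the queries, and everything else (helper names, computer names, the noise event) is this example's own.

```python
import re

# Registry locations from the 5007 "New Value" field of the walkthrough above; a new
# value under one of these is an exclusion for a folder, extension or process.
WD = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
EXCLUSION_KEYS = {
    WD + "\\Exclusions\\Paths": "folder",
    WD + "\\Exclusions\\Extensions": "extension",
    WD + "\\Exclusions\\Processes": "process",
}
# Value name -> (data that indicates weakened protection, meaning), as listed in the post.
WEAKENING_VALUES = {
    WD + "\\Real-Time Protection\\DisableScriptScanning": ("0x1", "script scanning disabled"),
    WD + "\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess":
        ("0x0", "controlled folder access disabled"),
    WD + "\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection":
        ("0x2", "network protection set to audit mode"),
    WD + "\\SpyNet\\SpyNetReporting": ("0x0", "MAPS reporting disabled"),
    WD + "\\SpyNet\\SubmitSamplesConsent": ("0x2", "sample submission set to never send"),
}
FEATURES_CONTROLS = WD + "\\Features\\Controls"


def _data_field(event_data, name):
    """Extract one <Data Name="..."> element from the EventData XML, like the KQL parse does."""
    m = re.search(r'Name="%s">(.*?)</Data>' % re.escape(name), event_data, re.S)
    return m.group(1).strip() if m else None


def _split_value(text):
    """'HKLM\\...\\Name = 0x1' -> ('HKLM\\...\\Name', '0x1'); for 5013 the data is '(Current)'."""
    key, _, data = text.partition("=")
    return key.strip(), data.strip()


def triage_event(event):
    """Return a finding for one event, or None when the event is not one of the post's indicators."""
    eid, finding, key = event["EventID"], None, None
    if eid == 5001:                      # real-time protection turned off
        finding = "real-time protection disabled"
    elif eid == 5013:                    # tamper protection blocked a change
        key, _ = _split_value(_data_field(event["EventData"], "Value") or "")
        finding = "tamper protection blocked a change"
    elif eid == 5007:                    # configuration changed: decide from the New Value key
        new_value = _data_field(event["EventData"], "New Value")
        if not new_value:
            return None
        key, data = _split_value(new_value)
        for prefix, kind in EXCLUSION_KEYS.items():
            if key.startswith(prefix + "\\"):
                finding = "exclusion added for %s: %s" % (kind, key[len(prefix) + 1:])
        if key in WEAKENING_VALUES and data == WEAKENING_VALUES[key][0]:
            finding = WEAKENING_VALUES[key][1]
        elif key.startswith(FEATURES_CONTROLS):
            finding = "Features\\Controls changed (possible signature removal, check 2002 Current Engine)"
    if finding is None:
        return None
    return {"EventID": eid, "Computer": event["Computer"], "key": key, "finding": finding}


def triage(events):
    """Run triage_event over a list of events and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


def _event(event_id, computer, fields):
    """Constructed event record in the EventData layout the post's KQL parses (not a real capture)."""
    xml = "".join('<Data Name="%s">%s</Data>' % (n, v) for n, v in fields.items())
    return {"EventID": event_id, "Computer": computer, "EventData": "<EventData>%s</EventData>" % xml}


# Constructed sample events mirroring the walkthrough: two exclusions, two weakened settings,
# a setting turned back on (no finding), a 5001, a 5013 and a routine event as noise.
SAMPLE_EVENTS = [
    _event(5007, "WS01", {"Old Value": "", "New Value": WD + "\\Exclusions\\Paths\\C:\\Windows\\Temp = 0x0"}),
    _event(5007, "WS01", {"Old Value": "", "New Value": WD + "\\Exclusions\\Extensions\\.ps1 = 0x0"}),
    _event(5007, "WS02", {"Old Value": WD + "\\Real-Time Protection\\DisableScriptScanning = 0x0",
                          "New Value": WD + "\\Real-Time Protection\\DisableScriptScanning = 0x1"}),
    _event(5007, "WS02", {"Old Value": "", "New Value": WD + "\\SpyNet\\SpyNetReporting = 0x0"}),
    _event(5007, "WS02", {"Old Value": WD + "\\Real-Time Protection\\DisableScriptScanning = 0x1",
                          "New Value": WD + "\\Real-Time Protection\\DisableScriptScanning = 0x0"}),
    _event(5001, "WS03", {"Product Name": "Microsoft Defender Antivirus"}),
    _event(5013, "WS04", {"Value": WD + "\\Real-Time Protection\\DisableRealtimeMonitoring = (Current)"}),
    _event(1001, "WS01", {"Product Name": "Microsoft Defender Antivirus"}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["Computer"], f["EventID"], f["finding"], f["key"] or "")
```

The same two decisions are what an analytics rule needs to encode: the key prefix decides the category (exclusion, protection toggle, feature controls), and for toggles the data value decides whether protection was weakened or restored, so a re-enable does not raise the same alert as a disable.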

Create Custom Alerts

Instead of using the queries as hunting queries, we can also use them to create custom alerts and get notified once one has been triggered. This query may require some fine-tuning, but it is meant as an example.

The second step is to fill in some information about the rule, such as which tactic it maps to.

Now we can see in Azure Sentinel that we have received one alert.

Last but not least, we can start investigating the alert. It will display a graph with the relevant entities.

Tamper Protection

Tamper protection prevents unwanted changes to security settings on devices. With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features.

If we ran the exact command that the adversaries were using, which is the following:

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 60 > nul & C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Result

We would have blocked a few unwanted changes, which we can see in Event ID 5013.

To be more precise about what would have been blocked if we ran the above command:

  • Tamper Protection Blocked a change to Microsoft Defender Antivirus.
    Value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = (Current)
  • Tamper Protection Blocked a change to Microsoft Defender Antivirus.
    Value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = (Current)
  • Tamper Protection Blocked a change to Microsoft Defender Antivirus.
    Value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = (Current)

Review your exclusions

In order to get an overview of all your exclusions, we have to run the following commands as admin:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath

Result

At the sample result, we can see that the “C:\Windows\Temp” folder and the “.ps1” extension have been excluded.

SCCM

A lot of enterprise organizations use SCCM to manage Windows Defender settings, including the exclusion paths. The registry values are the same as on machines where exclusions were configured without SCCM; the only difference is the location. Once an exclusion has been configured in SCCM, let's say for a specific folder, it is stored in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\paths instead of HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

  • Exclusion folders: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\paths
  • Exclusion processes: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\processes
  • Exclusion extensions: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\extensions
  • SpyNet: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\spynet
  • Real-Time Protection: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection
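To tie the "Review your exclusions" section to the SCCM point above, here is an added Python example (not from the original post) that parses the text output of reg query for both locations and reports every exclusion with its origin, so an audit that only looked at one hive would not miss the other. The reg query output is constructed to match the layout reg query prints (the key path on an unindented line, then four-space-indented name/type/data lines); the paths and values in it are invented for the example, and the function names are this example's own.

```python
import re

# The two locations the post names: exclusions set locally (Add-MpPreference) and
# exclusions pushed by SCCM/policy. Policy subkeys are written in lower case.
LOCAL_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions"
POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions"
EXCLUSION_KINDS = ("paths", "extensions", "processes")

# A value line as 'reg query' prints it: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_reg_query(output):
    """Parse the text output of 'reg query <key> /s' into {subkey_path: {value_name: data}}."""
    result, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):           # an unindented line is a key path
            current = line.strip()
            result.setdefault(current, {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                result[current][m.group("name")] = m.group("data")
    return result


def collect_exclusions(output, root, source):
    """Yield (kind, value, source) for every value under a Paths/Extensions/Processes subkey of root."""
    for key, values in parse_reg_query(output).items():
        if not key.lower().startswith(root.lower()):
            continue
        kind = key.rsplit("\\", 1)[-1].lower()   # normalise 'Paths' and 'paths' to one kind
        if kind in EXCLUSION_KINDS:
            for name in values:
                yield kind, name, source


def effective_exclusions(local_output, policy_output):
    """Union of both locations, each exclusion tagged with the location(s) it came from."""
    merged = {}
    found = list(collect_exclusions(local_output, LOCAL_ROOT, "local")) + \
        list(collect_exclusions(policy_output, POLICY_ROOT, "policy"))
    for kind, name, source in found:
        entry = merged.setdefault((kind, name.lower()), {"kind": kind, "value": name, "sources": set()})
        entry["sources"].add(source)
    return sorted(merged.values(), key=lambda e: (e["kind"], e["value"].lower()))


# Constructed 'reg query ... /s' output for both locations (not a real capture).
LOCAL_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    .ps1    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    C:\Windows\Temp    REG_DWORD    0x0
"""

POLICY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\paths
    C:\Windows\Temp    REG_DWORD    0x0
    D:\SQLData    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions\processes
    C:\Example\backup.exe    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for e in effective_exclusions(LOCAL_OUTPUT, POLICY_OUTPUT):
        print("%-11s %-25s %s" % (e["kind"], e["value"], ",".join(sorted(e["sources"]))))
```

Matching on the lower-cased name lets a folder that is excluded both locally and by policy show up once with both sources, which is the case to look at first: a local exclusion duplicating a policy one is redundant at best and unexplained at worst.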

Summary

We started by killing Windows Defender AV just like the attackers do. After that, we set up Azure Sentinel and deployed the MMA Agent on our machines to push all the Microsoft-Windows-Windows Defender/Operational logs to our workspace.

As we may have noticed, creating exclusions, removing all the signatures or disabling protections won't trigger any alerts by default. However, that does not mean we shouldn't monitor this kind of activity; in many ransomware cases, this is exactly what happens. Start by monitoring your Windows Defender AV logs. Keep an eye on every exclusion that gets configured on a machine and on any attempt to disable additional protection, like real-time protection, network protection, controlled folder access, and so on.
