
      Hunting Malicious Windows Defender Activity

      April 10, 2020 / March 16, 2020 | Craig Fretwell

      Recently I was demoing Azure Sentinel to a large organization, and someone asked me, “What if an attacker manages to compromise my system and disables Windows Defender?”

      Well…what if they do? How can we flag this, investigate and remediate? Why would someone intentionally disable anti-malware protection? I’ve written this blog to hopefully help you combat and protect yourself from this type of scenario.

      Below are some basic prerequisites to be comfortable following this blog:

      Prerequisites & Assumptions:

      • Azure Experience (essential)
      • IT Security Experience (essential)
      • Log Analytics (essential)
      • Azure Sentinel (essential)
      • A Physical Asset or Virtual Machine (essential)
      • PowerShell (Not essential)

      First, let’s configure our Log Analytics workspace (the workspace Azure Sentinel is attached to). This will collect all the data we are going to query in relation to Windows Defender activity. We’re looking to collect any anti-malware events from Microsoft Antimalware or Windows Defender.

      Under the workspace’s Windows Event Logs data settings, type “Microsoft-Windows-Windows Defender/Operational”, then tick Error, Warning & Information and click Save.


      Once this is saved, it will take approximately 15 minutes to start collecting the data from your VM to Log Analytics.

      Let’s jump over to our Sentinel Workspace, and Click Logs.

      We can test that Windows Defender is reporting by running a simple query for Event ID 1150, which Defender logs when endpoint protection is in a healthy state.

      Event
      | where EventID == 1150
      | order by TimeGenerated desc


      Now we need to write a query which will alert us if any configuration changes happen on Windows Defender. Before we create our Analytic Rule, we need to create a Logic App/Playbook which will alert us via an email that Windows Defender has had some configuration changes. Let’s go to Playbooks, click “Add Playbook”, give your playbook a name and click Create. Then select “Blank Logic App”.


      I’d like to receive an email when Sentinel picks up this alert, so I search “Sentinel” within the connectors and triggers bar.


      At the time of writing there is only one trigger for Sentinel.


      Make your connection to Sentinel.


      Next click + New Step and search for YOUR email action. For me, I’ll be using Outlook.com.

      Fill in the Body, Subject and To sections with whichever information you’d like to be emailed once an alert is triggered.

      I’ve done some basic formatting inside the body of the email, so my email alert makes sense and is laid out nicely.


      Click Save. We can now attach our playbook to the security query. For us to be notified of this, we need to create a Scheduled Analytic Query Rule, so let’s go to our Sentinel dashboard, click “Analytics” and create a new rule.


      I’m only interested in the following Event IDs, which indicate that protection has been disabled or has expired:

      Event ID: 5101
      Symbolic name: MALWAREPROTECTION_DISABLED_EXPIRED_STATE

      Event ID: 5012
      Symbolic name: MALWAREPROTECTION_ANTIVIRUS_DISABLED

      Event ID: 5010
      Symbolic name: MALWAREPROTECTION_ANTISPYWARE_DISABLED

      Event ID: 5001
      Symbolic name: MALWAREPROTECTION_RTP_DISABLED

      Realistically these IDs should never appear; if they do…you know something is wrong.

      Once we’ve captured the Event IDs, we enter them into our Rule Logic. This will be our query:

      Event
      | where EventID in (5101, 5001, 5012, 5010)
      | order by TimeGenerated desc
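      A fuller version of the rule logic, added here as an example rather than the post’s own query: it restricts the search to the Defender operational log collected above, labels each ID with its symbolic name, and summarizes per host so the playbook email can name the affected computer and when the last event was seen. The Event table columns used (EventLog, Computer, EventID) are the standard Log Analytics ones; the ago(1h) lookback is an assumption and should match the rule’s query period.

```kql
// Added example, not the original post's query.
// Map each Defender "protection disabled" Event ID to its symbolic name.
let DefenderDisabledIds = datatable(EventID:int, SymbolicName:string) [
    5101, "MALWAREPROTECTION_DISABLED_EXPIRED_STATE",
    5012, "MALWAREPROTECTION_ANTIVIRUS_DISABLED",
    5010, "MALWAREPROTECTION_ANTISPYWARE_DISABLED",
    5001, "MALWAREPROTECTION_RTP_DISABLED"
];
Event
// Lookback window: assumed 1 hour; set it equal to the rule's "Lookup data from the last" value
| where TimeGenerated > ago(1h)
// Only the channel the workspace was configured to collect
| where EventLog == "Microsoft-Windows-Windows Defender/Operational"
// Inner join keeps only the four IDs of interest and attaches the symbolic name
| join kind=inner DefenderDisabledIds on EventID
// One row per host: first and last occurrence, event count, and which states were reported
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            EventCount = count(),
            DisabledStates = make_set(SymbolicName)
          by Computer
// Entity mapping convention Sentinel used at the time of the post, so the incident shows the host
| extend timestamp = LastSeen, HostCustomEntity = Computer
| order by LastSeen desc
```

      A third-party antivirus registering with Windows also puts Defender into a disabled state and logs these same IDs, so exclude hosts where that is expected before treating this as a high-severity rule.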


      For now, I’ll enable the option for alerts to create incidents, so that they are displayed on my dashboard.


      Let’s select our recently created Playbook from above.


      Next click Review and Create.


      Now let’s get into the exciting portion. Below are a few lines of simple PowerShell that will disable Microsoft Windows Defender. *NOTE* please don’t use this on a production VM or your own machine!

      Before that, we can see that Defender has a green tick, meaning it is all healthy and running nicely.

      So let’s execute the code below:

      # Allow unsigned scripts to run in this session
      Set-ExecutionPolicy Unrestricted -Force
      # Turn off real-time protection (Defender logs this as Event ID 5001)
      Set-MpPreference -DisableRealtimeMonitoring $true
      # Stop scanning removable drives
      Set-MpPreference -DisableRemovableDriveScanning $true
      # PUA protection level: 0 = Disabled, 1 = Enabled, 2 = Audit mode
      Set-MpPreference -PUAProtection 1
      # Set the DisableAntiSpyware policy value that switches Defender off
      New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 1 -PropertyType DWORD -Force

      Now after running the code, you should see a bunch of pop-ups, notifying you that Defender isn’t running and it should turn red (or have a red X).


      Let’s hop back to our Sentinel dashboard and check the situation out.

      So we can see straight away that our Incident blade in Sentinel has captured the Analytic alert we’ve configured.


      And after about 1 minute, an email lands in my inbox.


      Combining all of the above will help you alert on and respond to malicious Defender activity with Azure Sentinel. Please reach out to New Signature if you’re concerned about the security landscape of your Azure environment.
