Authored By:
TomU @c_APT_ure
Description:
This IOC detects system administration tools (Task Manager, Registry Editor) that have been disabled through registry policy values, presumably by malware.
ThreatExpert uses these sentences:
“to prevent users from starting Task Manager (Taskmgr.exe)” and
“to disable the Windows registry editors (Regedt32.exe and Regedit.exe)”
A Google search for these terms (on ThreatExpert only) currently gives up to 9’370 hits (sample query: “site:threatexpert.com DisableTaskMgr”).
In addition, it detects certain security features that malware disables; ThreatExpert describes these as:
“to disable notification of firewall, antivirus and/or update status through the Windows Security Center”
The last AND should check for an empty value, so not sure if “value contains not 0” works for this.
Also not sure if “value contains 1” will match “1” and “0x00000001”.
Reports:
http://www.threatexpert.com/report.aspx?md5=5022bc00e22ebec939c18825845ea32d
http://www.threatexpert.com/report.aspx?md5=51ad6e2129bed025a73d6b22965df5ca
http://support.microsoft.com/kb/831787
http://support.microsoft.com/kb/555480
Indicators:
OR
    AND
        Registry KeyPath contains Software\Microsoft\Windows\CurrentVersion\Policies\System
        OR
            Registry ValueName is DisableTaskMgr
            Registry ValueName is DisableRegistryTools
            Registry ValueName is DisableRegedit
        OR
            Registry Value contains 1
            Registry Value contains 2
    AND
        Registry Value contains 1
        OR
            Registry KeyPath contains SOFTWARE\Policies\Microsoft\Windows Defender
            Registry KeyPath contains SOFTWARE\Policies\Microsoft\Windows Defender
            Registry KeyPath contains SOFTWARE\Microsoft\Internet Explorer\Download
            Registry KeyPath contains SOFTWARE\Microsoft\Security Center\Svc
            Registry KeyPath contains SOFTWARE\Microsoft\Security Center
        OR
            Registry ValueName is DontReportInfectionInformation
            Registry ValueName is DisableAntiSpyware
            Registry ValueName is RunInvalidSignatures
            Registry ValueName is UACDisableNotify
            Registry ValueName is AutoUpdateDisableNotify
            Registry ValueName is AntiVirusDisableNotify
            Registry ValueName is FirewallDisableNotify
            Registry ValueName is AntiVirusOverride
    AND
        Registry KeyPath contains SOFTWARE\Microsoft\Security Center
        Registry Value contains not 0
        OR
            Registry ValueName is AntiVirusOverride
            Registry ValueName is FirewallOverride
    AND
        Registry KeyPath contains SOFTWARE\Microsoft\Internet Explorer\Download
        Registry ValueName is CheckExeSignatures
        Registry Value is no
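As an added example (not the IOC file, and not ThreatExpert's or any IOC engine's code), the Python below evaluates the four AND blocks above against constructed registry entries and exercises the two conditions the description is unsure about: a literal substring "contains 1" also matches a DWORD rendered as 0x00000010, and a literal "contains not 0" rejects 0x00000001 (it contains a zero digit) while accepting an empty value, whereas parsing the DWORD numerically behaves as intended. The RegEntry shape, the helper functions, the hex rendering and all sample entries are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Union

RegData = Optional[Union[int, str]]   # int = REG_DWORD, str = REG_SZ, None = no data


@dataclass(frozen=True)
class RegEntry:
    """One registry value as a sandbox report would list it (assumed shape, constructed data)."""
    key_path: str
    value_name: str
    data: RegData


# String-level conditions, read the way the IOC's "is" / "contains" do when taken literally.
def s_is(actual: str, expected: str) -> bool:
    return actual.casefold() == expected.casefold()


def s_contains(actual: str, needle: str) -> bool:
    return needle.casefold() in actual.casefold()


def render(data: RegData) -> str:
    """Assumed report rendering: DWORDs as 0x%08x, strings as-is, '' when the value is empty."""
    if data is None:
        return ""
    return f"0x{data:08x}" if isinstance(data, int) else data


def as_int(data: RegData) -> Optional[int]:
    """Parse DWORD data given as int, '1' or '0x00000001'; None if unset or not numeric."""
    if data is None or data == "":
        return None
    if isinstance(data, int):
        return data
    try:
        return int(data, 0)   # base 0 accepts both decimal and 0x-prefixed hex
    except ValueError:
        return None


def set_and_non_zero(data: RegData) -> bool:
    """What 'Value contains not 0' is meant to express: value present and not zero."""
    v = as_int(data)
    return v is not None and v != 0


POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
IE_DOWNLOAD = r"SOFTWARE\Microsoft\Internet Explorer\Download"
DEFENDER_POLICY = r"SOFTWARE\Policies\Microsoft\Windows Defender"


def disabled_admin_tool(e: RegEntry) -> bool:
    """First AND block: DisableTaskMgr / DisableRegistryTools / DisableRegedit set to 1 or 2."""
    return (s_contains(e.key_path, POLICY_SYSTEM)
            and any(s_is(e.value_name, n) for n in ("DisableTaskMgr", "DisableRegistryTools", "DisableRegedit"))
            and as_int(e.data) in (1, 2))


def disabled_security_feature(e: RegEntry) -> bool:
    """Second AND block: one of the listed value names set to 1 under one of the listed keys."""
    keys = (DEFENDER_POLICY, IE_DOWNLOAD, SECURITY_CENTER + r"\Svc", SECURITY_CENTER)
    names = ("DontReportInfectionInformation", "DisableAntiSpyware", "RunInvalidSignatures",
             "UACDisableNotify", "AutoUpdateDisableNotify", "AntiVirusDisableNotify",
             "FirewallDisableNotify", "AntiVirusOverride")
    return (any(s_contains(e.key_path, k) for k in keys)
            and any(s_is(e.value_name, n) for n in names)
            and as_int(e.data) == 1)


def security_center_override(e: RegEntry) -> bool:
    """Third AND block: AntiVirusOverride / FirewallOverride under Security Center, set and non-zero."""
    return (s_contains(e.key_path, SECURITY_CENTER)
            and any(s_is(e.value_name, n) for n in ("AntiVirusOverride", "FirewallOverride"))
            and set_and_non_zero(e.data))


def ie_signature_check_off(e: RegEntry) -> bool:
    """Fourth AND block: CheckExeSignatures = 'no' under the IE Download key."""
    return (s_contains(e.key_path, IE_DOWNLOAD)
            and s_is(e.value_name, "CheckExeSignatures")
            and s_is(render(e.data), "no"))


def ioc_matches(e: RegEntry) -> bool:
    """Top-level OR over the four AND blocks."""
    return (disabled_admin_tool(e) or disabled_security_feature(e)
            or security_center_override(e) or ie_signature_check_off(e))


# The two conditions from the description, evaluated literally on the rendered string.
def literal_contains_1(e: RegEntry) -> bool:
    return s_contains(render(e.data), "1")


def literal_contains_not_0(e: RegEntry) -> bool:
    return not s_contains(render(e.data), "0")


# Constructed sample entries, not taken from any real report.
SAMPLES = {
    "taskmgr_off":       RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    "regedit_off_sz":    RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "2"),
    "taskmgr_reenabled": RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 0),
    "odd_value":         RegEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 16),
    "av_override":       RegEntry(r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", 1),
    "av_override_empty": RegEntry(r"HKLM\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", None),
    "fw_notify_off":     RegEntry(r"HKLM\SOFTWARE\Microsoft\Security Center\Svc", "FirewallDisableNotify", 1),
    "ie_sig_off":        RegEntry(r"HKCU\SOFTWARE\Microsoft\Internet Explorer\Download", "CheckExeSignatures", "no"),
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:18} ioc={ioc_matches(entry)!s:5} contains_1={literal_contains_1(entry)!s:5} "
              f"contains_not_0={literal_contains_not_0(entry)}")
```

Running the block prints one row per sample; the rows for av_override and av_override_empty show the literal "contains not 0" reading giving a miss and a false hit respectively, while the numeric check in ioc_matches gets both right.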
Download:
66e24787-a3da-4bea-b322-e10c0a30a80b.ioc