
Sysadmin Tools and Security Features Disabled by Malware


Authored By:
TomU @c_APT_ure

Description:
This IOC detects sysadmin tools (Task Manager, Registry Editor) that have been disabled, presumably by malware.
ThreatExpert describes this behaviour with the sentences:
“to prevent users from starting Task Manager (Taskmgr.exe)” and
“to disable the Windows registry editors (Regedt32.exe and Regedit.exe)”
A Google search for these terms (on ThreatExpert only) currently gives up to 9’370 hits (sample query: “site:threatexpert.com DisableTaskMgr”).

In addition, it detects certain security features disabled by malware, which ThreatExpert describes as:
“to disable notification of firewall, antivirus and/or update status through the Windows Security Center”

The last AND should check for an empty value, so I am not sure whether “value contains not 0” works for this.
I am also not sure whether “value contains 1” will match both “1” and “0x00000001”.

Reports:
http://www.threatexpert.com/report.aspx?md5=5022bc00e22ebec939c18825845ea32d
http://www.threatexpert.com/report.aspx?md5=51ad6e2129bed025a73d6b22965df5ca
http://support.microsoft.com/kb/831787
http://support.microsoft.com/kb/555480

Indicators:
OR
   AND
      Registry KeyPath contains Software\Microsoft\Windows\CurrentVersion\Policies\System
      OR
         Registry ValueName is DisableTaskMgr
         Registry ValueName is DisableRegistryTools
         Registry ValueName is DisableRegedit
      OR
         Registry Value contains 1
         Registry Value contains 2
   AND
      Registry Value contains 1
      OR
         Registry KeyPath contains SOFTWARE\Policies\Microsoft\Windows Defender
         Registry KeyPath contains SOFTWARE\Policies\Microsoft\Windows Defender
         Registry KeyPath contains SOFTWARE\Microsoft\Internet Explorer\Download
         Registry KeyPath contains SOFTWARE\Microsoft\Security Center\Svc
         Registry KeyPath contains SOFTWARE\Microsoft\Security Center
      OR
         Registry ValueName is DontReportInfectionInformation
         Registry ValueName is DisableAntiSpyware
         Registry ValueName is RunInvalidSignatures
         Registry ValueName is UACDisableNotify
         Registry ValueName is AutoUpdateDisableNotify
         Registry ValueName is AntiVirusDisableNotify
         Registry ValueName is FirewallDisableNotify
         Registry ValueName is AntiVirusOverride
   AND
      Registry KeyPath contains SOFTWARE\Microsoft\Security Center
      Registry Value contains not 0
      OR
         Registry ValueName is AntiVirusOverride
         Registry ValueName is FirewallOverride
   AND
      Registry KeyPath contains SOFTWARE\Microsoft\Internet Explorer\Download
      Registry ValueName is CheckExeSignatures
      Registry Value is no
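
To make the two matching questions above concrete, here is an added Python evaluator of the indicator tree over constructed registry records (example code, not part of the original IOC post). The records are constructed, and reading “contains not 0” literally as “the substring 0 is absent” is an assumption about the OpenIOC semantics.

```python
# Constructed sample records (KeyPath, ValueName, Value as a collector renders it), not
# real evidence. "0x00000001" is how some tools render a DWORD; "" stands for an empty value.
SAMPLE_RECORDS = [
    {"KeyPath": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "ValueName": "DisableTaskMgr", "Value": "1"},
    {"KeyPath": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "ValueName": "DisableRegistryTools", "Value": "0x00000001"},
    {"KeyPath": r"HKLM\SOFTWARE\Microsoft\Security Center", "ValueName": "AntiVirusDisableNotify", "Value": "1"},
    {"KeyPath": r"HKLM\SOFTWARE\Microsoft\Security Center", "ValueName": "AntiVirusOverride", "Value": ""},
    {"KeyPath": r"HKLM\SOFTWARE\Microsoft\Security Center", "ValueName": "FirewallOverride", "Value": "0x00000001"},
    {"KeyPath": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Download", "ValueName": "CheckExeSignatures", "Value": "no"},
]
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
IE_DOWNLOAD = r"SOFTWARE\Microsoft\Internet Explorer\Download"
DEFENDER = r"SOFTWARE\Policies\Microsoft\Windows Defender"
NOTIFY_NAMES = {"DontReportInfectionInformation", "DisableAntiSpyware", "RunInvalidSignatures",
                "UACDisableNotify", "AutoUpdateDisableNotify", "AntiVirusDisableNotify",
                "FirewallDisableNotify", "AntiVirusOverride"}

def contains(haystack, needle):
    """OpenIOC-style 'contains': case-insensitive substring test (assumed semantics)."""
    return needle.lower() in haystack.lower()

def disabled_admin_tool(r):
    """Branch 1: policy key, tool-disabling value name, value containing 1 or 2."""
    return (contains(r["KeyPath"], POLICY_KEY)
            and r["ValueName"] in {"DisableTaskMgr", "DisableRegistryTools", "DisableRegedit"}
            and (contains(r["Value"], "1") or contains(r["Value"], "2")))

def notification_disabled(r):
    """Branch 2: a Security Center / Defender / IE notification switch set to 1."""
    return (contains(r["Value"], "1") and r["ValueName"] in NOTIFY_NAMES
            and any(contains(r["KeyPath"], k) for k in (SECURITY_CENTER, IE_DOWNLOAD, DEFENDER)))

def override_set(r):
    """Branch 3 read literally: 'Value contains not 0' means the substring '0' is absent.
    An empty value therefore matches, while a DWORD rendered as 0x00000001 does not."""
    return (contains(r["KeyPath"], SECURITY_CENTER)
            and r["ValueName"] in {"AntiVirusOverride", "FirewallOverride"}
            and not contains(r["Value"], "0"))

def exe_signature_check_off(r):
    """Branch 4: IE no longer checks executable signatures."""
    return (contains(r["KeyPath"], IE_DOWNLOAD)
            and r["ValueName"] == "CheckExeSignatures" and r["Value"].lower() == "no")

def matching_values(records):
    """Value names that trip any branch (the IOC's top-level OR)."""
    return [r["ValueName"] for r in records if disabled_admin_tool(r) or notification_disabled(r)
            or override_set(r) or exe_signature_check_off(r)]
```

Run against the constructed records, the empty AntiVirusOverride value matches branch 3 while the hex-rendered FirewallOverride does not, which is exactly the ambiguity the description raises; a robust rule would normalise the value to an integer before comparing.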

Download:
66e24787-a3da-4bea-b322-e10c0a30a80b.ioc
