Tamper protection - REvil ransomware


Please note: This is not an issue, just a question/discussion regarding whether tamper protection actually would have helped.

Hey,

Trying to figure out how tamper protection would have assisted in the case of Kaseya VSA attacks going on.

Right now I've tried to run the script for disabling the following features with PowerShell, both with local admin rights and with system rights, without any success:

  • Disables Real Time Monitoring
  • Disables IPS
  • Disables Cloud Lookup
  • Disables script scanning
  • Disables Controlled Folder Access (ransomware prevention feature)
  • Disables Network Protection
  • Stops cloud sample submission

powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

In my case, this confirms that tamper protection and managed settings through CM/Intune/GPOs would have blocked the script from disabling core features in Defender for Endpoint / Defender.

Am I missing something?
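A defender-side check to go with the question above, added here and not part of the original post: it reads back the same Defender settings the Set-MpPreference line targets, reports whether each is still in its protective state, and shows whether tamper protection is on and whether it has logged any blocked changes. It assumes an elevated PowerShell session on a host with the Defender module (Get-MpPreference, Get-MpComputerStatus); the expected enum values are those documented for Set-MpPreference.

```powershell
# Added example (not from the original post): reports whether tamper protection is on
# and whether each Defender setting targeted by the post's Set-MpPreference command
# is still in its protective state. Requires an elevated PowerShell session.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# One row per setting the post's command touches. "Protected" encodes the state an
# intact configuration should show (documented enums: CFA/Network Protection 1 = Enabled,
# MAPSReporting 1 = Basic / 2 = Advanced, SubmitSamplesConsent 2 = NeverSend).
$rows = @(
    @{ Setting = 'DisableRealtimeMonitoring';        Value = $pref.DisableRealtimeMonitoring;        Protected = { param($v) $v -eq $false } }
    @{ Setting = 'DisableIntrusionPreventionSystem'; Value = $pref.DisableIntrusionPreventionSystem; Protected = { param($v) $v -eq $false } }
    @{ Setting = 'DisableIOAVProtection';            Value = $pref.DisableIOAVProtection;            Protected = { param($v) $v -eq $false } }
    @{ Setting = 'DisableScriptScanning';            Value = $pref.DisableScriptScanning;            Protected = { param($v) $v -eq $false } }
    @{ Setting = 'EnableControlledFolderAccess';     Value = $pref.EnableControlledFolderAccess;     Protected = { param($v) $v -eq 1 } }
    @{ Setting = 'EnableNetworkProtection';          Value = $pref.EnableNetworkProtection;          Protected = { param($v) $v -eq 1 } }
    @{ Setting = 'MAPSReporting';                    Value = $pref.MAPSReporting;                    Protected = { param($v) $v -ge 1 } }
    @{ Setting = 'SubmitSamplesConsent';             Value = $pref.SubmitSamplesConsent;             Protected = { param($v) $v -ne 2 } }
)

"Tamper protection reported on : $($status.IsTamperProtected)"
"Real-time protection running  : $($status.RealTimeProtectionEnabled)"
""
$rows | ForEach-Object {
    [pscustomobject]@{
        Setting = $_.Setting
        Value   = $_.Value
        State   = if (& $_.Protected $_.Value) { 'intact' } else { 'WEAKENED' }
    }
} | Format-Table -AutoSize

# Tamper protection writes event ID 5013 to the Defender operational log when it
# blocks a configuration change; list the most recent ones, if any.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5013
} -MaxEvents 10 -ErrorAction SilentlyContinue
if ($blocked) { $blocked | Select-Object TimeCreated, Message | Format-List }
else { "No tamper-protection block events (ID 5013) found in the operational log." }
```

Run it once before and once after the Set-MpPreference attempt: with tamper protection on, every row should stay "intact" and the 5013 events show the blocked changes.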
