HackTool:Win32/DefenderControl

Microsoft recommends the following mitigations to reduce the impact of this threat.

• Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. Without Tamper Protection, attackers can simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.

• Turn on custom scoped antivirus tamper protection for specified devices. If Tamper Protection is turned on globally within your organization, this configuration is not needed.
• Customers running Intune or Microsoft Defender for Endpoint Security Configuration can enable DisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO.
• Organizations can check the Security recommendations scorecard to search for devices without Tamper Protection. The advanced hunting query provided below will also surface devices that have Tamper Protection disabled.
• In addition to Tamper Protection, you can also enable and configure Microsoft Defender Antivirus always-on protection in Group Policy.
• If there is an issue with a device during roll out of various antivirus features, the device can be placed in Troubleshooting mode to turn off Tamper Protection temporarily without impacting the wider organizational security policy.
• Use device discovery to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint. Attackers will often identify systems that are improperly managed – either legacy systems that are not onboarded to security solutions, or misconfigured systems that do not have cloud-enabled detection or the most recent version of a security system in place. Attackers can then launch attacks from these unmanaged or tampered devices.
• If onboarding devices is not possible for legacy systems, ensure that those systems are either physically isolated through a firewall or logically isolated by ensuring they have no credential overlap with other systems.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.
• Practice the principle of least privilege, use multifactor authentication, and audit privileged account activity in your environments to slow and stop attackers. Avoid the use of domain-wide, administrator-level service accounts and restrict local administrative privileges. These mitigation steps reduce the paths the attackers have available to them to accomplish their goals and lower the risk of the compromise spreading in your environment.
• For further recommendations for security hardening against ransomware attacks, which can also help deter other determined adversaries, refer to our Ransomware-as-a-Service blog.

Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats.

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
• Block execution of potentially obfuscated scripts.
• Block credential stealing from the Windows local security authority subsystem.
• Block process creations originating from PsExec and WMI commands. Some organizations may experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI.
• Use advanced protection against ransomware.
• Block abuse of exploited vulnerable signed drivers.