Description

Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious reg.exe processes, processes launching netsh, and many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Author: Rico Valdez, Splunk
  • ID: fcc27099-46a0-46b0-a271-5c7dab56b6f1

Narrative

Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them, or explicitly disabling them to prevent them from running. This Analytic Story includes searches that look for activity consistent with attackers attempting to disable various security mechanisms. Detecting such activity may involve monitoring for suspicious registry activity, since much of the configuration for Windows and many other programs resides in the registry, or watching for explicit attempts to shut down security-related services. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a block list so that the signed binaries are refused.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Processes launching netsh | Disable or Modify System Firewall, Impair Defenses | TTP |
| Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP |
| Suspicious Reg exe Process | Modify Registry | TTP |
| Unload Sysmon Filter Driver | Disable or Modify Tools, Impair Defenses | TTP |
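The following is an added example, not code from this Analytic Story or from Splunk: a small Python triage script that runs simplified rule logic, modelled on the detection names in the table above and the behaviours described in the narrative, over a handful of constructed process-creation events (Sysmon Event ID 1 style, flattened to `image|parent|command_line`). The rule regexes, the service-name list, and the sample events are assumptions chosen for illustration; the real Splunk searches operate on the Endpoint datamodel and are more precise than these approximations.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry): image|parent|command_line.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\sc.exe|cmd.exe|sc stop WinDefend",
    r"C:\Windows\System32\netsh.exe|powershell.exe|netsh advfirewall set allprofiles state off",
    r"C:\Windows\System32\reg.exe|cmd.exe|reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    r"C:\Windows\System32\fltMC.exe|cmd.exe|fltmc unload SysmonDrv",
    r"C:\Windows\System32\certutil.exe|cmd.exe|certutil -addstore Disallowed vendor.cer",
    r"C:\Windows\System32\sc.exe|cmd.exe|sc query Spooler",                   # benign
    r"C:\Windows\System32\netsh.exe|cmd.exe|netsh interface show interface",  # benign
    r"C:\Windows\System32\reg.exe|cmd.exe|reg query HKCU\Software\Classes",   # benign
]

# Assumed list of security-related service names; extend for your own tooling.
SECURITY_SERVICES = r"(WinDefend|Sense|MsMpSvc|Sysmon(64)?|wscsvc|SecurityHealthService)"


@dataclass(frozen=True)
class Rule:
    name: str       # mirrors a detection name from the story table
    technique: str  # ATT&CK technique name from the story table
    image: str      # regex applied to the lower-cased process image basename
    cmdline: str    # regex applied to the command line (case-insensitive)


# Simplified approximations of the story's detections (assumed, not Splunk's SPL).
RULES = [
    Rule("Attempt To Stop Security Service", "Disable or Modify Tools",
         r"^(sc|net)\.exe$", rf"\b(stop|delete|config)\b.*\b{SECURITY_SERVICES}\b"),
    Rule("Sc exe Manipulating Windows Services", "Windows Service",
         r"^sc\.exe$", r"\b(create|config|delete)\b"),
    Rule("Processes launching netsh", "Disable or Modify System Firewall",
         r"^netsh\.exe$", r"firewall.*\b(off|disable)\b"),
    Rule("Suspicious Reg exe Process", "Modify Registry",
         r"^reg\.exe$", r"\b(add|delete)\b.*(Windows Defender|Sysmon)"),
    Rule("Unload Sysmon Filter Driver", "Disable or Modify Tools",
         r"^fltmc\.exe$", r"\bunload\b.*\bSysmonDrv\b"),
    Rule("Attempt To Add Certificate To Untrusted Store", "Install Root Certificate",
         r"^certutil\.exe$", r"-addstore\b.*\bDisallowed\b"),
]


def parse_event(line: str) -> dict[str, str]:
    """Split the flattened event and normalise the image to its basename."""
    image, parent, cmdline = line.split("|", 2)
    return {
        "image": image.rsplit("\\", 1)[-1].lower(),
        "parent": parent,
        "cmdline": cmdline,
    }


def evaluate(line: str) -> list[str]:
    """Return the names of every rule that fires on one event (empty if benign)."""
    ev = parse_event(line)
    return [
        rule.name
        for rule in RULES
        if re.search(rule.image, ev["image"], re.I)
        and re.search(rule.cmdline, ev["cmdline"], re.I)
    ]


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only events that matched at least one rule, with the rules that fired."""
    flagged = []
    for line in lines:
        hits = evaluate(line)
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_EVENTS):
        print(f"{parse_event(line)['image']:<14} -> {', '.join(hits)}")
```

Each rule pairs an image check with a command-line check so that the many benign uses of `sc`, `netsh` and `reg` (query, show, read-only operations) do not fire; in production the same separation is what keeps these searches tunable, since the noisy part is almost always the command-line pattern rather than the process name.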

Reference

source | version: 2