Analytics Story: Windows Defense Evasion Tactics

Description

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious reg.exe processes, files hidden with attrib.exe, and disabling User Account Control, among many others.

Why it matters

Defense evasion is a tactic, identified in the MITRE ATT&CK framework, that adversaries employ in a variety of ways to bypass or defeat defensive security measures. The MITRE ATT&CK framework enumerates many techniques that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_common_abused_cmd_shell_risk_behavior_filter`
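The correlation search above is a risk-based alerting (RBA) search: it groups risk events by risk object and MITRE tactic, sums scores, collects the contributing detections, and only surfaces a risk object once at least four distinct detections (source_count >= 4) have fired for it. The following Python is an added example, not Splunk's code and not part of this page or the Security Content project; it models that aggregation over constructed risk events (the hostnames, timestamps, scores and the "ESCU - ... - Rule" source names are assumptions) so the threshold and grouping behaviour can be inspected offline.

```python
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatchcase

# A subset of the `source IN (...)` patterns from the search above. SPL treats
# `*` as a wildcard and matches case-insensitively; both are emulated below.
SOURCE_PATTERNS = [
    "*Windows Proxy Via Netsh*",
    "*Disabling Firewall with Netsh*",
    "*Network Connection Discovery With Arp*",
    "*Windows User Discovery Via Net*",
    "*Windows Group Discovery Via Net*",
    "*Windows System Network Config Discovery Display DNS*",
]


@dataclass(frozen=True)
class RiskEvent:
    """One Risk.All_Risk row as the tstats search sees it (field names shortened)."""
    time: int              # _time (epoch seconds)
    risk_object: str       # All_Risk.risk_object
    risk_object_type: str  # All_Risk.risk_object_type
    score: float           # All_Risk.calculated_risk_score
    source: str            # name of the detection that wrote the risk event
    tactic: str            # All_Risk.annotations.mitre_attack.mitre_tactic
    tactic_id: str         # All_Risk.annotations.mitre_attack.mitre_tactic_id
    technique_id: str      # All_Risk.annotations.mitre_attack.mitre_technique_id
    tags: tuple            # All_Risk.tag


def _ev(t, host, score, source, tactic, tactic_id, technique_id):
    """Helper to keep the constructed sample readable."""
    return RiskEvent(t, host, "system", score, source, tactic, tactic_id,
                     technique_id, (tactic.lower().replace(" ", "_"),))


# Constructed sample risk events (not real telemetry). Host WIN10-FINANCE-01
# accumulates four distinct Discovery detections (one of them fired twice),
# one Defense Evasion detection, and one event from a detection outside the
# search's source list. Host WIN10-HR-07 only has two contributing detections.
SAMPLE_EVENTS = [
    _ev(1700000000, "WIN10-FINANCE-01", 10, "ESCU - Network Connection Discovery With Arp - Rule", "Discovery", "TA0007", "T1049"),
    _ev(1700000060, "WIN10-FINANCE-01", 10, "ESCU - Windows User Discovery Via Net - Rule", "Discovery", "TA0007", "T1087.001"),
    _ev(1700000120, "WIN10-FINANCE-01", 10, "ESCU - Windows Group Discovery Via Net - Rule", "Discovery", "TA0007", "T1069.001"),
    _ev(1700000180, "WIN10-FINANCE-01", 10, "ESCU - Windows System Network Config Discovery Display DNS - Rule", "Discovery", "TA0007", "T1016"),
    _ev(1700000240, "WIN10-FINANCE-01", 10, "ESCU - Windows User Discovery Via Net - Rule", "Discovery", "TA0007", "T1087.001"),
    _ev(1700000300, "WIN10-FINANCE-01", 25, "ESCU - Disabling Firewall with Netsh - Rule", "Defense Evasion", "TA0005", "T1562.004"),
    _ev(1700000360, "WIN10-FINANCE-01", 40, "ESCU - Unrelated Detection - Rule", "Execution", "TA0002", "T1059"),
    _ev(1700000420, "WIN10-HR-07", 10, "ESCU - Windows User Discovery Via Net - Rule", "Discovery", "TA0007", "T1087.001"),
    _ev(1700000480, "WIN10-HR-07", 10, "ESCU - Network Connection Discovery With Arp - Rule", "Discovery", "TA0007", "T1049"),
]


def matches_story_sources(source: str) -> bool:
    """Emulate `where source IN ("*A*", "*B*", ...)` (glob wildcards, case-insensitive)."""
    s = source.lower()
    return any(fnmatchcase(s, pat.lower()) for pat in SOURCE_PATTERNS)


def aggregate_risk(events, min_sources=4):
    """Group by (risk_object, risk_object_type, mitre_tactic) like the `by`
    clause, compute the same aggregates as the tstats stage, and keep only
    groups with source_count >= min_sources (the `where source_count >= 4`)."""
    groups = defaultdict(list)
    for ev in events:
        if matches_story_sources(ev.source):
            groups[(ev.risk_object, ev.risk_object_type, ev.tactic)].append(ev)

    results = []
    for (obj, obj_type, tactic), evs in groups.items():
        sources = {ev.source for ev in evs}          # values(source) / dc(source)
        if len(sources) < min_sources:
            continue
        techniques = {ev.technique_id for ev in evs}
        tactic_ids = {ev.tactic_id for ev in evs}
        results.append({
            "risk_object": obj,
            "risk_object_type": obj_type,
            "mitre_tactic": tactic,
            "firstTime": min(ev.time for ev in evs),
            "lastTime": max(ev.time for ev in evs),
            "risk_score": sum(ev.score for ev in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": sorted(tactic_ids),
            "mitre_tactic_id_count": len(tactic_ids),
            "mitre_technique_id": sorted(techniques),
            "mitre_technique_id_count": len(techniques),
            "tag": sorted({t for ev in evs for t in ev.tags}),
            "source": sorted(sources),
            "source_count": len(sources),
        })
    return sorted(results, key=lambda r: (r["risk_object"], r["mitre_tactic"]))


if __name__ == "__main__":
    for row in aggregate_risk(SAMPLE_EVENTS):
        print(f'{row["risk_object"]} [{row["mitre_tactic"]}]: {row["source_count"]} sources, '
              f'{row["risk_event_count"]} events, score {row["risk_score"]}')
```

Two things the model makes visible: because mitre_tactic is part of the `by` clause, a host's Defense Evasion event sits in a different bucket from its Discovery events and does not count toward that bucket's threshold, and a detection firing repeatedly raises risk_event_count and risk_score but not source_count, so noise from one rule alone cannot trip the alert. Changing `min_sources` corresponds to editing the `where source_count >= 4` stage.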

Detections

Name | Technique | Type
Reg exe used to hide files directories via registry keys | Hidden Files and Directories | TTP
Remote Registry Key modifications | None | TTP
Windows DLL Search Order Hijacking Hunt | DLL Search Order Hijacking | Hunting
Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP
CSC Net On The Fly Compilation | Compile After Delivery | Hunting
Disable Registry Tool | Modify Registry, Disable or Modify Tools | TTP
Disable Security Logs Using MiniNt Registry | Modify Registry | TTP
Disable Show Hidden Files | Modify Registry, Disable or Modify Tools, Hidden Files and Directories | Anomaly
Disable UAC Remote Restriction | Bypass User Account Control | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Disable Windows SmartScreen Protection | Disable or Modify Tools | TTP
Disabling CMD Application | Modify Registry, Disable or Modify Tools | TTP
Disabling ControlPanel | Modify Registry, Disable or Modify Tools | TTP
Disabling Firewall with Netsh | Disable or Modify Tools | Anomaly
Disabling FolderOptions Windows Feature | Disable or Modify Tools | TTP
Disabling NoRun Windows App | Modify Registry, Disable or Modify Tools | TTP
Disabling Remote User Account Control | Bypass User Account Control | TTP
Disabling SystemRestore In Registry | Inhibit System Recovery | TTP
Disabling Task Manager | Disable or Modify Tools | TTP
Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP
Eventvwr UAC Bypass | Bypass User Account Control | TTP
Excessive number of service control start as disabled | Disable or Modify Tools | Anomaly
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
FodHelper UAC Bypass | Modify Registry, Bypass User Account Control | TTP
Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification | TTP
NET Profiler UAC bypass | Bypass User Account Control | TTP
Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP
Sdclt UAC Bypass | Bypass User Account Control | TTP
SilentCleanup UAC Bypass | Bypass User Account Control | TTP
SLUI RunAs Elevated | Bypass User Account Control | TTP
SLUI Spawning a Process | Bypass User Account Control | TTP
Suspicious Reg exe Process | Modify Registry | Anomaly
UAC Bypass MMC Load Unsigned Dll | MMC, Bypass User Account Control | TTP
Windows Alternate DataStream - Base64 Content | NTFS File Attributes | TTP
Windows Alternate DataStream - Executable Content | NTFS File Attributes | TTP
Windows Alternate DataStream - Process Execution | NTFS File Attributes | TTP
Windows Command and Scripting Interpreter Hunting Path Traversal | Command and Scripting Interpreter | Hunting
Windows Command and Scripting Interpreter Path Traversal Exec | Command and Scripting Interpreter | TTP
Windows Defender Exclusion Registry Entry | Disable or Modify Tools | TTP
Windows Disable Change Password Through Registry | Modify Registry | Anomaly
Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly
Windows Disable Notification Center | Modify Registry | Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging | IIS Components, Disable Windows Event Logging | TTP
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP
Windows DISM Remove Defender | Disable or Modify Tools | TTP
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking | Hunting
Windows DLL Search Order Hijacking with iscsicpl | DLL Search Order Hijacking | TTP
Windows Event For Service Disabled | Disable or Modify Tools | Hunting
Windows Excessive Disabled Services Event | Disable or Modify Tools | TTP
Windows Hide Notification Features Through Registry | Modify Registry | Anomaly
Windows Impair Defense Change Win Defender Health Check Intervals | Disable or Modify Tools | TTP
Windows Impair Defense Change Win Defender Quick Scan Interval | Disable or Modify Tools | TTP
Windows Impair Defense Change Win Defender Throttle Rate | Disable or Modify Tools | TTP
Windows Impair Defense Change Win Defender Tracing Level | Disable or Modify Tools | TTP
Windows Impair Defense Configure App Install Control | Disable or Modify Tools | TTP
Windows Impair Defense Define Win Defender Threat Action | Disable or Modify Tools | TTP
Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools | Hunting
Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools | Anomaly
Windows Impair Defense Disable Controlled Folder Access | Disable or Modify Tools | TTP
Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools | TTP
Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools | TTP
Windows Impair Defense Disable PUA Protection | Disable or Modify Tools | TTP
Windows Impair Defense Disable Realtime Signature Delivery | Disable or Modify Tools | TTP
Windows Impair Defense Disable Web Evaluation | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender App Guard | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Compute File Hashes | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Gen reports | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Report Infection | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Scan On Update | Disable or Modify Tools | TTP
Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools | TTP
Windows Impair Defense Overide Win Defender Phishing Filter | Disable or Modify Tools | TTP
Windows Impair Defense Override SmartScreen Prompt | Disable or Modify Tools | TTP
Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Disable or Modify Tools | TTP
Windows Impair Defenses Disable Auto Logger Session | Disable or Modify Tools | Anomaly
Windows Impair Defenses Disable HVCI | Disable or Modify Tools | TTP
Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools | Anomaly
Windows Known Abused DLL Created | DLL Search Order Hijacking, DLL Side-Loading | Anomaly
Windows Known Abused DLL Loaded Suspiciously | DLL Search Order Hijacking, DLL Side-Loading | TTP
Windows LOLBAS Executed As Renamed File | Rename System Utilities, Rundll32 | TTP
Windows LOLBAS Executed Outside Expected Path | Match Legitimate Name or Location, Rundll32 | TTP
Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP
Windows Parent PID Spoofing with Explorer | Parent PID Spoofing | TTP
Windows PowerShell Disable HTTP Logging | IIS Components, Disable Windows Event Logging | TTP
Windows Process With NamedPipe CommandLine | Process Injection | Anomaly
Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution | TTP
Windows Registry Dotnet ETW Disabled Via ENV Variable | Indicator Blocking | TTP
Windows UAC Bypass Suspicious Child Process | Bypass User Account Control | TTP
Windows UAC Bypass Suspicious Escalation Behavior | Bypass User Account Control | TTP
WSReset UAC Bypass | Bypass User Account Control | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 15 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7040 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 2