Try in Splunk Security Cloud

Description

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious reg.exe processes, files hidden with attrib.exe and disabling user-account control, among many others

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2018-05-31
  • Author: David Dorsey, Splunk
  • ID: 56e24a28-5003-4047-b2db-e8f3c4618064

Narrative

Defense evasion is a tactic–identified in the MITRE ATT&CK framework–that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.

Detections

Name Technique Type
Disable Registry Tool Disable or Modify Tools TTP
Disable Show Hidden Files Hidden Files and Directories, Disable or Modify Tools TTP
Disable Windows Behavior Monitoring Disable or Modify Tools TTP
Disable Windows SmartScreen Protection Disable or Modify Tools TTP
Disabling CMD Application Disable or Modify Tools TTP
Disabling ControlPanel Disable or Modify Tools TTP
Disabling Firewall with Netsh Disable or Modify Tools TTP
Disabling FolderOptions Windows Feature Disable or Modify Tools TTP
Disabling NoRun Windows App Disable or Modify Tools TTP
Disabling Remote User Account Control Bypass User Account Control TTP
Disabling SystemRestore In Registry Disable or Modify Tools TTP
Disabling Task Manager Disable or Modify Tools TTP
Eventvwr UAC Bypass Bypass User Account Control TTP
Excessive number of service control start as disabled Disable or Modify Tools Anomaly
FodHelper UAC Bypass Modify Registry, Bypass User Account Control TTP
Hiding Files And Directories With Attrib exe Windows File and Directory Permissions Modification TTP
NET Profiler UAC bypass Bypass User Account Control TTP
SLUI RunAs Elevated Bypass User Account Control TTP
SLUI Spawning a Process Bypass User Account Control TTP
Sdclt UAC Bypass Bypass User Account Control TTP
SilentCleanup UAC Bypass Bypass User Account Control TTP
Suspicious Reg exe Process Modify Registry TTP
System Process Running from Unexpected Location Masquerading Anomaly
UAC Bypass MMC Load Unsigned Dll Bypass User Account Control TTP
WSReset UAC Bypass Bypass User Account Control TTP
Windows DisableAntiSpyware Registry Disable or Modify Tools TTP

Reference

source | version: 1

You May Also Enjoy