Try in Splunk Security Cloud
Description
Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious reg.exe processes, files hidden with attrib.exe and disabling user-account control, among many others
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2018-05-31
- Author: David Dorsey, Splunk
- ID: 56e24a28-5003-4047-b2db-e8f3c4618064
Narrative
Defense evasion is a tactic–identified in the MITRE ATT&CK framework–that adversaries employ in a variety of ways to bypass or defeat defensive security measures. There are many techniques enumerated by the MITRE ATT&CK framework that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.
Detections
| Name |
Technique |
Type |
| Reg exe used to hide files directories via registry keys |
Hidden Files and Directories |
TTP |
| Remote Registry Key modifications |
None |
TTP |
| Add or Set Windows Defender Exclusion |
Disable or Modify Tools, Impair Defenses |
TTP |
| CSC Net On The Fly Compilation |
Compile After Delivery, Obfuscated Files or Information |
Hunting |
| Disable Registry Tool |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Security Logs Using MiniNt Registry |
Modify Registry |
TTP |
| Disable Show Hidden Files |
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses |
TTP |
| Disable UAC Remote Restriction |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Disable Windows Behavior Monitoring |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disable Windows SmartScreen Protection |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling CMD Application |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling ControlPanel |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling Firewall with Netsh |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling FolderOptions Windows Feature |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling NoRun Windows App |
Disable or Modify Tools, Impair Defenses |
TTP |
| Disabling Remote User Account Control |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Disabling SystemRestore In Registry |
Inhibit System Recovery |
TTP |
| Disabling Task Manager |
Disable or Modify Tools, Impair Defenses |
TTP |
| Eventvwr UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Excessive number of service control start as disabled |
Disable or Modify Tools, Impair Defenses |
Anomaly |
| Firewall Allowed Program Enable |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
| FodHelper UAC Bypass |
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Hiding Files And Directories With Attrib exe |
File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
| NET Profiler UAC bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Powershell Windows Defender Exclusion Commands |
Disable or Modify Tools, Impair Defenses |
TTP |
| Sdclt UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| SilentCleanup UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| SLUI RunAs Elevated |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| SLUI Spawning a Process |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Suspicious Reg exe Process |
Modify Registry |
TTP |
| UAC Bypass MMC Load Unsigned Dll |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| Windows Defender Exclusion Registry Entry |
Disable or Modify Tools, Impair Defenses |
TTP |
| Windows Disable Change Password Through Registry |
Modify Registry |
Anomaly |
| Windows Disable Lock Workstation Feature Through Registry |
Modify Registry |
Anomaly |
| Windows Disable Notification Center |
Modify Registry |
Anomaly |
| Windows Disable Windows Group Policy Features Through Registry |
Modify Registry |
Anomaly |
| Windows DisableAntiSpyware Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
| Windows DISM Remove Defender |
Disable or Modify Tools, Impair Defenses |
TTP |
| Windows Event For Service Disabled |
Disable or Modify Tools, Impair Defenses |
Hunting |
| Windows Excessive Disabled Services Event |
Disable or Modify Tools, Impair Defenses |
TTP |
| Windows Hide Notification Features Through Registry |
Modify Registry |
Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry |
Modify Registry |
TTP |
| Windows Process With NamedPipe CommandLine |
Process Injection |
Anomaly |
| Windows Rasautou DLL Execution |
Dynamic-link Library Injection, Signed Binary Proxy Execution, Process Injection |
TTP |
| WSReset UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Reference
source | version: 1