Description

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious reg.exe processes, files hidden with attrib.exe and the disabling of User Account Control, among many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change, Endpoint, Risk, Web
  • Last Updated: 2018-05-31
  • Author: David Dorsey, Splunk
  • ID: 56e24a28-5003-4047-b2db-e8f3c4618064

Narrative

Defense evasion is a tactic, identified in the MITRE ATT&CK framework, that adversaries employ in a variety of ways to bypass or defeat defensive security measures. The MITRE ATT&CK framework enumerates many techniques that are applicable in this context. This Analytic Story includes searches designed to identify the use of such techniques on Windows platforms.

Detections

Name | Technique | Type
Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP
CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Hunting
Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP
Disable Security Logs Using MiniNt Registry | Modify Registry | TTP
Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Anomaly
Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP
Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP
Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP
Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | Anomaly
Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP
Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP
Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Disabling SystemRestore In Registry | Inhibit System Recovery | TTP
Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP
Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Excessive number of service control start as disabled | Disable or Modify Tools, Impair Defenses | Anomaly
Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Anomaly
FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP
NET Profiler UAC bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Powershell Windows Defender Exclusion Commands | Disable or Modify Tools, Impair Defenses | TTP
Reg exe used to hide files directories via registry keys | Hidden Files and Directories | TTP
Remote Registry Key modifications | | TTP
SLUI RunAs Elevated | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
SLUI Spawning a Process | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Sdclt UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
SilentCleanup UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Suspicious Reg exe Process | Modify Registry | Anomaly
System Process Running from Unexpected Location | Masquerading | Anomaly
UAC Bypass MMC Load Unsigned Dll | Bypass User Account Control, Abuse Elevation Control Mechanism, MMC | TTP
WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Windows Command and Scripting Interpreter Hunting Path Traversal | Command and Scripting Interpreter | Hunting
Windows Command and Scripting Interpreter Path Traversal Exec | Command and Scripting Interpreter | TTP
Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation
Windows DISM Remove Defender | Disable or Modify Tools, Impair Defenses | TTP
Windows DLL Search Order Hijacking Hunt | DLL Search Order Hijacking, Hijack Execution Flow | Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking, Hijack Execution Flow | Hunting
Windows DLL Search Order Hijacking with iscsicpl | DLL Search Order Hijacking | TTP
Windows Defender Exclusion Registry Entry | Disable or Modify Tools, Impair Defenses | TTP
Windows Disable Change Password Through Registry | Modify Registry | Anomaly
Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly
Windows Disable Notification Center | Modify Registry | Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging | Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components | TTP
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP
Windows Event For Service Disabled | Disable or Modify Tools, Impair Defenses | Hunting
Windows Excessive Disabled Services Event | Disable or Modify Tools, Impair Defenses | TTP
Windows Hide Notification Features Through Registry | Modify Registry | Anomaly
Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools, Impair Defenses | Hunting
Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools, Impair Defenses | Anomaly
Windows Impair Defenses Disable HVCI | Disable or Modify Tools, Impair Defenses | TTP
Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools, Impair Defenses | Anomaly
Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP
Windows PowerShell Disable HTTP Logging | Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components | TTP
Windows Process With NamedPipe CommandLine | Process Injection | Anomaly
Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | TTP

Reference

source | version: 1