Skip to content

Latest commit

 

History

History
82 lines (50 loc) · 3.42 KB

T1562-WIN-001.md

File metadata and controls

82 lines (50 loc) · 3.42 KB
Raw

Note: You are viewing an old, archived version of this content. The latest version is available in the 'main' branch.

T1562.001 - Impair Defenses: Disable or Modify Tools

Hunt Tags

ID: T1562-WIN-001

Last Modified: 12/03/2021

Author: FalconForce

License: BSD 3-Clause License

References: Link to medium post

ATT&CK Tags

Tactic: Defense Evasion

Technique: Impair Defenses: Disable or Modify Tools (T1562.001)

Technical description of the attack

Some attackers disabled the local security solution installed of their victim in order to get their implant to work. Although more sophisticated attackers usually avoid such actions, it still happens a lot in the wild. This detection is aimed at finding sloppy attackers that disable Defender AV using a few very common ways. This detection is aimed to be a early indicator of malicious activity.

Permission required to execute the technique

Administrator

Detection description

The detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying purposes. Note that this detection is imperfect and only meant to serve as basis to build a more resilient detection rule. See the Improvements section below on which improvements we recommend you to implement.

Utilized Data Source

Event ID Event Name Log Provider ATT&CK Data Source
- DeviceProcessEvents MDE Process monitoring

Hunt details

KQL

FP Rate: Low

Source: MDE

Description: See above

Query:

let defendertampering=dynamic(["Set-MpPreference -DisableRealtimeMonitoring $true","sc stop WinDefend","sc delete WinDefend","Set-MpPreference -DisableBehaviorMonitoring $true","Set-MpPreference -ExclusionProcess", "Set-MpPreference -ExclusionExtension dll","net stop security center"]);
DeviceProcessEvents
| where ProcessCommandLine has_any (defendertampering)
// If you have a lot of FPs coming from JetBrains, you can use the line below 
//| where InitiatingProcessFolderPath !startswith @"c:\program files\jetbrains\" and InitiatingProcessVersionInfoProductName !~ ("Android Studio")

Considerations

  • Some software behaves weirdly, we've at least identified that JetBrains and Android Studio are behaving oddly. Not sure why, yet. Perhaps I should stop using JetBrains?
  • Make the detection more resilient, currently the order of parameters matters. You don't want that for a production rule. See blogpost for more resilience considerations.
  • The current approach can easily be bypassed by not using the powershell.exe executable. Consider adding more ways to detect this behavior.

False Positives

  • So far, we've only observed JetBrains software and Android Studio.

Detection Blind Spots

  • Usage of System.Management.Automation.dll for running powershell
  • Modifying registry keys directly, without using powershell/cmd.
  • Use of Win32 APIs to manipulate the services and setting of Defender AV.

References