SECURITY

AppLocker Rules as Defense Evasion: Complete Analysis

Microsoft continues to develop, update and improve features to monitor and prevent the execution of malicious code on the Windows opearting system. One of these features is AppLocker. This feature advances the functionality of software restriction policies and  enables administrators to create rules to allow or deny applications from running based on their unique identities (e.g., files) and to specify which users or groups can run those applications.

AppLocker has the ability to control the execution of executables (“.exe” and “.com”), scripts (“.js”, “ps1”, “vbs”, “.cmd” and “.bat”), windows installer (“.msi, “.mst”, “.msp”), dll modules, packaged apps, and app installer.

This software restriction policy may be abused by adversaries, like the “Azorult loader,” a payload that imports its own AppLocker policy to deny the execution of several antivirus components as part of its defense evasion.

In this blog, the Splunk Threat Research Team will do a deep dive analysis on “Azorult loader” and its several components to understand tactics and techniques that may help SOC analysts and blue teamers defend against these types of threats.

(For a larger resolution of this diagram visit this link)

Azorult Loader

Azorult loader is a classic “Trojan Horse” that contains several components including the Azorult malware itself and additional embedded files to enable remote access and data collection. This loader is an autoit compiled executable that contains a self-extracting stream in its resource sections along with several files.

Defense Evasion

Azorult implements a hardcoded sandbox evasion checklist: It looks for specific usernames, files on the desktop, hostnames and processes running on the targeted host. If identified, it will exit. It will also terminate its execution if the OS version of the compromised host is “winxp”.

 

Username

Computername

Files in Desktop

Processes

Peter Wilson

Acme

BOBSPC

Johnson

John

John Doe

Rivest

mw

me

sys

Apiary

STRAZNJICA.GRUBUTT

Phil

Customer

shimamu

RALPHS-PC

ABC-WIN7

man-PC

luser-PC

Klone-PC

tpt-PC

BOBSPC

WillCarter-PC

PETER-PC

David-PC

ART-PC

TOM-PC


@DesktopDir +\secret.txt


@DesktopDir + \my.txt


@DesktopDir +\report.odt


@DesktopDir +\report.rtf


@DesktopDir + \Incidents.pptx


Joeboxcontrol.exe

Joeboxserver.exe

Frida-winjector-helper-32.exe

analyzer.exe

 

 

If the “msseces.exe” process is running, it will try to uninstall the “Microsoft Security Client” by using the wmic.exe command shown below.


C:\Windows\System32\wbem\wmic.exe product where name="Microsoft Security Client" call uninstall /nointeractive

It will also disable several registry keys related to the Windows Defender application feature and other AV products to evade their detections. Figures 1.1 and 1.2 shows screenshots of the autoit script code that modifies those registry values.

Figure 1.1

Figure 1.2

It will also try to stop, delete and even modify the configuration of some services as part of its execution and disable antivirus products. Figure 2 shows the code list of those services.

Figure 2

It will attempt to block SMB ports  (445, 139 and update the firewall configuration to allow its dropped malicious files to perform network connections. Figure 3 shows the netsh command that modifies firewall rules.

Figure 3

Using the attrib and icacls Windows binaries, it will set the hidden attribute and a deny permission access on several AV product installation root folders like what we see in Figures 4 and 5.

Figure 4

Figure 5

First Stage Drop Files

The loader will drop files as seen in Figure 6. The “temp.bat” is a cleanup batch file that will delete some of the dropped files and add a hidden attribute on the created directory C:\Programdata\Windows. The “clean.bat” is responsible for killing malwarebytes “mbamservice.exe” process, stopping or deleting more services related to AV products and coin miners like “MinerGate”.

Figure 6

The “H.bat” is responsible for blocking AV, coin miner and some GitHub websites by redirecting it to the local host IP address of the compromised host by adding an entry to the “%SystemRoot%\System32\drivers\etc\hosts”. Figure 7 shows some of the url links it tries to block and how it adds the entry to the hosts file.

Figure 7

The file “5.xml” is one of the most interesting parts of this malware. It contains AppLocker rules designed for defense evasion. This paper will explore the topic further specifically when we break down the components that try to import this rule. The “ink.exe” is the actual Azorult malware. Figure 8.1 shows the strings command used to parse the browser database to collect sensitive information like credentials.

Figure 8.1

Figure 8.2 shows how it parses and steals the telegram, skype, and bitcoin wallet information stored on the target host and sends it to its C2 server.

Figure 8.2

Drop file - Wini.exe

One of the executables dropped is named wini.exe. This is a self extracting archive (sfx). An archive that has been combined with an executable module, allowing Windows users to extract the archive's files without a decompression program. Threat actors take advantage of this file type because it protects their malware with a password, which helps it evade sandboxes or emulation without it.

Figure 9 shows how the password prompt when executed without the password.

Figure 9

Digging into the loader autoit script, the code below is the actual command line and password that execute this sfx file.

Run("C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui")

Wini.exe will drop the RMS radmin tool name as “rfusclient.exe” and “rutserv.exe”. Then, to install this tool, it will also drop “install.vbs'' that will execute another drop file “install.bat” that will disable Windows Defender application, set the registries of the “Remote Manipulator System” (RMS) tool (“reg1.reg” and “reg2.reg”), execute the RMS server rutserver.exe and configure its services.

Figure 10 shows the registry written in reg1.reg files related to the RMS tool and Figure 11 which is the code of install.bat.

Figure 10

Figure 11

It will also drop another executable named “winit.exe”.  This is an autoit compiled binary responsible for gathering information on the compromised host like what AV was installed, OS version, video adapter and much more. After collecting the data, it will try to send it via SMTP or via email to a specific email and body format. It will also execute “del.bat” which will delete itself. 

Figures 12.1 and 12.2 show the code of this executable and how it builds the body of its email that will be sent to a specific email address.

Figure 12.1

Figure 12.2 Drop file - Cheat.exe

Both cheat.exe and wini.exe are sfx files that are password protected with the password "naxui". One of its drop files is the “P.exe” that will drop and execute “1.exe” which is a copy of WebBrowserPassView.exe tool. WebBrowserPassView.exe is a Nirsoft tool for parsing credentials like passwords in browsers. The other drop file of cheat.exe is the  “taskhost.exe” which will execute the “P.exe”, “R8.exe” and the “taskhostw.exe”. It will also install the “OpenCL.dll” component of Khronos OpenCl ICD loader that allows users to build applications against specific OpenCL implementations.

The taskhost.exe will also create a scheduled task as a persistence mechanism for its drop file “taskhostw.exe” and “winlogon.exe”. taskhost.exe will also download files from a specific FTP server (109.248.203.81), save them as c:\programdata\windowstask\temp.exe, decrypt them and execute it. Unfortunately, the FTP server is inaccessible as of writing.

Figure 13 shows how it sets up the connection to the FTP client and tries to parse the credentials in several URL links.

Figure 13

The “winlogon.exe” is another autoit compiled file that looks for scheduled tasks containing “KMSAutoNet”, “KMS” and “KMSAuto”. Figure 14 shows how to list all the scheduled tasks using the “/query list” command and look for it using regex.

Figure 14

Cheat.exe also drops another executable called “winlog.exe,” which then subsequently drops “winlogon.exe” in C:\ProgramData\Microsoft\Intel. C:\ProgramData\Microsoft\Intel\winlogon.exe is a PowerShell script converted to an executable file that will execute a PowerShell command to import the AppLocker policy drop by the actual loader name as “5.xml”.

Figure 15 shows the code snippet of the AppLocker rule policy that applies to deny actions on several antivirus products.

Figure 15

Below is the powershell command it uses to import this AppLocker policy.

“Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml”

The XML is well formatted and as soon as we import it to the AppLocker rule set, as seen in Figure 16, the antivirus products that try to have a deny action policy are seen clearly.

Figure 16

As mentioned by Grzegorz Tworek, Applocker cannot block nor log processes with NT AUTHORITY\SERVICE present in the token which most AV engines use for their prevention component. However, AV engines also include components that run with less privileges focused on alerting and notifying users about events identified by the engine. Azorult would only prevent these components from running using its dropped Applocker policy.

Finally, the last droped file is “R8.exe”, another SFX file, which will decompress “db.rar” that contains “install.vbs”, that will execute ”bat.bat” to create a hidden special user account name as “John”, enable RDP connections, execute “RDPWinst.exe” that enables Remote Desktop Host support and concurrent RDP sessions on reduced functionality systems, create local group user, set non-expiring password using “net accounts /maxpwage:unlimited”, set hidden attribute and delete itself. 

Figure 17 shows the code snippet of bat.bat file.

Figure 17

Detections

Below are the existing and new (STRT) detections developed to detect tactics and techniques of this malware.

Windows Applications Layer Protocol RMS Radmin Tool Namedpipe

This analytic identifies the use of default or publicly known named pipes used with RMX remote admin tool:

`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*") 
  | stats  min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName Computer UserID
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)`
  | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`

 

Windows Gather Victim Network Info Through IP Check Web Services

This analytic identifies a process that tries to connect to known IP web services:

`sysmon` EventCode=22  QueryName IN ("*wtfismyip.com", "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", 
  "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org",
  "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*") 
  |  stats  min(_time) as firstTime max(_time) as lastTime count by  Image ProcessId QueryName QueryStatus QueryResults Computer EventCode 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_gather_victim_network_info_through_ip_check_web_services_filter`

Windows Impair Defense Add XML AppLocker Rules

This analytic identifies a process that imports AppLocker XML rules using PowerShell commandlet:

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where (Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) AND Processes.process="*Import-Module Applocker*" AND Processes.process="*Set-AppLockerPolicy *"  AND Processes.process="* -XMLPolicy *"
  by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)`
  | `windows_impair_defense_add_xml_applocker_rules_filter`

Windows Impair Defense Deny Security Software With AppLocker

This analytic identifies a modification in the Windows registry by the AppLocker application that contains details or registry data values related to denying the execution of several Security products:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*" AND Registry.registry_path= "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*")
  OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*"
  AND Registry.registry_value_data = "*Action\=\"Deny\"*" 
  AND Registry.registry_value_data IN("*O=SYMANTEC*","*O=MCAFEE*","*O=KASPERSKY*","*O=BLEEPING COMPUTER*", "*O=PANDA SECURITY*","*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=AVAST*", "*O=GRIDINSOFT*", "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=DOCTOR WEB*", "*O=MALWAREBYTES*", "*O=ESET*", "*O=AVIRA*", "*O=WEBROOT*")
  by  Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_impair_defense_deny_security_software_with_applocker_filter`

Windows Powershell Import AppLocker Policy

This analytic identifies a process that imports AppLocker XML rules using powershell commandlet:

`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *"
  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_powershell_import_applocker_policy_filter`

Windows Remote Access Software RMS Registry

This analytic identifies a modification or creation of Windows registry related to Remote Manipulator System (RMS) Remote Admin tool:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_remote_access_software_rms_registry_filter`

 

Windows Valid Account With Never Expires Password

This analytic identifies processes that update user account policies for password requirements with non-expiring password:

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") 
  AND Processes.process="* accounts *" AND Processes.process="* /maxpwage:unlimited" 
  by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_valid_account_with_never_expires_password_filter`

Windows Modify Registry Disable Toast Notifications

This analytic detects a modification in the Windows registry to disable toast notifications:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_disable_toast_notifications_filter`

Windows Modify Registry Disable Windows Security Center Notif

This analytic detects a modification in the Windows registry  to disable Windows center notifications:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_disable_windows_security_center_notif_filter`

Windows Modify Registry Suppress Win Defender Notif

This analytic detects a modification in the Windows registry  to suppress Windows Defender notification:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_suppress_win_defender_notif_filter`

 

Windows Remote Services Allow RDP in Firewall

This analytic detects a modification in the Windows firewall  to enable remote desktop protocol on a targeted machine:

| tstats `security_content_summariesonly` values(Processes.process) as cmdline
  values(Processes.parent_process_name) as parent_process values(Processes.process_name)
  count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" 
  AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*"
  by Processes.dest Processes.user Processes.parent_process Processes.process_name
  Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_remote_services_allow_rdp_in_firewall_filter`

Windows Remote Services Allow Remote Assistance

This analytic identifies a modification in the Windows registry to enable remote desktop assistance on a targeted machine:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_remote_services_allow_remote_assistance_filter`

Windows Remote Services RDP Enable

This analytic detects a modification in the Windows registry to enable remote desktop protocol on a targeted machine:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_remote_services_rdp_enable_filter` 

Windows Service Stop by Deletion

This analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service:

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process Processes.process_name
  Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_service_stop_by_deletion_filter` 

Windows Modify Registry Disable Win Defender Raw Write Notif

This analytic detects a modification in the Windows registry  to disable Windows Defender raw write notification feature:  

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`

Windows Modify Registry Disabling WER Settings

This analytic identifies a modification in the Windows registry  to disable Windows error reporting settings:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_modify_registry_disabling_wer_settings_filter`

Windows Modify Registry DisAllow Windows App

This analytic detects a modification in the Windows registry  to prevent users running specific computer programs that could aid them in manually removing malware or detecting it using security products:

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry 
  where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" Registry.registry_value_data="0x00000001" 
  by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest 
  | `drop_dm_object_name(Registry)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_disallow_windows_app_filter`


Windows Modify Registry Regedit Silent Reg Import

This analytic identifies possible modifications of Windows registry using regedit.exe application with silent mode parameter:

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where (Processes.process_name="regedit.exe" OR Processes.original_file_name="regedit.exe") 
  AND Processes.process="* /s *" AND Processes.process="*.reg*" 
  by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_modify_registry_regedit_silent_reg_import_filter`

Windows Remote Service RDPWinst Tool Execution

This analytic identifies the process of "RDPWInst.exe" tool which is a RDP wrapper library tool designed to enable remote  desktop host support and concurrent RDP session on reduced functionality:

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where (Processes.process_name="RDPWInst.exe" OR Processes.original_file_name="RDPWInst.exe") 
  AND Processes.process IN ("* -i*", "* -s*", "* -o*", "* -w*", "* -r*")
  by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 
  | `windows_remote_service_rdpwinst_tool_execution_filter`

 

Type Name Technique ID Tactic Description

TTP

Attempt To Stop Security Service

T1562.001

Defense Evasion

This search looks for attempts to stop security-related services on the endpoint.

TTP

CHCP Command Execution

T1059

Execution

This search is to detect the execution of chcp.exe application

Hunting

cmd_carry_out_string_command_parameter

T1059.003

Execution

This analytic identifies command-line arguments where cmd.exe /c is used to execute a program.

TTP

Create local admin accounts using net exe

T1136.001

Persistence

This search looks for the creation of local administrator accounts using net.exe

TTP

Detect Use of cmd exe to Launch Script Interpreters

T1059.003

Execution

This search looks for the execution of the cscript.exe or wscript.exe processes, with a parent of cmd.exe.

Anomaly

Excessive Attempt To Disable Services

T1489

Impact

This analytic will identify suspicious series of command-line to disable several services.

Anomaly

Excessive Usage Of Cacls App

T1222

Defense Evasion

This analytic identifies excessive usage of cacls.exe, xcacls.exe, or icacls.exe applications to change file or folder permission.

Anomaly

Excessive Usage Of Net App

T1531

Impact

This analytic identifies excessive usage of net.exe or net1.exe

Anomaly

Excessive Usage Of SC Service Utility

T1569.002

Execution

This search is to detect a suspicious excessive usage of sc.exe in a host machine. 

Anomaly

Excessive Usage Of Taskkill

T1562.001

Defense Evasion

This analytic identifies excessive usage of taskkill.exe application. 

TTP

Executables Or Script Creation In Suspicious Path

T1036

Defense Evasion

This analytic will identify suspicious executables or scripts (known file extensions) in a list of suspicious file paths in Windows.

Anomaly

Firewall Allowed Program Enable

T1562.004

Defense Evasion

This analytic detects a potential suspicious modification of firewall rule allowing to execution of specific applications.

TTP

Hide User Account From Sign-In Screen

T1562.001

Defense Evasion

This analytic identifies a suspicious registry modification to hide a user account on the Windows Login screen.

TTP

Hiding Files And Directories With Attrib exe

T1222.001

Defense Evasion

Attackers leverage an existing Windows binary, attrib.exe, to mark specific as hidden by using specific flags so that the victim does not see the file.

TTP

Icacls Deny Command

T1222

Defense Evasion

This analytic identifies a potential adversary that changes the security permission of a specific file or directory.

Hunting

Net Localgroup Discovery

T1069.001

Discovery

This hunting analytic will identify the use of localgroup discovery using net localgroup

Hunting

Network Connection Discovery With Net

T1049

Discovery

This analytic looks for the execution of net.exe with command-line arguments utilized to get a listing of network connections on a compromised system.

TTP

Processes launching netsh

T1562.004

Defense Evasion

This search looks for processes launching netsh.exe.

TTP

Sc exe Manipulating Windows Services

T1543.003

Privilege Escalation

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

TTP

Scheduled Task Deleted Or Created via CMD

T1053.005

Execution, Persistence, Privilege Escalation

This analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line. 

Anomaly

Suspicious Scheduled Task from Public Directory

T1053.005

Execution, Persistence, Privilege Escalation

This detection identifies Scheduled Tasks registering (creating a new task) a binary or script to run from a public directory which includes users\public, \programdata\ and \windows\temp

TTP

Allow Operation with Consent Admin

T1548

Execution, Persistence, Privilege Escalation

This registry modification is designed to allow the Consent Admin to perform an operation that requires elevation without consent or credentials.

TTP

Disable Defender Submit Samples Consent Feature

T1562.001

Defense Evasion

This analytic is to detect a suspicious modification of the registry to disable Windows Defender feature.

TTP

Disabling Remote User Account Control

T1548.002

Defense Evasion, Privilege Escalation

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).

TTP

Windows DisableAntiSpyware Registry

T1562.001

Defense Evasion

The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints.

TTP

Disable Show Hidden Files

T1564.001
T1562.001

Defense Evasion

This analytic identifies a modification in the Windows registry to prevent users from seeing all the files with hidden attributes.

Anomaly

Non Firefox Process Access Firefox Profile Dir

T1555.003

Credential Access

This search is to detect an anomaly event of a non-firefox process accessing the files in the profile folder.

TTP

Registry Keys Used For Persistence

T1547.001

Persistence, Privilege Escalation

The search looks for modifications to registry keys that can be used to launch an application or service at system startup.

TTP

Windows Defender Exclusion Registry Entry

T1562.001

Defense Evasion

This analytic will detect a suspicious process that modifies a registry related to Windows Defender exclusion feature.

TTP

Disable Defender BlockAtFirstSeen Feature

T1562.001

Defense Evasion

This analytic is to detect a suspicious modification of the registry to disable Windows Defender feature. 

TTP

Disable Defender Enhanced Notification

T1562.001

Defense Evasion

This technique is to bypass or evade detection from Windows Defender AV product specially the Enhanced Notification feature where user or admin set to show or display alerts.

TTP

Disable Defender Spynet Reporting

T1562.001

Defense Evasion

This technique is to bypass or evade detection from Windows Defender AV products, especially the spynet reporting for its telemetry.

Anomaly

Windows Modify Registry Disable Toast Notifications (New)

T1112

Defense Evasion

This analytic is to identify a modification in the Windows registry

  to disable toast notifications.

Anomaly

Windows Modify Registry Disable Windows Security Center Notif (new)

T1112

Defense Evasion

This analytic identifies a modification in the Windows registry

  to disable Windows center notifications.

Anomaly

Windows Modify Registry Suppress Win Defender Notif (New)

T1112

Defense Evasion

This analytic identifies a modification in the Windows registry

  to suppress Windows Defender notification.

Anomaly

Windows Remote Services Allow Rdp In Firewall (New)

T1021.001

Lateral Movement

This analytic detects a modification in the Windows firewall

  to enable remote desktop protocol on a targeted machine.

Anomaly

Windows Remote Services Allow Remote Assistance (new)

T1021.001

Lateral Movement

This analytic identifies  modifications in the Windows registry

  to enable remote desktop assistance on a targeted machine.

TTP

Windows Service Stop By Deletion(New)

T1489

Impact

This analytic identifies Windows Service Control, `sc.exe`,

  attempting to delete a service.

TTP

Windows Remote Services RDP Enable (new)

T1021.001

Lateral Movement

This analytic detects modifications in the Windows registry

  to enable remote desktop protocol on a targeted machine.

TTP

Windows Application Layer Protocol RMS Radmin Tool Namedpipe(New)

T1071

Command and Control

This analytic identifies the use of default or publicly known named pipes used with RMX remote admin tool. 

TTP

Allow Inbound Traffic By Firewall Rule Registry(Modiffied)

T1021.001

Lateral Movement

This analytic detects a potential suspicious modification of firewall

  rule registry allowing inbound traffic in specific ports with a public profile.

Hunting

Windows Gather Victim Network Info Through Ip Check Web Services (new)

T1590.005

Reconnaissance

This analytic identifies a process that  tries to connect to known IP web services.


Hunting

Windows Impair Defense Add Xml AppLocker Rules(New)

T1562.001

Defense Evasion

This analytic identifies a process that imports AppLocker xml rules using powershell commandlet.

TTP

Windows Impair Defense Deny Security Software With AppLocker(New)

T1562.001

Defense Evasion

This analytic identifies a modification in the Windows registry

  by the AppLocker application that contains details or registry data values related to denying the execution of several Security products. 

TTP

Windows Powershell Import AppLocker Policy(New)

T1562.001

Defense Evasion

This analytic detects a process that imports AppLocker xml rules using powershell commandlet.

TTP

Windows Remote Access Software RMS Registry(New)

T1219

Command and Control

This analytic identifies modification or creation of Windows registry 

  related to the Remote Manipulator System (RMS) Remote Admin tool.

TTP

Windows Valid Account With Never Expires Password(New)

T1489

Impact

This analytic identifies processes that update user account policies for password requirements with a non-expiring password.

Anomaly

Windows Modify Registry Disable Win Defender Raw Write Notif(New)

T1112

Defense Evasion

This analytic identifies a modification in the Windows registry

  to disable Windows Defender raw write notification feature.

TTP

Windows Modify Registry Disabling WER Settings(New)

T1112

Defense Evasion

This analytic detects a modification in the Windows registry

  to disable Windows error reporting settings.

 

Windows Modify Registry DisAllow Windows App(New)

T1112

Defense Evasion

This analytic looks for a modification in the Windows registry

  to prevent users from running specific computer programs that could aid them in manually removing malware or detecting it   using security products.

TTP

Windows Modify Registry Regedit Silent Reg Import(New)

T1112

Defense Evasion

This analytic looks for possible modification of Windows registry 

  using regedit.exe application with silent mode parameter.

TTP

Windows Remote Service RDPWinst Tool Execution(new)

T1021.001

Lateral Movement

This analytic identifies process of "RDPWInst.exe" tool which is a rdp wrapper library tool designed to enable remote 

  desktop host support and concurrent rdp session on reduced functionality system.

 

IOC

 

filename: 5.xml

sha256: 9a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5

filename: cheat.exe

sha256: b80857cd30e6ec64e470480aae3c90f513115163c74bb584fa27adf434075ab2

filename: clean.bat

sha256: 1134b862f4d0ce10466742beb334c06c2386e85acad72725ddb1cecb1871b312

filename: db.rar

sha256: 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

filename: h.bat

sha256: a33af2b70ad8fea8900b6bd31ac7b0aab8a2b8b79e3e27adafbd34bdfcb67549

filename: ink.exe

sha256: 136590cb329a56375d6336b12878e18035412abf44c60bebdaa6c37840840040

filename: Install cheat 1_7.bin

sha256: dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

filename: P.exe

sha256: 8215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b

filename: R8.exe

sha256: 40d4931bbb3234a2e399e2e3e0dcfe4b7b05362c58d549569f2888d5b210ebbd

filename: taskhost.exe

sha256: 892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

filename: temp.bat

sha256: ccf47d036ccfe0c8d0fe2854d14ca21d99be5fa11d0fbb16edcc1d6c10de3512

filename: wini.exe

sha256: 9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

filename: winlog.exe

sha256: 54eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724

filename: cheat_exe\P\1.exe

sha256: 7f11dabe46bf0af8973ce849194a587bd0ba1452e165faf028983f85b2b624c2

filename: cheat_exe\R8\db.rar

sha256: 534e0430f7e8883b352e7cba4fa666d2f574170915caa8601352d5285eee5432

filename: cheat_exe\R8\pause.bat

sha256: 46565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba

filename: cheat_exe\R8\Rar.exe

sha256: 2356220cfa9159b463d762e2833f647a04fa58b4c627fcb4fb1773d199656ab8

filename: cheat_exe\R8\run.vbs

sha256: c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe

filename: cheat_exe\taskhost\opencl.dll

sha256: 7cc0d32b00f4596bf0a193f9929e6c628bc1b9354678327f59db0bd516a0dd6b

filename: cheat_exe\taskhost\taskhostw.exe

sha256: 00cb457c1bf203fdb75da2cb0ba517d177ea5decc071f27f6a5ba3ee7d30da93

filename: cheat_exe\taskhost\taskhostw\winlogon.exe

sha256: 870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

filename: cheat_exe\winlog\winlogon.exe

sha256: dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

filename: wini_exe\install.bat

sha256: e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

filename: wini_exe\install.vbs

sha256: cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

filename: wini_exe\reg1.reg

sha256: 7ae7e4c0155f559f3c31be25d9e129672a88b445af5847746fe0a9aab3e79544

filename: wini_exe\reg2.reg

sha256: 4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

filename: wini_exe\rfusclient.exe

sha256: dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

filename: wini_exe\rutserv.exe

sha256: 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

filename: wini_exe\vp8decoder.dll

sha256: 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

filename: wini_exe\vp8encoder.dll

sha256: 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

filename: wini_exe\winit.exe

sha256: e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

filename: wini_exe\winit\del.bat

sha256: e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

 

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

 

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

 


Credit to author Teoderick Contreras and collaborators Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella, Bhavin Patel, Michael Haag, Mauricio Velazco and Eric McGinnis.

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content