# AppLocker Rules as Defense Evasion: Complete Analysis

**[splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html](https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html)**

By [Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html), August 25, 2022

Microsoft continues to develop, update and improve features that monitor and prevent the execution of malicious code on the Windows operating system. One of these features is [AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview). It extends the functionality of Software Restriction Policies and lets administrators create rules that allow or deny applications based on their identity (publisher signature, path or file hash) and specify which users or groups those rules apply to.

AppLocker can control the execution of executables (.exe and .com), scripts (.js, .ps1, .vbs, .cmd and .bat), Windows Installer files (.msi, .mst and .msp), DLL modules, packaged apps and packaged app installers. Because a policy can contain Deny rules, the feature itself can be abused: the "Azorult loader" analyzed here imports its own AppLocker policy to deny the execution of several antivirus components as part of its defense evasion.

In this blog, the Splunk Threat Research Team does a deep-dive analysis of the Azorult loader and its components to surface the tactics and techniques that may help SOC analysts and blue teamers defend against these types of threats.

_[(For a larger resolution of this diagram visit this link)](https://imgur.com/a/a3Hhd2O)_

## Azorult Loader

Azorult loader is a classic "Trojan horse" that bundles several components: the Azorult malware itself and additional embedded files that enable remote access and data collection.
This loader is an [AutoIt](https://en.wikipedia.org/wiki/AutoIt)-compiled executable that carries a self-extracting stream in its resource section along with several embedded files.

### Defense Evasion

Azorult implements a hard-coded sandbox-evasion checklist: it looks for specific usernames, computer names, files on the desktop and running processes on the targeted host, and exits if any of them match. It also terminates if the OS version of the compromised host is "winxp".

- **Username:** Peter Wilson, Acme, BOBSPC, Johnson, John, John Doe, Rivest, mw, me, sys, Apiary, STRAZNJICA.GRUBUTT, Phil, Customer, shimamu
- **Computername:** RALPHS-PC, ABC-WIN7, man-PC, luser-PC, Klone-PC, tpt-PC, BOBSPC, WillCarter-PC, PETER-PC, David-PC, ART-PC, TOM-PC
- **Files in Desktop:** @DesktopDir + \secret.txt, @DesktopDir + \my.txt, @DesktopDir + \report.odt, @DesktopDir + \report.rtf, @DesktopDir + \Incidents.pptx
- **Processes:** Joeboxcontrol.exe, Joeboxserver.exe, Frida-winjector-helper32.exe, analyzer.exe

If the "msseces.exe" process (the Microsoft Security Essentials client) is running, it tries to uninstall the "Microsoft Security Client" product with the wmic.exe command shown below:

```
C:\Windows\System32\wbem\wmic.exe product where name="Microsoft Security Client" call uninstall /nointeractive
```

It also modifies several registry values that control Windows Defender features and other AV products in order to evade their detections. Figures 1.1 and 1.2 show the AutoIt script code that writes those registry values.

_Figure 1.1_

_Figure 1.2_

It also tries to stop, delete and even reconfigure a number of services as part of disabling antivirus products. Figure 2 shows the list of targeted services.

_Figure 2_

It attempts to block the SMB ports (445 and 139) and updates the firewall configuration so that its dropped malicious files are allowed to make network connections. Figure 3 shows the netsh command that modifies the firewall rules.
_Figure 3_

Using the attrib and icacls Windows binaries, it sets the hidden attribute and a deny ACE on the installation root folders of several AV products, as seen in Figures 4 and 5.

_Figure 4_

_Figure 5_

### First Stage Drop Files

The loader drops the files seen in Figure 6. "temp.bat" is a cleanup batch file that deletes some of the dropped files and sets the hidden attribute on the created directory C:\ProgramData\Windows. "clean.bat" kills the Malwarebytes "mbamservice.exe" process and stops or deletes further services belonging to AV products and coin miners such as "MinerGate".

_Figure 6_

"H.bat" blocks AV, coin-miner and some GitHub websites by redirecting them to the loopback address of the compromised host, appending entries to "%SystemRoot%\System32\drivers\etc\hosts". Figure 7 shows some of the URLs it blocks and how it adds the entries to the hosts file.

_Figure 7_

The file "5.xml" is one of the most interesting parts of this malware: it contains AppLocker rules written for defense evasion. We return to it below when we break down the component that imports this policy.

"ink.exe" is the actual Azorult malware. Figure 8.1 shows the strings used by the code that parses browser databases to collect sensitive information such as credentials.

_Figure 8.1_

Figure 8.2 shows how it parses and steals Telegram, Skype and Bitcoin wallet information stored on the target host and sends it to its C2 server.

_Figure 8.2_

### Drop file - Wini.exe

One of the dropped executables is named wini.exe. It is a self-extracting archive (SFX): an archive combined with an executable stub, which lets Windows users extract the archive's files without a separate decompression program.
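Before moving on to the SFX droppers, here is a triage check for the hosts-file tampering H.bat performs, as described above. This is an added example for this page, not code from the Splunk Threat Research Team or from the Azorult sample: it parses a hosts file and reports every name that has been pointed at a sinkhole address, rating names that match a watchlist of security, update and coin-miner domains as high severity. The watchlist and the sample hosts content are constructed illustrations (the real block list is only visible in Figure 7).

```python
"""Triage a Windows hosts file for sinkholed security and update domains.

Added example (not from the Splunk post or the Azorult sample). An H.bat-style
script appends "127.0.0.1 <vendor host>" lines to
%SystemRoot%\\System32\\drivers\\etc\\hosts; this reports such entries.
"""
import ipaddress
from typing import List, Tuple

# Addresses used to blackhole a name; loopback addresses are checked separately.
SINKHOLE_IPS = {"0.0.0.0", "::"}

# Illustrative watchlist (suffix match); extend with your own AV/EDR/update domains.
WATCHLIST = (
    "malwarebytes.com", "eset.com", "kaspersky.com", "avast.com", "bitdefender.com",
    "symantec.com", "mcafee.com", "windowsupdate.com", "update.microsoft.com",
    "github.com", "minergate.com",
)


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments and blanks."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # malformed line; the resolver skips it too
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                             # not an address; the resolver skips it too
        for host in parts[1:]:                   # one address may carry several names
            entries.append((ip, host.lower(), line_no))
    return entries


def _is_sinkhole(ip: str) -> bool:
    return ip in SINKHOLE_IPS or ipaddress.ip_address(ip).is_loopback


def _on_watchlist(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def find_sinkholed_entries(text: str) -> List[dict]:
    """Flag names mapped to a sinkhole; watchlisted names are high severity."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not _is_sinkhole(ip) or host in ("localhost", "localhost.localdomain"):
            continue                             # stock entries and real overrides are fine
        findings.append({
            "line": line_no, "ip": ip, "hostname": host,
            "severity": "high" if _on_watchlist(host) else "medium",
        })
    return findings


# Constructed sample: stock entries, one legitimate intranet override, then the
# kind of block list an H.bat-style script appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate admin override
127.0.0.1 www.malwarebytes.com
127.0.0.1 github.com raw.githubusercontent.com
0.0.0.0   minergate.com
127.0.0.1 www.example.org
"""

if __name__ == "__main__":
    for f in find_sinkholed_entries(SAMPLE_HOSTS):
        print(f'line {f["line"]:>3}: {f["ip"]:<10} -> {f["hostname"]:<30} [{f["severity"]}]')
```

Suffix matching is deliberate: `raw.githubusercontent.com` is reported only at medium severity because it is a different registrable domain from `github.com`, so a watchlist has to name every domain it cares about rather than rely on substring hits. Any loopback-mapped name that is not `localhost` is worth a look on a workstation, which is why those are kept as medium rather than dropped.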
Threat actors favor this file type because the archive can be password-protected, which helps the payload evade sandboxes and emulators that do not know the password. Figure 9 shows the password prompt that appears when the file is executed without it.

_Figure 9_

Digging into the loader's AutoIt script, the code below is the actual command line, including the password, that executes this SFX file:

```
Run("C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui")
```

Wini.exe drops the RMS (Remote Manipulator System) remote admin tool as "rfusclient.exe" and "rutserv.exe". To install it, it also drops "install.vbs", which executes another dropped file, "install.bat". That batch file disables Windows Defender, imports the RMS tool's registry settings ("reg1.reg" and "reg2.reg"), executes the RMS server rutserv.exe and configures its services. Figure 10 shows the registry values written by reg1.reg and Figure 11 shows the code of install.bat.

_Figure 10_

_Figure 11_

It also drops another executable named "winit.exe", an AutoIt-compiled binary that gathers information about the compromised host: installed AV products, OS version, video adapter and more. After collecting the data it tries to send it by SMTP to a specific email address using a fixed body format. It also executes "del.bat", which performs cleanup by deleting itself. Figures 12.1 and 12.2 show the code of this executable and how it builds the body of the email.

_Figure 12.1_

_Figure 12.2_

### Drop file - Cheat.exe

Both cheat.exe and wini.exe are SFX files protected with the password naxui. One of the files cheat.exe drops is "P.exe", which in turn drops and executes "1.exe", a copy of WebBrowserPassView.exe. WebBrowserPassView.exe is a Nirsoft tool that recovers credentials such as passwords saved in browsers.
The other file dropped by cheat.exe is "taskhost.exe", which executes "P.exe", "R8.exe" and "taskhostw.exe". It also installs "OpenCL.dll", the Khronos OpenCL ICD loader component that lets applications bind to a specific OpenCL implementation. taskhost.exe creates scheduled tasks as a persistence mechanism for its dropped files "taskhostw.exe" and "winlogon.exe". It also downloads files from a specific FTP server (109.248.203.81), saves them as c:\programdata\windowstask\temp.exe, decrypts them and executes them. Unfortunately, the FTP server was unreachable at the time of writing. Figure 13 shows how it sets up the FTP connection and tries to parse credentials from several URLs.

_Figure 13_

"winlogon.exe" is another AutoIt-compiled file that looks for scheduled tasks whose names contain "KMSAutoNet", "KMS" or "KMSAuto". Figure 14 shows how it lists all scheduled tasks with "schtasks /query" in list format and searches the output with a regular expression.

_Figure 14_

Cheat.exe also drops another executable called "winlog.exe", which in turn drops "winlogon.exe" into C:\ProgramData\Microsoft\Intel. C:\ProgramData\Microsoft\Intel\winlogon.exe is a PowerShell script converted to an executable; it runs a PowerShell command that imports the AppLocker policy dropped by the loader as "5.xml". Figure 15 shows a snippet of the policy, whose rules apply a Deny action to several antivirus products.

_Figure 15_

Below is the PowerShell it uses to import the policy:

```
Import-Module applocker ; Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml
```

The XML is well formed, and as soon as it is imported into the AppLocker rule set the antivirus products targeted by the Deny rules are clearly visible, as seen in Figure 16.
_Figure 16_

As noted by [Grzegorz Tworek](https://twitter.com/0gtweet), AppLocker can neither block nor log processes whose token contains NT AUTHORITY\SERVICE, which is the context most AV engines run their prevention components in. AV engines also include less privileged components, however, focused on alerting and notifying the user about events the engine identified, and it is only these that Azorult's dropped AppLocker policy would prevent from running.

Finally, the last dropped file is "R8.exe", another SFX archive. It decompresses "db.rar", which contains "install.vbs"; that script executes "bat.bat", which creates a hidden user account named "John", enables RDP connections, executes "RDPWinst.exe" (an RDP Wrapper installer that enables Remote Desktop Host support and concurrent RDP sessions on editions that do not normally allow them), adds the account to a local group, sets a non-expiring password policy with "net accounts /maxpwage:unlimited", sets the hidden attribute and deletes itself. Figure 17 shows the code of bat.bat.

_Figure 17_

## Detections

Below are the existing and new detections developed by the Splunk Threat Research Team (STRT) for the tactics and techniques of this malware.
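Before the Splunk analytics, a host-side check for the AppLocker abuse described above. This is an added example for this page, not code from the post, from the STRT content repository or from the malware: it parses either a whole AppLocker policy (what `Get-AppLockerPolicy -Effective -Xml` returns, or a dropped 5.xml-style file) or a single rule element (the form AppLocker stores as value data under `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\<Collection>\<RuleGuid>`) and reports every publisher rule with `Action="Deny"` whose `O=` organization names a security vendor. The vendor list is copied from the "Windows Impair Defense Deny Security Software With AppLocker" analytic below; the sample policy, its rule IDs and the Contoso publisher are constructed.

```python
"""Audit AppLocker rules for Deny actions aimed at security software.

Added example; not code from the Splunk post or the Azorult sample. Mirrors the
logic of the "Deny Security Software With AppLocker" analytic: report
FilePublisherRule elements with Action="Deny" whose publisher O= RDN names a
known security vendor.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional, Tuple

# Organization names copied from the analytic's IN(...) list.
SECURITY_VENDOR_ORGS = (
    "SYMANTEC", "MCAFEE", "KASPERSKY", "BLEEPING COMPUTER", "PANDA SECURITY",
    "SYSTWEAK SOFTWARE", "TREND MICRO", "AVAST", "GRIDINSOFT", "MICROSOFT",
    "NANO SECURITY", "SUPERANTISPYWARE.COM", "DOCTOR WEB", "MALWAREBYTES",
    "ESET", "AVIRA", "WEBROOT",
)
RULE_TAGS = ("FilePublisherRule", "FilePathRule", "FileHashRule")


def publisher_org(publisher_name: str) -> Optional[str]:
    """Extract the O= RDN from an AppLocker PublisherName (an X.500 subject string).

    Accepts a quoted value ('O="ACME, INC.", L=...') or an unquoted one
    ('O=ACME INC., L=...'); the result is upper-cased for comparison.
    """
    m = re.search(r'(?:^|,\s*)O=("(?:[^"]|"")*"|[^,]*)', publisher_name)
    if not m:
        return None
    return m.group(1).strip().strip('"').upper()


def matched_vendor(org: Optional[str]) -> Optional[str]:
    """Return the first vendor token contained in the organization name, if any."""
    if not org:
        return None
    return next((v for v in SECURITY_VENDOR_ORGS if v in org), None)


def _iter_rules(root: ET.Element) -> Iterator[Tuple[str, ET.Element]]:
    """Yield (collection type, rule element) for a full policy or a single rule."""
    if root.tag in RULE_TAGS:                  # bare rule, e.g. one SrpV2 registry value
        yield "(registry value)", root
        return
    for coll in root.iter("RuleCollection"):
        for rule in coll:
            if rule.tag in RULE_TAGS:
                yield coll.get("Type", "?"), rule


def find_security_deny_rules(xml_text: str) -> List[dict]:
    """Return Deny publisher rules that target a known security vendor."""
    hits = []
    for coll_type, rule in _iter_rules(ET.fromstring(xml_text)):
        if rule.tag != "FilePublisherRule" or rule.get("Action", "").lower() != "deny":
            continue
        cond = rule.find("Conditions/FilePublisherCondition")
        if cond is None:
            continue
        org = publisher_org(cond.get("PublisherName", ""))
        vendor = matched_vendor(org)
        if vendor is None:
            continue                           # Deny rule, but not against security software
        hits.append({
            "collection": coll_type, "rule_id": rule.get("Id"), "name": rule.get("Name"),
            "sid": rule.get("UserOrGroupSid"), "org": org, "vendor": vendor,
            "product": cond.get("ProductName"), "binary": cond.get("BinaryName"),
        })
    return hits


# Constructed sample policy: two vendor Deny rules, one Deny rule against an
# unrelated publisher and the stock Allow rule. Ids are placeholders (real ones are GUIDs).
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="1111-1" Name="mb" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>
   <FilePublisherCondition PublisherName="O=MALWAREBYTES INC., L=SANTA CLARA, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
    <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>
  <FilePublisherRule Id="2222-2" Name="other" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>
   <FilePublisherCondition PublisherName="O=CONTOSO LTD, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
    <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>
  <FilePathRule Id="3333-3" Name="(Default Rule) All files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
   <Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>
 </RuleCollection>
 <RuleCollection Type="Dll" EnforcementMode="Enabled">
  <FilePublisherRule Id="4444-4" Name="eset" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>
   <FilePublisherCondition PublisherName="O=ESET, SPOL. S R.O., L=BRATISLAVA, S=SLOVAKIA, C=SK" ProductName="*" BinaryName="*">
    <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>
 </RuleCollection>
</AppLockerPolicy>"""

# The same kind of rule as it appears on its own in one SrpV2 registry value.
SAMPLE_REGISTRY_RULE = """<FilePublisherRule Id="5555-5" Name="k" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>
 <FilePublisherCondition PublisherName="O=KASPERSKY LAB, L=MOSCOW, S=MOSCOW, C=RU" ProductName="*" BinaryName="*">
  <BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>"""

if __name__ == "__main__":
    for hit in find_security_deny_rules(SAMPLE_POLICY) + find_security_deny_rules(SAMPLE_REGISTRY_RULE):
        print(f'{hit["collection"]:<18} Deny {hit["vendor"]:<14} ({hit["org"]}) for SID {hit["sid"]}')
```

To run it against a live host, export the effective policy with `Get-AppLockerPolicy -Effective -Xml | Out-File policy.xml` and pass the file contents to `find_security_deny_rules`, or feed it each value read from the SrpV2 keys. A hit is an indicator of tampering rather than a measure of lost protection: as the note above explains, the vendor's service-token processes keep running regardless, and only user-context components such as tray and notification clients are actually blocked.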
### Windows Applications Layer Protocol RMS Radmin Tool Namedpipe

This analytic identifies the use of the default or publicly known named pipes of the RMS remote admin tool:

```
`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*") | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName Computer UserID | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`
```

### Windows Gather Victim Network Info Through IP Check Web Services

This analytic identifies a process that resolves known IP-check web services (Sysmon DNS query events):

```
`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.amazonaws.com", "*ipecho.net", "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults Computer EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`
```

### Windows Impair Defense Add XML AppLocker Rules

This analytic identifies a PowerShell host process whose command line imports AppLocker XML rules with the Set-AppLockerPolicy cmdlet:

```
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsps.exe OR Processes.process_name=powershell.exe OR Processes.process_name=powershell_ise.exe OR Processes.original_file_name=pwsh.dll OR Processes.original_file_name=PowerShell.EXE OR Processes.original_file_name=powershell_ise.EXE) AND Processes.process="*Import-Module Applocker*" AND Processes.process="*Set-AppLockerPolicy *" AND Processes.process="* -XMLPolicy *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_add_xml_applocker_rules_filter`
```

### Windows Impair Defense Deny Security Software With AppLocker

This analytic identifies AppLocker rule data written to the registry (the SrpV2 policy keys, either directly or through a local Group Policy object) whose value contains a Deny action against the publishers of several security products. The path conditions are grouped so that the Deny and publisher conditions apply to both registry locations:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where ((Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*" AND Registry.registry_path= "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") AND Registry.registry_value_data = "*Action\=\"Deny\"*" AND Registry.registry_value_data IN("*O=SYMANTEC*","*O=MCAFEE*","*O=KASPERSKY*","*O=BLEEPING COMPUTER*", "*O=PANDA SECURITY*","*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=AVAST*", "*O=GRIDINSOFT*", "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=DOCTOR WEB*", "*O=MALWAREBYTES*", "*O=ESET*", "*O=AVIRA*", "*O=WEBROOT*") by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_impair_defense_deny_security_software_with_applocker_filter`
```

### Windows Powershell Import AppLocker Policy

This analytic identifies PowerShell script block logging (EventCode 4104) that imports an AppLocker XML policy with the Set-AppLockerPolicy cmdlet:

```
`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy *" ScriptBlockText="* -XMLPolicy *" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_import_applocker_policy_filter`
```

### Windows Remote Access Software RMS Registry

This analytic identifies the creation or modification of Windows registry keys belonging to the Remote Manipulator System (RMS) remote admin tool:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`
```

### Windows Valid Account With Never Expires Password

This analytic identifies net.exe or net1.exe updating the account password policy so that passwords never expire:

```
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.original_file_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.original_file_name="net1.exe") AND Processes.process="* accounts *" AND Processes.process="* /maxpwage:unlimited" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_valid_account_with_never_expires_password_filter`
```

### Windows Modify Registry Disable Toast Notifications

This analytic detects a modification in the Windows registry that disables toast notifications:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_toast_notifications_filter`
```

### Windows Modify Registry Disable Windows Security Center Notif

This analytic detects a modification in the Windows registry that disables Windows Security Center (Action Center) notifications:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_windows_security_center_notif_filter`
```

### Windows Modify Registry Suppress Win Defender Notif

This analytic detects a modification in the Windows registry that suppresses Windows Defender notifications:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\UX Configuration\\Notification_Suppress*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_suppress_win_defender_notif_filter`
```

### Windows Remote Services Allow RDP in Firewall

This analytic detects a modification of the Windows firewall that allows inbound Remote Desktop Protocol (TCP 3389) on a targeted machine:

```
| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "netsh.exe" OR Processes.original_file_name= "netsh.exe") AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_rdp_in_firewall_filter`
```

### Windows Remote Services Allow Remote Assistance

This analytic identifies a modification in the Windows registry that enables Remote Assistance (fAllowToGetHelp) on a targeted machine:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`
```

### Windows Remote Services RDP Enable

This analytic detects a modification in the Windows registry that enables Remote Desktop connections (fDenyTSConnections set to 0) on a targeted machine:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fDenyTSConnections*" Registry.registry_value_data="0x00000000" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_rdp_enable_filter`
```

### Windows Service Stop by Deletion

This analytic identifies the Windows Service Control utility, `sc.exe`, attempting to delete a service:

```
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process="* delete *" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_service_stop_by_deletion_filter`
```

### Windows Modify Registry Disable Win Defender Raw Write Notif

This analytic detects a modification in the Windows registry that disables the Windows Defender raw write notification feature:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Windows Defender\\Real-Time Protection\\DisableRawWriteNotification*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`
```

### Windows Modify Registry Disabling WER Settings

This analytic identifies a modification in the Windows registry that disables Windows Error Reporting:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\disable*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disabling_wer_settings_filter`
```

### Windows Modify Registry DisAllow Windows App

This analytic detects a modification in the Windows registry (the Explorer DisallowRun policy) that prevents users from running specific programs, which could otherwise help them remove malware manually or detect it with security products:

```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun*" Registry.registry_value_data="0x00000001" by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_disallow_windows_app_filter`
```

### Windows Modify Registry Regedit Silent Reg Import

This analytic
identifies possible modifications of the Windows registry using regedit.exe with its silent-mode parameter:

```
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="regedit.exe" OR Processes.original_file_name="reg edit.exe".replace(" ", "")) AND Processes.process="* /s *" AND Processes.process="*.reg*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_modify_registry_regedit_silent_reg_import_filter`
```

### Windows Remote Service RDPWinst Tool Execution

This analytic identifies execution of the "RDPWInst.exe" tool, the RDP Wrapper Library installer that enables Remote Desktop Host support and concurrent RDP sessions on reduced-functionality editions of Windows:

```
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="RDPWInst.exe" OR Processes.original_file_name="RDPWInst.exe") AND Processes.process IN ("* -i*", "* -s*", "* -o*", "* -w*", "* -r*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_service_rdpwinst_tool_execution_filter`
```

| Type | Name | Technique ID | Tactic | Description |
|---|---|---|---|---|
| TTP | [Attempt To Stop Security Service](https://research.splunk.com/endpoint/attempt_to_stop_security_service/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This search looks for attempts to stop security-related services on the endpoint. |
| TTP | [CHCP Command Execution](https://research.splunk.com/endpoint/chcp_command_execution/) | [T1059](https://attack.mitre.org/techniques/T1059/) | [Execution](https://attack.mitre.org/tactics/TA0002) | This search detects the execution of the chcp.exe application. |
| Hunting | [cmd_carry_out_string_command_parameter](https://research.splunk.com/endpoint/cmd_carry_out_string_command_parameter/) | [T1059.003](https://attack.mitre.org/techniques/T1059/003/) | [Execution](https://attack.mitre.org/tactics/TA0002) | This analytic identifies command-line arguments where cmd.exe /c is used to execute a program. |
| TTP | [Create local admin accounts using net exe](https://research.splunk.com/endpoint/create_local_admin_accounts_using_net_exe/) | [T1136.001](https://attack.mitre.org/techniques/T1136/001/) | Persistence | This search looks for the creation of local administrator accounts using net.exe. |
| TTP | Detect Use of cmd exe to Launch Script Interpreters | [T1059.003](https://attack.mitre.org/techniques/T1059/003/) | [Execution](https://attack.mitre.org/tactics/TA0002) | This search looks for the execution of the cscript.exe or wscript.exe processes with a parent of cmd.exe. |
| Anomaly | [Excessive Attempt To Disable Services](https://research.splunk.com/endpoint/excessive_attempt_to_disable_services/) | [T1489](https://attack.mitre.org/techniques/T1489/) | [Impact](https://attack.mitre.org/tactics/TA0040) | This analytic identifies a suspicious series of command lines that disable several services. |
| Anomaly | [Excessive Usage Of Cacls App](https://research.splunk.com/endpoint/excessive_usage_of_cacls_app/) | [T1222](https://attack.mitre.org/techniques/T1222/) | Defense Evasion | This analytic identifies excessive usage of the cacls.exe, xcacls.exe or icacls.exe applications to change file or folder permissions. |
| Anomaly | [Excessive Usage Of Net App](https://research.splunk.com/endpoint/excessive_usage_of_net_app/) | [T1531](https://attack.mitre.org/techniques/T1531/) | [Impact](https://attack.mitre.org/tactics/TA0040) | This analytic identifies excessive usage of net.exe or net1.exe. |
| Anomaly | [Excessive Usage Of SC Service Utility](https://research.splunk.com/endpoint/excessive_usage_of_sc_service_utility/) | [T1569.002](https://attack.mitre.org/techniques/T1569/002/) | [Execution](https://attack.mitre.org/tactics/TA0002) | This search detects suspicious, excessive usage of sc.exe on a host. |
| Anomaly | [Excessive Usage Of Taskkill](https://research.splunk.com/endpoint/excessive_usage_of_taskkill/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This analytic identifies excessive usage of the taskkill.exe application. |
| TTP | Executables Or Script Creation In Suspicious Path | [T1036](https://attack.mitre.org/techniques/T1036/) | Defense Evasion | This analytic identifies suspicious executables or scripts (known file extensions) in a list of suspicious file paths in Windows. |
| Anomaly | [Firewall Allowed Program Enable](https://research.splunk.com/endpoint/firewall_allowed_program_enable/) | [T1562.004](https://attack.mitre.org/techniques/T1562/004/) | Defense Evasion | This analytic detects a potentially suspicious modification of a firewall rule that allows the execution of specific applications. |
| TTP | [Hide User Account From Sign-In Screen](https://research.splunk.com/endpoint/hide_user_account_from_sign-in_screen/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This analytic identifies a suspicious registry modification that hides a user account on the Windows login screen. |
| TTP | [Hiding Files And Directories With Attrib exe](https://research.splunk.com/endpoint/hiding_files_and_directories_with_attrib_exe/) | [T1222.001](https://attack.mitre.org/techniques/T1222/001/) | Defense Evasion | Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden using specific flags so that the victim does not see them. |
| TTP | [Icacls Deny Command](https://research.splunk.com/endpoint/icacls_deny_command/) | [T1222](https://attack.mitre.org/techniques/T1222/) | Defense Evasion | This analytic identifies a potential adversary changing the security permissions of a specific file or directory. |
| Hunting | [Net Localgroup Discovery](https://research.splunk.com/endpoint/net_localgroup_discovery/) | [T1069.001](https://attack.mitre.org/techniques/T1069/001/) | [Discovery](https://attack.mitre.org/tactics/TA0007) | This hunting analytic identifies local group discovery using net localgroup. |
| Hunting | [Network Connection Discovery With Net](https://research.splunk.com/endpoint/network_connection_discovery_with_net/) | [T1049](https://attack.mitre.org/techniques/T1049/) | [Discovery](https://attack.mitre.org/tactics/TA0007) | This analytic looks for the execution of net.exe with command-line arguments used to list network connections on a compromised system. |
| TTP | [Processes launching netsh](https://research.splunk.com/endpoint/processes_launching_netsh/) | [T1562.004](https://attack.mitre.org/techniques/T1562/004/) | Defense Evasion | This search looks for processes launching netsh.exe. |
| TTP | [Sc exe Manipulating Windows Services](https://research.splunk.com/endpoint/sc_exe_manipulating_windows_services/) | [T1543.003](https://attack.mitre.org/techniques/T1543/003/) | Privilege Escalation | This search looks for arguments to sc.exe indicating the creation or modification of a Windows service. |
| TTP | Scheduled Task Deleted Or Created via CMD | [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | Execution, Persistence, Privilege Escalation | This analytic identifies the creation or deletion of a scheduled task using schtasks.exe with the create or delete flag passed on the command line. |
| Anomaly | Suspicious Scheduled Task from Public Directory | [T1053.005](https://attack.mitre.org/techniques/T1053/005/) | Execution, Persistence, Privilege Escalation | This detection identifies scheduled tasks registering (creating a new task) a binary or script to run from a public directory, which includes users\public, \programdata\ and \windows\temp. |
| TTP | [Allow Operation with Consent Admin](https://research.splunk.com/endpoint/allow_operation_with_consent_admin/) | [T1548](https://attack.mitre.org/techniques/T1548/) | Execution, Persistence, Privilege Escalation | This registry modification is designed to allow the Consent Admin to perform an operation that requires elevation without consent or credentials. |
| TTP | Disable Defender Submit Samples Consent Feature | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This analytic detects a suspicious modification of the registry that disables a Windows Defender feature. |
| TTP | [Disabling Remote User Account Control](https://research.splunk.com/endpoint/disabling_remote_user_account_control/) | [T1548.002](https://attack.mitre.org/techniques/T1548/002/) | Defense Evasion, Privilege Escalation | The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC). |
| TTP | [Windows DisableAntiSpyware Registry](https://research.splunk.com/endpoint/windows_disableantispyware_registry/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | The search looks for the registry key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints. |
| TTP | [Disable Show Hidden Files](https://research.splunk.com/endpoint/disable_show_hidden_files/) | [T1564.001](https://attack.mitre.org/techniques/T1564/001/), [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This analytic identifies a modification in the Windows registry that prevents users from seeing files with the hidden attribute. |
| Anomaly | Non Firefox Process Access Firefox Profile Dir | [T1555.003](https://attack.mitre.org/techniques/T1555/003/) | Credential Access | This search detects the anomalous event of a non-Firefox process accessing files in the Firefox profile folder. |
| TTP | [Registry Keys Used For Persistence](https://research.splunk.com/endpoint/registry_keys_used_for_persistence/) | [T1547.001](https://attack.mitre.org/techniques/T1547/001/) | Persistence, Privilege Escalation | The search looks for modifications to registry keys that can be used to launch an application or service at system startup. |
| TTP | [Windows Defender Exclusion Registry Entry](https://research.splunk.com/endpoint/windows_defender_exclusion_registry_entry/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This analytic detects a suspicious process that modifies a registry key related to the Windows Defender exclusion feature. |
| TTP | [Disable Defender BlockAtFirstSeen Feature](https://research.splunk.com/endpoint/disable_defender_blockatfirstseen_feature/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | This analytic is to detect a suspicious modification of the registry to disable |
| TTP | [Disable Defender Enhanced Notification](https://research.splunk.com/endpoint/disable_defender_enhanced_notification/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | |
| TTP | [Disable Defender Spynet Reporting](https://research.splunk.com/endpoint/disable_defender_spynet_reporting/) | [T1562.001](https://attack.mitre.org/techniques/T1562/001/) | Defense Evasion | |
| Anomaly | Windows Modify Registry Disable Toast Notifications (New) | [T1112](https://attack.mitre.org/techniques/T1112/) | Defense Evasion | |
| Anomaly | Windows Modify Registry Disable Windows Security Center Notif (New) | [T1112](https://attack.mitre.org/techniques/T1112/) | Defense Evasion | |
| Anomaly | Windows Modify Registry Suppress Win Defender Notif (New) | [T1112](https://attack.mitre.org/techniques/T1112/) | Defense Evasion | |
Windows Defender feature. This technique is to bypass or evade detection from Windows Defender AV product specially the Enhanced Notification feature where user or admin set to show or display alerts. This technique is to bypass or evade detection from Windows Defender AV products, especially the spynet reporting for its telemetry. This analytic is to identify a modification in the Windows registry to disable toast notifications. This analytic identifies a modification in the Windows registry to disable Windows center notifications. This analytic identifies a modification in the Windows registry to suppress Windows Defender notification. ----- Anomaly Windows Remote Services Allow Rdp In Firewall (New) Anomaly Windows Remote Services Allow Remote Assistance (new) [T1021.001](https://attack.mitre.org/techniques/T1021/001/) Lateral Movement [T1021.001](https://attack.mitre.org/techniques/T1021/001/) Lateral Movement This analytic detects a modification in the Windows firewall to enable remote desktop protocol on a targeted machine. This analytic identifies modifications in the Windows registry to enable remote desktop assistance on a targeted machine. TTP [Windows Service Stop By Deletion(New)](https://research.splunk.com/endpoint/196ff536-58d9-4d1b-9686-b176b04e430b/) [T1489](https://attack.mitre.org/techniques/T1489/) [Impact](https://attack.mitre.org/tactics/TA0040) This analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service. 
TTP [Windows Remote Services RDP Enable](https://research.splunk.com/endpoint/8fbd2e88-4ea5-40b9-9217-fd0855e08cc0/) (new) TTP Windows Application Layer Protocol RMS Radmin Tool Namedpipe(New) TTP Allow Inbound Traffic By Firewall Rule Registry(Modiffied) [T1021.001](https://attack.mitre.org/techniques/T1021/001/) Lateral Movement [T1071](https://attack.mitre.org/techniques/T1071/) Command and Control [T1021.001](https://attack.mitre.org/techniques/T1021/001/) Lateral Movement This analytic detects modifications in the Windows registry to enable remote desktop protocol on a targeted machine. This analytic identifies the use of default or publicly known named pipes used with RMX remote admin tool. This analytic detects a potential suspicious modification of firewall rule registry allowing inbound traffic in specific ports with a public profile. ----- Hunting Windows Gather Victim Network Info Through Ip Check Web Services (new) Hunting Windows Impair Defense Add Xml AppLocker Rules(New) TTP Windows Impair Defense Deny Security Software With AppLocker(New) TTP Windows Powershell Import AppLocker Policy(New) TTP Windows Remote Access Software RMS Registry(New) [T1590.005](https://attack.mitre.org/techniques/T1590/005/) [Reconnaissance](https://attack.mitre.org/tactics/TA0043) This analytic identifies a process that tries to connect to known IP web services. [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1219](https://attack.mitre.org/techniques/T1219/) Command and Control This analytic identifies a process that imports AppLocker xml rules using powershell commandlet. This analytic identifies a modification in the Windows registry by the AppLocker application that contains details or registry data values related to denying the execution of several Security products. 
This analytic detects a process that imports AppLocker xml rules using powershell commandlet. This analytic identifies modification or creation of Windows registry related to the Remote Manipulator System (RMS) Remote Admin tool. ----- TTP Windows Valid Account With Never Expires Password(New) Anomaly Windows Modify Registry Disable Win Defender Raw Write Notif(New) TTP Windows Modify Registry Disabling WER Settings(New) Windows Modify Registry DisAllow Windows App(New) TTP Windows Modify Registry Regedit Silent Reg Import(New) [T1489](https://attack.mitre.org/techniques/T1489/) [Impact](https://attack.mitre.org/tactics/TA0040) This analytic identifies processes that update user account policies for password requirements with a non-expiring password. [T1112](https://attack.mitre.org/techniques/T1112/) Defense Evasion [T1112](https://attack.mitre.org/techniques/T1112/) Defense Evasion [T1112](https://attack.mitre.org/techniques/T1112/) Defense Evasion [T1112](https://attack.mitre.org/techniques/T1112/) Defense Evasion This analytic identifies a modification in the Windows registry to disable Windows Defender raw write notification feature. This analytic detects a modification in the Windows registry to disable Windows error reporting settings. This analytic looks for a modification in the Windows registry to prevent users from running specific computer programs that could aid them in manually removing malware or detecting it using security products. This analytic looks for possible modification of Windows registry using regedit.exe application with silent mode parameter. ----- TTP Windows Remote Service RDPWinst Tool Execution(new) ### IOC filename: 5.xml [T1021.001](https://attack.mitre.org/techniques/T1021/001/) Lateral Movement This analytic identifies process of "RDPWInst.exe" tool which is a rdp wrapper library tool designed to enable remote desktop host support and concurrent rdp session on reduced functionality system. 
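The two AppLocker analytics above key on the registry write and on the PowerShell import. As an added example (not Splunk's or the loader's code), the script below parses an AppLocker policy XML offline and flags Deny rules whose path or publisher conditions name a security product, so a responder can triage a recovered policy file such as the one the loader imports; the sample policy and the product watchlist are constructed for the example.

```python
"""Flag AppLocker Deny rules aimed at security software.

Added example, not Splunk's or the Azorult loader's code. SAMPLE_POLICY is a
constructed document in the real AppLocker policy XML schema; the watchlist is
an assumed starting point, not an authoritative product list.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one benign Allow rule plus two Deny rules of the kind the
# "Deny Security Software With AppLocker" analytic looks for.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1" Name="Allow Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="d1" Name="Block Defender" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\Windows Defender\\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="d2" Name="Block Publisher" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE AV VENDOR, C=US" ProductName="EXAMPLE ANTIVIRUS" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Assumed, case-insensitive substrings that identify security products.
SECURITY_WATCHLIST = ("windows defender", "msmpeng", "microsoft security client",
                      "antivirus", "malwarebytes", "kaspersky")


def find_security_denies(policy_xml, watchlist=SECURITY_WATCHLIST):
    """Return (collection type, rule name, matched condition text) for each
    Deny rule whose path or publisher condition names a watchlisted product."""
    hits = []
    keys = ("Path", "PublisherName", "ProductName", "BinaryName")
    for coll in ET.fromstring(policy_xml).iter("RuleCollection"):
        for rule in coll:
            if rule.get("Action", "").lower() != "deny":
                continue
            # Only Conditions are inspected; an Exceptions block narrows a rule
            # rather than naming what it blocks, so it would only add noise.
            conds = rule.find("Conditions")
            for cond in (conds.iter() if conds is not None else []):
                text = " ".join(v for v in (cond.get(k) for k in keys) if v)
                if text and any(w in text.lower() for w in watchlist):
                    hits.append((coll.get("Type"), rule.get("Name"), text))
                    break
    return hits


if __name__ == "__main__":
    for coll, name, text in find_security_denies(SAMPLE_POLICY):
        print(f"[{coll}] Deny rule '{name}' targets: {text}")
```

Note that a collection with EnforcementMode="Enabled" and only Allow rules implicitly blocks everything not listed, so an absence of Deny hits does not by itself mean security software is unaffected.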
## Learn More

You can find the latest content about security analytic stories on [GitHub](https://github.com/splunk/security-content/releases/tag/v3.12.0) and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. For a full list of security content, check out the [release notes](https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements) on [Splunk Docs](https://docs.splunk.com/Documentation/ESSOC).

Any feedback or requests? Feel free to put in an issue on GitHub and we'll follow up. Alternatively, join us on the [Slack channel #security-research](https://splunk-usergroups.slack.com/). Follow these instructions if you need an invitation to our Splunk user groups on Slack.
_Credit to author Teoderick Contreras and collaborators Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella, Bhavin Patel, Michael Haag, Mauricio Velazco and Eric McGinnis._

Posted by **[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)**

The Splunk Threat Research Team is an active part of a customer's overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the [Attack Data repository](https://github.com/splunk/attack_data/). Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more. [Read more Splunk Security Content.](https://github.com/splunk/security_content)