{
	"id": "fbbf15cb-3927-4574-b4a5-aa506928fe72",
	"created_at": "2026-04-06T01:30:16.431725Z",
	"updated_at": "2026-04-10T13:11:34.007151Z",
	"deleted_at": null,
	"sha1_hash": "db095f3f556d8268ac98721a7b00c204d3ef98ef",
	"title": "AppLocker Rules as Defense Evasion: Complete Analysis | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 15270242,
	"plain_text": "AppLocker Rules as Defense Evasion: Complete Analysis | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-08-25 · Archived: 2026-04-06 01:28:44 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we\r\nno longer use. For more information on our updated terminology and our stance on biased language, please visit\r\nour blog post. We appreciate your understanding as we work towards making our community more inclusive for\r\neveryone.\r\nMicrosoft continues to develop, update and improve features to monitor and prevent the execution of malicious\r\ncode on the Windows opearting system. One of these features is AppLocker. This feature advances the\r\nfunctionality of software restriction policies and enables administrators to create rules to allow or deny\r\napplications from running based on their unique identities (e.g., files) and to specify which users or groups can run\r\nthose applications.\r\nAppLocker has the ability to control the execution of executables (“.exe” and “.com”), scripts (“.js”, “ps1”, “vbs”,\r\n“.cmd” and “.bat”), windows installer (“.msi, “.mst”, “.msp”), dll modules, packaged apps, and app installer.\r\nThis software restriction policy may be abused by adversaries, like the “Azorult loader,” a payload that imports its\r\nown AppLocker policy to deny the execution of several antivirus components as part of its defense evasion.\r\nIn this blog, the Splunk Threat Research Team will do a deep dive analysis on “Azorult loader” and its several\r\ncomponents to understand tactics and techniques that may help SOC analysts and blue teamers defend against\r\nthese types of threats.\r\nhttps://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html\r\nPage 1 of 27\n\n(For a larger resolution of this diagram visit this link)\r\nAzorult Loader\r\nAzorult loader is a classic “Trojan Horse” that contains several components including 
the Azorult malware itself\r\nand additional embedded files to enable remote access and data collection. This loader is an AutoIt-compiled\r\nexecutable that contains a self-extracting stream in its resource section along with several files.\r\nDefense Evasion\r\nAzorult implements a hardcoded sandbox evasion checklist: it looks for specific usernames, files on the desktop,\r\nhostnames and processes running on the targeted host. If any of them is identified, it will exit. It will also terminate its execution\r\nif the OS version of the compromised host is “winxp”.\r\nIf the “msseces.exe” process is running, it will try to uninstall the “Microsoft Security Client” by using the\r\nwmic.exe command shown below.\r\nC:\\Windows\\System32\\wbem\\wmic.exe product where name=\"Microsoft Security Client\" call uninstall /nointeractive\r\nIt will also disable several registry keys related to Windows Defender features and other AV\r\nproducts to evade their detections. Figures 1.1 and 1.2 show screenshots of the AutoIt script code that modifies\r\nthose registry values.\r\nFigure 1.1\r\nFigure 1.2\r\nIt will also try to stop, delete and even modify the configuration of some services as part of its execution in order to\r\ndisable antivirus products. Figure 2 shows the list of those services in the code.\r\nFigure 2\r\nIt will attempt to block SMB ports (445 and 139) and update the firewall configuration to allow its dropped malicious\r\nfiles to perform network connections. 
Figure 3 shows the netsh command that modifies firewall rules.\r\nFigure 3\r\nUsing the attrib and icacls Windows binaries, it will set the hidden attribute and a deny access permission on\r\nseveral AV product installation root folders, as seen in Figures 4 and 5.\r\nFigure 4\r\nFigure 5\r\nFirst Stage Drop Files\r\nThe loader will drop the files seen in Figure 6. The “temp.bat” is a cleanup batch file that will delete some of the\r\ndropped files and add a hidden attribute on the created directory C:\\Programdata\\Windows. The “clean.bat” is\r\nresponsible for killing the Malwarebytes “mbamservice.exe” process and for stopping or deleting more services related to AV\r\nproducts and coin miners like “MinerGate”.\r\nFigure 6\r\nThe “H.bat” is responsible for blocking AV, coin miner and some GitHub websites by redirecting them to the localhost\r\nIP address of the compromised host through entries added to “%SystemRoot%\\System32\\drivers\\etc\\hosts”.\r\nFigure 7 shows some of the URLs it tries to block and how it adds the entries to the hosts file.\r\nFigure 7\r\nThe file “5.xml” is one of the most interesting parts of this malware. It contains AppLocker rules designed for\r\ndefense evasion. This blog post will explore the topic further when we break down the components that\r\ntry to import this rule set. The “ink.exe” is the actual Azorult malware. 
Figure 8.1 shows the strings and commands used to\r\nparse the browser database to collect sensitive information like credentials.\r\nFigure 8.1\r\nFigure 8.2 shows how it parses and steals the Telegram, Skype and Bitcoin wallet information stored on the target\r\nhost and sends it to its C2 server.\r\nFigure 8.2\r\nDrop file - Wini.exe\r\nOne of the executables dropped is named wini.exe. This is a self-extracting archive (SFX): an archive that has been\r\ncombined with an executable module, allowing Windows users to extract the archive's files without a\r\ndecompression program. Threat actors take advantage of this file type because it protects their malware with a\r\npassword, which helps it evade sandboxes or emulators that do not have the password.\r\nFigure 9 shows the password prompt displayed when the file is executed without the password.\r\nFigure 9\r\nDigging into the loader's AutoIt script, the code below is the actual command line and password that execute this SFX\r\nfile.\r\nRun(\"C:\\ProgramData\\Microsoft\\Intel\\wini.exe -pnaxui\")\r\nWini.exe will drop the RMS remote admin tool files named “rfusclient.exe” and “rutserv.exe”. 
Then, to install this tool, it\r\nwill also drop “install.vbs”, which executes another dropped file, “install.bat”, that disables the Windows Defender\r\napplication, sets the registry entries of the “Remote Manipulator System” (RMS) tool (“reg1.reg” and “reg2.reg”),\r\nexecutes the RMS server rutserv.exe and configures its services.\r\nFigure 10 shows the registry entries written by the reg1.reg file related to the RMS tool, and Figure 11 shows the code of\r\ninstall.bat.\r\nFigure 10\r\nFigure 11\r\nIt will also drop another executable named “winit.exe”. This is an AutoIt-compiled binary responsible for gathering\r\ninformation on the compromised host, such as which AV is installed, the OS version, the video adapter and much more. After\r\ncollecting the data, it will try to send it via SMTP email to a specific email address using a specific body format. It will also\r\nexecute “del.bat”, which deletes itself.\r\nFigures 12.1 and 12.2 show the code of this executable and how it builds the body of the email that will be sent to\r\na specific email address.\r\nFigure 12.1\r\nFigure 12.2\r\nDrop file - Cheat.exe\r\nBoth cheat.exe and wini.exe are SFX files that are password protected with the password \"naxui\". One of the dropped\r\nfiles of cheat.exe is “P.exe”, which drops and executes “1.exe”, a copy of the WebBrowserPassView.exe tool.\r\nWebBrowserPassView.exe is a NirSoft tool for recovering credentials such as passwords stored in browsers. The other dropped file\r\nof cheat.exe is “taskhost.exe”, which executes “P.exe”, “R8.exe” and “taskhostw.exe”. 
It will also\r\ninstall “OpenCL.dll”, a component of the Khronos OpenCL ICD loader that allows applications to be built against\r\nspecific OpenCL implementations.\r\nThe taskhost.exe will also create a scheduled task as a persistence mechanism for its dropped files “taskhostw.exe” and\r\n“winlogon.exe”. taskhost.exe will also download files from a specific FTP server (109.248.203.81), save them as\r\nc:\\programdata\\windowstask\\temp.exe, decrypt them and execute them. Unfortunately, the FTP server was inaccessible\r\nat the time of writing.\r\nFigure 13 shows how it sets up the FTP connection and tries to parse the credentials from several URLs.\r\nFigure 13\r\nThe “winlogon.exe” is another AutoIt-compiled file that looks for scheduled tasks containing “KMSAutoNet”,\r\n“KMS” and “KMSAuto”. Figure 14 shows how it lists all the scheduled tasks using the “/query list” command and\r\nsearches them using a regex.\r\nFigure 14\r\nCheat.exe also drops another executable called “winlog.exe,” which then drops “winlogon.exe” in\r\nC:\\ProgramData\\Microsoft\\Intel. 
C:\\ProgramData\\Microsoft\\Intel\\winlogon.exe is a PowerShell script converted\r\nto an executable file that runs a PowerShell command to import the AppLocker policy dropped by the\r\nloader as “5.xml”.\r\nFigure 15 shows a snippet of the AppLocker rule policy that applies deny actions to several antivirus\r\nproducts.\r\nFigure 15\r\nBelow is the PowerShell command it uses to import this AppLocker policy.\r\n“Import-Module applocker\" ; \"Set-AppLockerPolicy -XMLPolicy C:\\ProgramData\\microsoft\\Temp\\5.xml”\r\nThe XML is well formed, and as soon as we import it into the AppLocker rule set, as seen in Figure 16, the\r\nantivirus products targeted by the deny action policy are clearly visible.\r\nFigure 16\r\nAs mentioned by Grzegorz Tworek, AppLocker can neither block nor log processes with NT AUTHORITY\\SERVICE\r\npresent in the token, which is what most AV engines use for their prevention component. However, AV engines also\r\ninclude components that run with fewer privileges and focus on alerting and notifying users about events identified by\r\nthe engine. 
Azorult's dropped AppLocker policy would only prevent these components from running.\r\nFinally, the last dropped file is “R8.exe”, another SFX file, which decompresses “db.rar”. That archive contains\r\n“install.vbs”, which executes “bat.bat” to create a hidden special user account named “John”, enable RDP\r\nconnections, execute “RDPWinst.exe” (which enables Remote Desktop Host support and concurrent RDP sessions on\r\nreduced-functionality systems), create a local group user, set a non-expiring password using “net accounts\r\n/maxpwage:unlimited”, set the hidden attribute and delete itself.\r\nFigure 17 shows the code snippet of the bat.bat file.\r\nFigure 17\r\nDetections\r\nBelow are the existing and new (STRT) detections developed to detect the tactics and techniques of this malware.\r\nWindows Applications Layer Protocol RMS Radmin Tool Namedpipe\r\nThis analytic identifies the use of default or publicly known named pipes used with the RMS remote admin tool:\r\n`sysmon` EventCode IN (17, 18) EventType IN ( \"CreatePipe\", \"ConnectPipe\") PipeName IN (\"\\\\RManFUSServerNotify3\r\n | stats min(_time) as firstTime max(_time) as lastTime count by Image EventType ProcessId PipeName Computer U\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`\r\nWindows Gather Victim Network Info Through IP Check Web Services\r\nThis analytic identifies a process that tries to connect to known IP check web services:\r\n`sysmon` EventCode=22 QueryName IN (\"*wtfismyip.com\", \"*checkip.amazonaws.com\", \"*ipecho.net\", \"*ipinfo.io\", \"\r\n \"*icanhazip.com\", \"*ip.anysrc.com\",\"*api.ip.sb\", \"ident.me\", \"www.myexternalip.com\", \"*zen.spamhaus.org\", \"*cb\r\n \"*dnsbl-1.uceprotect.net\", \"*spam.dnsbl.sorbs.net\", \"*iplogger.org*\", \"*ip-api.com*\")\r\n | stats 
min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus Query\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_gather_victim_network_info_through_ip_check_web_services_filter`\r\nWindows Impair Defense Add XML AppLocker Rules\r\nThis analytic identifies a process that imports AppLocker XML rules using a PowerShell cmdlet:\r\n| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_tim\r\n where (Processes.process_name=pwsh.exe OR Processes.process_name=sqlps.exe OR Processes.process_name=sqltoolsp\r\n by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_impair_defense_add_xml_applocker_rules_filter`\r\nWindows Impair Defense Deny Security Software With AppLocker\r\nThis analytic identifies a modification in the Windows registry by the AppLocker application that contains details\r\nor registry data values related to denying the execution of several security products:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where (Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Group Policy Objects\\\\*\" AND\r\n OR Registry.registry_path=\"*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\SrpV2*\"\r\n AND Registry.registry_value_data = \"*Action\\=\\\"Deny\\\"*\"\r\n AND Registry.registry_value_data IN(\"*O=SYMANTEC*\",\"*O=MCAFEE*\",\"*O=KASPERSKY*\",\"*O=BLEEPING COMPUTER*\", \"*O=P\r\n by Registry.user Registry.registry_path Registry.registry_value_data Registry.action Registry.registry_key_na\r\n | 
`drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_impair_defense_deny_security_software_with_applocker_filter`\r\nWindows Powershell Import AppLocker Policy\r\nThis analytic identifies a process that imports AppLocker XML rules using a PowerShell cmdlet:\r\n`powershell` EventCode=4104 ScriptBlockText=\"*Import-Module Applocker*\" ScriptBlockText=\"*Set-AppLockerPolicy *\r\n | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_powershell_import_applocker_policy_filter`\r\nWindows Remote Access Software RMS Registry\r\nThis analytic identifies a modification or creation of Windows registry entries related to the Remote Manipulator System\r\n(RMS) remote admin tool:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\SYSTEM\\\\Remote Manipulator System*\"\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_remote_access_software_rms_registry_filter`\r\nWindows Valid Account With Never Expires Password\r\nThis analytic identifies processes that update user account policies for password requirements with a non-expiring\r\npassword:\r\n| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_tim\r\n where (Processes.process_name=\"net.exe\" OR 
Processes.original_file_name=\"net.exe\" OR Processes.process_name=\"n\r\n AND Processes.process=\"* accounts *\" AND Processes.process=\"* /maxpwage:unlimited\"\r\n by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_valid_account_with_never_expires_password_filter`\r\nWindows Modify Registry Disable Toast Notifications\r\nThis analytic detects a modification in the Windows registry to disable toast notifications:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnable\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_disable_toast_notifications_filter`\r\nWindows Modify Registry Disable Windows Security Center Notif\r\nThis analytic detects a modification in the Windows registry to disable Windows Security Center notifications:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience*\" Registr\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_disable_windows_security_center_notif_filter`\r\nWindows Modify Registry Suppress Win Defender Notif\r\nThis analytic detects a modification in the Windows registry to suppress Windows Defender notifications:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Windows Defender\\\\UX Configuration\\\\Notification_Suppress*\" Registry.registr\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_suppress_win_defender_notif_filter`\r\nWindows Remote Services Allow RDP in Firewall\r\nThis analytic detects a modification in the Windows firewall to enable remote desktop protocol on a targeted\r\nmachine:\r\n| tstats `security_content_summariesonly` values(Processes.process) as cmdline\r\n values(Processes.parent_process_name) as parent_process values(Processes.process_name)\r\n count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\r\n where (Processes.process_name = \"netsh.exe\" OR Processes.original_file_name= \"netsh.exe\") AND Processes.proces\r\n AND Processes.process = \"*localport=3389*\" AND Processes.process = \"*action=allow*\"\r\n by Processes.dest Processes.user Processes.parent_process Processes.process_name\r\n Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_remote_services_allow_rdp_in_firewall_filter`\r\nWindows Remote Services Allow Remote Assistance\r\nThis 
analytic identifies a modification in the Windows registry to enable remote desktop assistance on a targeted\r\nmachine:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp*\" Registry.registry_value_data=\"0x\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_remote_services_allow_remote_assistance_filter`\r\nWindows Remote Services RDP Enable\r\nThis analytic detects a modification in the Windows registry to enable remote desktop protocol on a targeted\r\nmachine:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_remote_services_rdp_enable_filter`\r\nWindows Service Stop by Deletion\r\nThis analytic identifies Windows Service Control, `sc.exe`, attempting to delete a service:\r\n| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_tim\r\n where (Processes.process_name = sc.exe OR Processes.original_file_name = sc.exe) Processes.process=\"* delete *\r\n Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id\r\n | 
`drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_service_stop_by_deletion_filter`\r\nWindows Modify Registry Disable Win Defender Raw Write Notif\r\nThis analytic detects a modification in the Windows registry to disable the Windows Defender raw write notification\r\nfeature:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRawWriteNotification*\" Regist\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_disable_win_defender_raw_write_notif_filter`\r\nWindows Modify Registry Disabling WER Settings\r\nThis analytic identifies a modification in the Windows registry to disable Windows Error Reporting settings:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\disable*\" Registry.re\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_disabling_wer_settings_filter`\r\nWindows Modify Registry DisAllow Windows App\r\nThis analytic detects a modification in the Windows registry to prevent users from running specific 
computer programs\r\nthat could aid them in manually removing malware or detecting it using security products:\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRu\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_disallow_windows_app_filter`\r\nWindows Modify Registry Regedit Silent Reg Import\r\nThis analytic identifies possible modifications of the Windows registry using the regedit.exe application with the silent mode\r\nparameter:\r\n| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_tim\r\n where (Processes.process_name=\"regedit.exe\" OR Processes.original_file_name=\"regedit.exe\")\r\n AND Processes.process=\"* /s *\" AND Processes.process=\"*.reg*\"\r\n by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_modify_registry_regedit_silent_reg_import_filter`\r\nWindows Remote Service RDPWinst Tool Execution\r\nThis analytic identifies the execution of the \"RDPWInst.exe\" tool, an RDP wrapper library tool designed to\r\nenable Remote Desktop Host support and concurrent RDP sessions on reduced-functionality systems:\r\n| tstats `security_content_summariesonly` values(Processes.process) as 
process min(_time) as firstTime max(_tim\r\n where (Processes.process_name=\"RDPWInst.exe\" OR Processes.original_file_name=\"RDPWInst.exe\")\r\n AND Processes.process IN (\"* -i*\", \"* -s*\", \"* -o*\", \"* -w*\", \"* -r*\")\r\n by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\n | `windows_remote_service_rdpwinst_tool_execution_filter`\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security\r\nEssentials also has all these detections available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nCredit to author Teoderick Contreras and collaborators Rod Soto, Jose Hernandez, Patrick Bareiss, Lou Stella,\r\nBhavin Patel, Michael Haag, Mauricio Velazco and Eric McGinnis.\r\nSource: https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html"
	],
	"report_names": [
		"-applocker-rules-as-defense-evasion-complete-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439016,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db095f3f556d8268ac98721a7b00c204d3ef98ef.pdf",
		"text": "https://archive.orkl.eu/db095f3f556d8268ac98721a7b00c204d3ef98ef.txt",
		"img": "https://archive.orkl.eu/db095f3f556d8268ac98721a7b00c204d3ef98ef.jpg"
	}
}