Detecting Security Evasion Techniques
Adversaries employ numerous evasion techniques to avoid detection by security systems and personnel. In this post we look at common evasion techniques and hunt for them in the logs of a Windows system using Gigasheet. Evasion techniques usually involve uninstalling or disabling security controls, or changing a system's configuration.
Evasion Technique: Disabling Task Manager
First we look for indicators of registry changes that disable the Windows Task Manager. Task Manager shows the system's overall resource usage and detailed statistics about each process. If a user or analyst notices a strange process in Task Manager draining system resources, they are likely to kill it, so malware tries to avoid being seen there. The tactic is commonly seen in RATs, Trojans and worms, which use it to stop the user from terminating their process.
In Gigasheet, we uploaded the raw Windows log files and looked for the parameters that disable Task Manager. To detect this evasion technique, we filter our Windows logs for any modification to the registry path:
"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" and its value set to "DWORD (0x00000001)"
Clicking on the first resulting row opens the card view of that event, where we can see that the machine involved is "win-dc-892.attackrange.local":
Using the process ID from that event as a log filter, we can narrow down further and identify the user involved. Looking closely, the timestamps in the two logs match as well.
Evasion Technique: Disabling Remote User Account Control
Another tactic employed by attackers to evade defenses is to disable remote user account control, that is, Windows User Account Control (UAC). UAC prompts the user when a program is started or an action is performed that requires administrator rights, which usually means the program or action will change system settings or files. Here we look for modifications to the registry key that controls the enforcement of UAC.
In Gigasheet we apply a filter for any changes to the registry path:
"*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA*" and its value set to "DWORD (0x00000000)"
Again, we can see the results by clicking on a row:
Evasion Technique: Disabling NoRun Windows App
Here we look for registry modifications that disable the Run dialog in the Windows Start Menu. Malware uses this technique to stop users from easily launching known applications from the Run shortcut, in an attempt to make the infection harder to remove.
We look for any changes to the registry path: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" and its value set to "DWORD (0x00000001)"
Filtering on the registry path and the value data in Gigasheet:
Evasion Technique: Disabling Net User Account
Disabling a user account with net user is a tactic that disables the current user, making the machine unavailable to them while adversaries control the host for their own purposes. This search looks for a specific command line that uses "net.exe" to disable a user account.
The command line should contain the strings "net user" and "/active:no".
Scrolling through the rows returned by the filter, we noticed an instance of "C:\Windows\SysWOW64\cmd.exe" spawning "C:\Windows\SysWOW64\net.exe" that disabled the user account "draken" on the endpoint project-london-host, run by the user PROJECT-LONDON-\Administrator.
Evasion Technique: Disabling Firewalls with Netsh
This evasion technique is commonly seen in malware that needs to communicate with, or download its payload from, a C2 server. Our filter looks for the firewall being disabled with the netsh utility.
The command line should contain the string "firewall" and either "off" or "disable".
Combining AND and OR filters in Gigasheet makes it easy to express this condition, as shown below:
Here we can see Windows Firewall was disabled on win-dc-892.attackrange.local by ATTACKRANGE\Administrator.
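The two command-line hunts above (net user with /active:no, and netsh with firewall plus off or disable) expressed as code rather than as spreadsheet filters. This is an added example, not Gigasheet's code or a rule from the post's authors. The records are constructed to resemble process-creation events (Sysmon Event ID 1) flattened to the fields Computer, User, ParentImage, Image and CommandLine; the timestamps and the benign command lines are made up, while the host and user names are those shown in the post. Matching on "off" and "disable" is done on whole tokens so that a word such as "offline" does not trip the rule.

```python
"""Hunt process-creation events for the two command-line evasion patterns in
the post: "net user <account> /active:no" and "netsh ... firewall ... off|disable".
Added example; event field names and all sample values except the host and
user names from the post are constructed."""
import ntpath
import re

NET_USER_DISABLED = "user account disabled with net user"
FIREWALL_DISABLED = "firewall disabled with netsh"


def _tokens(cmdline):
    """Split a command line on whitespace, keeping the original case."""
    return re.split(r"\s+", cmdline.strip())


def net_user_disable(ev):
    """AND filter from the post: both "net user" and "/active:no" must appear.
    Returns the account being disabled (the token right after "user"), or None."""
    cmd = ev["CommandLine"].lower()
    if "net user" not in cmd or "/active:no" not in cmd:
        return None
    toks = _tokens(ev["CommandLine"])
    low = [t.lower() for t in toks]
    try:
        idx = low.index("user")
    except ValueError:
        return None
    # "net user /active:no" with no account name is not a valid disable command
    if idx + 1 < len(toks) and not toks[idx + 1].startswith("/"):
        return toks[idx + 1]
    return None


def netsh_firewall_off(ev):
    """AND/OR filter from the post: image is netsh.exe AND the command line
    mentions a firewall AND contains "off" OR "disable" as a whole token."""
    if ntpath.basename(ev["Image"]).lower() != "netsh.exe":
        return False
    low = [t.lower() for t in _tokens(ev["CommandLine"])]
    mentions_firewall = any("firewall" in t for t in low)   # also matches advfirewall
    return mentions_firewall and ("off" in low or "disable" in low)


def _context(ev):
    return {k: ev[k] for k in ("UtcTime", "Computer", "User", "ParentImage", "Image")}


def hunt(events):
    """Run both rules over a batch of events; one finding per rule match."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        account = net_user_disable(ev)
        if account:
            findings.append({"rule": NET_USER_DISABLED, "account": account, **_context(ev)})
        if netsh_firewall_off(ev):
            findings.append({"rule": FIREWALL_DISABLED, "account": None, **_context(ev)})
    return findings


# Constructed sample batch: two true positives modelled on the post, three benign lines.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-03-14 09:58:41.301", "Computer": "project-london-host",
     "User": r"PROJECT-LONDON-\Administrator", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net user draken /active:no"},
    {"EventID": 1, "UtcTime": "2022-03-14 10:02:05.774", "Computer": "project-london-host",
     "User": r"PROJECT-LONDON-\Administrator", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\net.exe", "CommandLine": "net user draken /active:yes"},
    {"EventID": 1, "UtcTime": "2022-03-14 10:31:12.008", "Computer": "win-dc-892.attackrange.local",
     "User": r"ATTACKRANGE\Administrator", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 1, "UtcTime": "2022-03-14 10:33:40.119", "Computer": "win-dc-892.attackrange.local",
     "User": r"ATTACKRANGE\Administrator", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"EventID": 1, "UtcTime": "2022-03-14 10:35:02.560", "Computer": "win-dc-892.attackrange.local",
     "User": r"ATTACKRANGE\Administrator", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface show interface"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['UtcTime']} {f['Computer']} {f['User']}: {f['rule']}"
              + (f" (account {f['account']})" if f["account"] else ""))
```

The account name is pulled out of the command line so that a finding carries the same facts the post reads off the card view: the host, the user running the command, the parent process and the account that was disabled.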
Evasion Technique: Disabling CMD
These evasion techniques are commonly seen in RATs, Trojans and worms to prevent triage or deletion of samples from the command prompt. CMD, the Windows command prompt, is a handy tool for analysts to traverse directories and files. This filter finds registry modifications that disable the command prompt.
Filter for any modifications to the registry path: "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" and its value set to "DWORD (0x00000001)"
Filter and results in Gigasheet:
Evasion Technique: Disable Windows Behavior Monitoring
This technique is commonly seen in RATs, bots and Trojans, which disable antivirus to evade detection. Microsoft describes the benefits of its Windows Defender endpoint solution as "real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities." Adversaries disable it to avoid detection. Here we build a filter that identifies registry modifications that disable Windows Defender's real-time behavior monitoring.
Look for any modification to one of the registry paths: "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" or "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" or "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" or "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" or "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" or "*\\Real-Time Protection\\DisableIOAVProtection" or "*\\Real-Time Protection\\DisableScriptScanning", with its value set to "DWORD (0x00000001)"
Gigasheet can take in as many filters as needed, as shown below:
Windows Defender real-time behavior monitoring was disabled on win-dc-892.attackrange.local.
Evasion Technique: Disable Windows App Hotkeys
This defense evasion tactic is commonly used to disable applications such as `taskmgr.exe` (Task Manager) and `cmd.exe` (the Command Prompt), in an attempt to undermine the analyst's ability to analyze the compromise and evict the attacker. We build a filter that searches for registry modifications that disable Windows hotkeys (shortcut keys) for native Windows applications.
Look for any modifications to the registry path: "\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" and its value set to "HotKey Disabled" and "Debugger"
The following screenshot shows that 'Windows App Hotkeys' on win-dc-763.attackrange.local
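All of the registry-based hunts in this post (Task Manager, UAC, NoRun, DisableCMD, Defender real-time protection and app hotkeys) share one shape: a wildcard match on the registry path plus an exact match on the value written. The block below collects them into a single rule table and adds the process-ID pivot used in the first section to attribute a hit to a user. It is an added example, not Gigasheet's code or the post's own rules. The events are constructed to resemble Sysmon Event ID 13 (registry value set) and Event ID 1 (process create) records flattened to the fields EventID, UtcTime, Computer, ProcessId, Image, User, TargetObject and Details; process IDs, timestamps and the benign records are made up, while host and user names are those shown in the post. The hotkey rule is encoded here as the Image File Execution Options "Debugger" value being set to the string "HotKey Disabled", which is how this example reads the post's last filter (an assumption).

```python
"""Registry-based defense-evasion hunts from the post as one rule table, with
the ProcessId pivot used to find the user behind a hit. Added example; field
names and all sample values except the post's host and user names are
constructed."""
from fnmatch import fnmatchcase

# (rule name, wildcard registry paths, value data that signals the evasion).
# "*" matches any run of characters, as in the Gigasheet filters in the post.
REGISTRY_RULES = [
    ("Task Manager disabled",
     [r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"],
     "DWORD (0x00000001)"),
    ("UAC disabled (EnableLUA)",
     [r"*HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA*"],
     "DWORD (0x00000000)"),
    ("Run dialog disabled (NoRun)",
     [r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"],
     "DWORD (0x00000001)"),
    ("Command Prompt disabled (DisableCMD)",
     [r"*\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD"],
     "DWORD (0x00000001)"),
    ("Defender real-time protection disabled",
     [r"*\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
      r"*\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection",
      r"*\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable",
      r"*\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
      r"*\Real-Time Protection\DisableIntrusionPreventionSystem",
      r"*\Real-Time Protection\DisableIOAVProtection",
      r"*\Real-Time Protection\DisableScriptScanning"],
     "DWORD (0x00000001)"),
    # Assumed reading of the post's hotkey filter: IFEO ...\<app>\Debugger = "HotKey Disabled"
    ("Windows app hotkeys disabled (IFEO)",
     [r"*\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger"],
     "HotKey Disabled"),
]


def registry_hits(events):
    """One hit per value-set event whose path matches a rule pattern AND whose
    written value is the flagged value. Paths compare case-insensitively,
    because registry paths are; the value must match exactly."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev["TargetObject"].lower()
        for name, patterns, flagged in REGISTRY_RULES:
            if ev["Details"] != flagged:
                continue
            if any(fnmatchcase(target, p.lower()) for p in patterns):
                hits.append({"rule": name, "UtcTime": ev["UtcTime"], "Computer": ev["Computer"],
                             "ProcessId": ev["ProcessId"], "TargetObject": ev["TargetObject"]})
                break  # a single event belongs to at most one rule
    return hits


def attribute_to_process(hit, events):
    """The pivot from the post's first section: use the hit's ProcessId to find
    the process-creation event on the same host, which carries the user."""
    for ev in events:
        if (ev.get("EventID") == 1 and ev["Computer"] == hit["Computer"]
                and ev["ProcessId"] == hit["ProcessId"]):
            return {"User": ev["User"], "Image": ev["Image"], "UtcTime": ev["UtcTime"]}
    return None  # no process-create event for that pid in this batch


_HOST = "win-dc-892.attackrange.local"
_POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Constructed sample batch (pids 4312, 4890, 5120, 6004, 2204 are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2022-03-14 10:21:03.117", "Computer": _HOST, "ProcessId": 4312,
     "Image": r"C:\Windows\System32\reg.exe", "User": r"ATTACKRANGE\Administrator"},
    {"EventID": 13, "UtcTime": "2022-03-14 10:21:03.120", "Computer": _HOST, "ProcessId": 4312,
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": _POLICY + r"\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    # same path written back to 0: path matches, value does not -> no hit
    {"EventID": 13, "UtcTime": "2022-03-14 10:40:51.002", "Computer": _HOST, "ProcessId": 4890,
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": _POLICY + r"\DisableTaskMgr",
     "Details": "DWORD (0x00000000)"},
    # Defender behavior monitoring off, by a pid with no process-create event in this batch
    {"EventID": 13, "UtcTime": "2022-03-14 10:22:17.450", "Computer": _HOST, "ProcessId": 5120,
     "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"EventID": 13, "UtcTime": "2022-03-14 11:05:09.733", "Computer": "win-dc-763.attackrange.local",
     "ProcessId": 6004, "Image": r"C:\Windows\System32\reg.exe", "Details": "HotKey Disabled",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger"},
    # flagged value on an unrelated path -> no hit
    {"EventID": 13, "UtcTime": "2022-03-14 10:23:00.000", "Computer": _HOST, "ProcessId": 2204,
     "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
]

if __name__ == "__main__":
    for hit in registry_hits(SAMPLE_EVENTS):
        who = attribute_to_process(hit, SAMPLE_EVENTS)
        print(hit["UtcTime"], hit["Computer"], hit["rule"], "by", who["User"] if who else "unknown user")
```

Two of the constructed records exist to show the false-positive edges a filter on path or value alone would hit: the same policy value being written back to 0, and the flagged value 1 being written to an unrelated Explorer setting. Neither produces a hit, because both the path pattern and the value must match.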