Adversaries employ numerous advanced evasion techniques to try to avoid detection by security systems and personnel. In this blog, we will look at common evasion techniques, and hunt for evasion in a Windows system using Gigasheet. Evasion techniques usually involve uninstalling or disabling security controls, or changing configurations in a system.
First we will look for registry modifications that disable the Task Manager of the Windows operating system. The Task Manager monitors the Windows system's overall resource usage and shows detailed statistics about each process. If a user or analyst notices strange processes in Task Manager draining system resources, they're likely to kill them, so malware aims to avoid being detected here. This tactic is commonly seen in malware such as RATs, Trojans, or worms to prevent the user from terminating their process.
In Gigasheet, we've uploaded the raw Windows log files and will look for the parameters that disable the Task Manager. To detect this evasion technique, we'll look for any modifications to the following registry path in our Windows logs:
"*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" and its value set to "DWORD (0x00000001)"
Clicking on the first resulting row opens the card view of this line, where we can determine that the machine involved is "win-dc-892.attackrange.local":
Using the process ID as a log filter, we can narrow the results down further and identify the user involved. If you look closer, the timestamps match in both logs as well.
Another tactic employed by attackers to evade defenses is to disable Remote User Account Control, or Windows UAC. UAC presents notifications when you start programs or perform actions that require administrator rights on the computer, which usually indicates that a program or action is about to change system settings or files. In this case we'll look for modifications to the registry keys that control the enforcement of Windows User Account Control (UAC).
In Gigasheet we’ll apply a filter to look for any changes to the registry path:
"*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA*" and its value set to "DWORD (0x00000000)"
Again, we can see the results by clicking on a row:
Here we look for registry modifications that disable the Run dialog in the Windows Start Menu. This evasion technique is used by malware to prevent users from easily launching known applications from the Run shortcut, in an attempt to make the infection harder to remove.
We'll look for any changes to the registry path: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" and its value set to "DWORD (0x00000001)"
Applying a filter for the registry path and the value data in Gigasheet:
Disabling the Net User Account is a tactic that disables the current user, making the machine unavailable while adversaries control the host for malicious intent. This search looks for a specific command line that uses "net.exe" to disable a user account.
The command line should have the strings "net user" and "/active:no"
Scrolling through the rows returned by the filter, we noticed an instance of "C:\Windows\SysWOW64\cmd.exe" spawning "C:\Windows\SysWOW64\net.exe", which disabled the user account "draken" on endpoint project-london-host as user PROJECT-LONDON-\Administrator.
Disabling the Windows Firewall is an evasion technique commonly seen in malware that needs to communicate with, or download its payload from, a C2 server. Our filter looks for the firewall being disabled using the netsh application.
The command line should have the strings "firewall" and "off" or "disable".
AND and OR filters make it easy to express the condition of your search in Gigasheet, as shown below:
Here we can see Windows Firewall was disabled on win-dc-892.attackrange.local by ATTACKRANGE\Administrator.
This evasion technique is commonly seen in RATs, Trojans, or worms to prevent an analyst from triaging or deleting samples through the command prompt. The command prompt (CMD) is a handy tool for analysts to traverse directories and files. This filter finds registry modifications that disable the command prompt application.
Filter to any modifications to the registry path: "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" and its value set to "DWORD (0x00000001)"
Filter and results in Gigasheet:
This technique is commonly seen in RATs, bots, or Trojans, which disable antivirus to evade detection. Microsoft describes the benefits of its Windows Defender endpoint solution as "real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities." Adversaries look to disable this to avoid detection. Here we build a filter that identifies registry modifications that disable Windows Defender real-time protection and behavior monitoring.
Look for any modifications to the registry path: "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" or "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" or "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" or "*\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" or "*\\Real-Time Protection\\DisableIntrusionPreventionSystem" or "*\\Real-Time Protection\\DisableIOAVProtection" or "*\\Real-Time Protection\\DisableScriptScanning" and its value set to "DWORD (0x00000001)"
Gigasheet can take in as many filters as needed, as shown below:
Windows Defender real-time behavior monitoring was disabled on win-dc-892.attackrange.local.
This defense evasion tactic is commonly used to disable applications like `taskmgr.exe` (Task Manager) and `cmd.exe` (the Command Prompt). It is an attempt to undermine the analyst's ability to analyze the intrusion and evict the attacker from compromised systems. We'll build a filter that searches for registry modifications that disable Windows hotkeys (shortcut keys) for native Windows applications.
Look for any modifications to the registry path: "\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" with the "Debugger" value set to "HotKey Disabled"
The following screenshot shows that Windows app hotkeys were disabled on win-dc-763.attackrange.local:
This technique has been observed in certain malware that drops hidden files on the infected machine. This filter identifies modifications in the Windows registry that prevent users from seeing files with the hidden attribute.
Look for any modifications to the registry path: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" and its value set to "DWORD (0x00000001)" or "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" and its value set to "DWORD (0x00000000)"
If your search contains multiple AND or OR statements, give them in the order you need and Gigasheet processes them in exactly that order:
The Registry Editor is a powerful component of the Windows operating system. Adversaries disable this application to prevent the removal of the registry entries they use for persistence, fileless components, and defense evasion. This filter identifies registry modifications that disable regedit or the registry tools of the Windows operating system.
We search for any modifications to the registry path: "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" and its value set to "DWORD (0x00000001)"
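The registry filters above all share one shape: a wildcard on the registry path AND an expected value, with the individual filters OR'ed together. The following is an added example, not Gigasheet's code or a Gigasheet filter export, showing the same hunt written as a small rule table over Sysmon-style registry events (Event ID 13, whose Details field carries values in the "DWORD (0x00000001)" format the filters use). The seven Windows Defender value names are collapsed into one wildcard rule, and the events at the bottom are constructed samples, not real log data.

```python
"""Registry-based defense-evasion hunt over Sysmon-style registry events.

Added example (not Gigasheet's own code). Assumes events shaped like Sysmon
Event ID 13 (RegistryEvent, value set) with TargetObject, Details, Image,
ProcessId, User and Computer fields. All sample events are constructed.
"""
import fnmatch

# One row per filter in the post: (TargetObject glob, expected Details, label).
# Rows are OR'ed together; within a row the path AND the value must both match.
REGISTRY_RULES = [
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "DWORD (0x00000001)", "Task Manager disabled"),
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "DWORD (0x00000000)", "UAC (EnableLUA) disabled"),
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
     "DWORD (0x00000001)", "Start Menu Run disabled"),
    (r"*\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD",
     "DWORD (0x00000001)", "Command prompt disabled"),
    # Covers DisableBehaviorMonitoring, DisableRealtimeMonitoring, etc.
    (r"*\Real-Time Protection\Disable*",
     "DWORD (0x00000001)", "Defender real-time protection setting disabled"),
    # IFEO "Debugger" value set to the literal string "HotKey Disabled"
    (r"*\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger",
     "HotKey Disabled", "Windows app hotkey disabled"),
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "DWORD (0x00000001)", "Hidden files hidden"),
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "DWORD (0x00000001)", "File extensions hidden"),
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "DWORD (0x00000000)", "Super-hidden files hidden"),
    (r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "DWORD (0x00000001)", "Registry tools disabled"),
]


def match_registry_event(event):
    """Return the label of the first rule the event matches, or None.

    Matching is case-insensitive on both path and value; fnmatchcase is used
    so behaviour is identical on Windows and non-Windows analysis hosts.
    """
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    for pattern, expected, label in REGISTRY_RULES:
        if fnmatch.fnmatchcase(target, pattern.lower()) and expected.lower() in details:
            return label
    return None


def hunt_registry(events):
    """Run every rule over a list of events and return one finding per hit,
    carrying the host, user, process and key an analyst needs for triage."""
    findings = []
    for ev in events:
        label = match_registry_event(ev)
        if label:
            findings.append({"technique": label, "host": ev.get("Computer"),
                             "user": ev.get("User"), "image": ev.get("Image"),
                             "pid": ev.get("ProcessId"), "key": ev.get("TargetObject")})
    return findings


# Constructed sample events; host and user names mimic the post's lab.
_HOST, _USER = "win-dc-892.attackrange.local", "ATTACKRANGE\\Administrator"
_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
SAMPLE_EVENTS = [
    {"Computer": _HOST, "User": _USER, "Image": "C:\\Windows\\regedit.exe", "ProcessId": 4412,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"Computer": _HOST, "User": _USER, "Image": "C:\\Windows\\regedit.exe", "ProcessId": 4412,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000001)"},  # UAC re-enabled: benign, must not fire
    {"Computer": _HOST, "User": _USER, "Image": "C:\\Windows\\explorer.exe", "ProcessId": 1208,
     "TargetObject": "HKU\\" + _SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"Computer": _HOST, "User": _USER, "Image": "C:\\Windows\\System32\\reg.exe", "ProcessId": 5120,
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Computer": _HOST, "User": _USER, "Image": "C:\\Windows\\System32\\reg.exe", "ProcessId": 5120,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\\Debugger",
     "Details": "HotKey Disabled"},
    {"Computer": _HOST, "User": _USER, "Image": "C:\\Windows\\System32\\msiexec.exe", "ProcessId": 3300,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Program Files\\Updater\\updater.exe"},  # unrelated key, no hit
]

if __name__ == "__main__":
    for f in hunt_registry(SAMPLE_EVENTS):
        print(f"{f['technique']}: host={f['host']} user={f['user']} pid={f['pid']} image={f['image']}")
```

Two details are worth noting. The EnableLUA rule fires only on "DWORD (0x00000000)", so a re-enable of UAC does not produce a finding; and the `*` in the Image File Execution Options rule spans the executable name, so one rule covers every application whose hotkey has been disabled.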
This evasion technique has been seen in several ransomware packages. It disables the Windows event logging to evade triggering alerts and detections.
Our filter searches for execution of wevtutil.exe to disable logs.
We look for the process "wevtutil.exe" running with a command line containing the strings "*sl*" and "*/e:false*"
The search shows that WevtUtil.exe was used to disable event logging on win-dc-365.attackrange.local.
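The three command-line hunts in this post (net user /active:no, netsh firewall off or disable, and wevtutil sl /e:false) can be written as one classifier over process-creation events. The following is an added example, not Gigasheet's code, assuming events shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage, User, Computer). It goes slightly beyond the filters above by pulling out the account or log channel named on the command line, and by matching "off"/"disable" as whole tokens so that "disabled" in unrelated output does not trigger. The sample events are constructed.

```python
"""Command-line defense-evasion hunt over Sysmon-style process events.

Added example (not Gigasheet's own code). Assumes Sysmon Event ID 1
(ProcessCreate) fields: Image, CommandLine, ParentImage, User, Computer.
All sample events are constructed.
"""


def _basename(path):
    """Lower-cased file name of a Windows path, e.g. 'net.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def _arg_after(tokens, keyword):
    """Original-case token that follows `keyword` (matched case-insensitively),
    unless that token is a /switch; None when absent."""
    low = [t.lower() for t in tokens]
    if keyword in low:
        i = low.index(keyword)
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            return tokens[i + 1]
    return None


def classify_process(event):
    """Return (technique, detail) when the event matches one of the three
    command-line hunts from the post, else None."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    tokens = cmd.split()
    low = [t.lower() for t in tokens]

    # "net user <account> /active:no"; net1.exe is the worker net.exe spawns
    if image in ("net.exe", "net1.exe") and "user" in low and "/active:no" in low:
        return ("User account disabled", _arg_after(tokens, "user"))

    # netsh firewall|advfirewall ... off|disable (substring "firewall" covers both)
    if image == "netsh.exe" and "firewall" in cmd.lower() and ("off" in low or "disable" in low):
        return ("Windows Firewall disabled", cmd)

    # "wevtutil sl <channel> /e:false" turns a log channel off
    if image == "wevtutil.exe" and "sl" in low and "/e:false" in low:
        return ("Event logging disabled", _arg_after(tokens, "sl"))

    return None


def hunt_processes(events):
    """Apply classify_process to every event; return findings with the
    host, user and parent process needed to pivot further."""
    findings = []
    for ev in events:
        hit = classify_process(ev)
        if hit:
            technique, detail = hit
            findings.append({"technique": technique, "detail": detail,
                             "host": ev.get("Computer"), "user": ev.get("User"),
                             "parent": ev.get("ParentImage"), "image": ev.get("Image")})
    return findings


# Constructed samples; hosts and users mirror the post's lab findings.
SAMPLE_EVENTS = [
    {"Computer": "project-london-host", "User": "PROJECT-LONDON-\\Administrator",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe", "Image": "C:\\Windows\\SysWOW64\\net.exe",
     "CommandLine": "net user draken /active:no"},
    {"Computer": "win-dc-892.attackrange.local", "User": "ATTACKRANGE\\Administrator",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"Computer": "win-dc-365.attackrange.local", "User": "ATTACKRANGE\\Administrator",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe sl Security /e:false"},
    {"Computer": "project-london-host", "User": "PROJECT-LONDON-\\Administrator",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user draken /active:yes"},  # re-enable: must not fire
    {"Computer": "win-dc-365.attackrange.local", "User": "ATTACKRANGE\\Administrator",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5"},  # query, not disable
]

if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_EVENTS):
        print(f"{f['technique']} ({f['detail']}): host={f['host']} user={f['user']} "
              f"parent={f['parent']}")
```

The parent image is kept in each finding because, as in the net.exe case above, the interesting pivot is usually which process spawned the utility rather than the utility itself.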
If you've got massive Windows logs, Gigasheet makes it easy to hunt for these common security evasion techniques. Create your free account today, and test it out for yourself!