Defense Evasion
Disabling Security Software
Look out for attempts to disable security software such as Defender, or to revert its signatures. Use keywords or sentences associated with disabling whichever security product you use (case in point: "DisableRealTimeMonitoring" is part of the PowerShell command that disables Windows Defender's real-time monitoring):
host.name:WKSTN-* and ("DisableRealTimeMonitoring" or "RemoveDefinitions")
Don't forget to check the PIDs of the parent processes, to see whether they can be correlated with artefacts found during the previous "Execution" step.
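The query above plus the parent-PID correlation, written out as detection logic in Python. This is an added example, not part of the original notes: the event records are constructed in a flattened ECS-style layout (Sysmon event ID 1 standing in for process creation), the field names and the `keyword_hits`/`parent_chain`/`triage` functions are my own, and the keyword match is done case-insensitively over every string field, which is roughly what a free-text term does in Kibana.

```python
import fnmatch
from typing import Dict, Iterable, List

Event = Dict[str, object]

# Constructed sample telemetry in a flattened ECS-style layout (not real logs).
# winlog.event_id 1 stands for Sysmon process creation as shipped by Winlogbeat.
SAMPLE_EVENTS: List[Event] = [
    {"@timestamp": "2024-05-01T08:55:00Z", "host.name": "WKSTN-042", "winlog.event_id": 1,
     "process.pid": 3890, "process.parent.pid": 1200, "user.name": "jdoe",
     "process.executable": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "process.command_line": r"WINWORD.EXE C:\Users\jdoe\Downloads\invoice.docm"},
    {"@timestamp": "2024-05-01T09:00:00Z", "host.name": "WKSTN-042", "winlog.event_id": 1,
     "process.pid": 4120, "process.parent.pid": 3890, "user.name": "jdoe",
     "process.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": "cmd.exe /c start /min powershell"},
    {"@timestamp": "2024-05-01T09:00:01Z", "host.name": "WKSTN-042", "winlog.event_id": 1,
     "process.pid": 4312, "process.parent.pid": 4120, "user.name": "jdoe",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.command_line": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"@timestamp": "2024-05-01T09:00:05Z", "host.name": "WKSTN-042", "winlog.event_id": 1,
     "process.pid": 4400, "process.parent.pid": 4120, "user.name": "jdoe",
     "process.executable": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "process.command_line": "MpCmdRun.exe -RemoveDefinitions -All"},
    # Same keyword on a server: outside the host.name:WKSTN-* scope of the query.
    {"@timestamp": "2024-05-01T10:00:00Z", "host.name": "SRV-FILE01", "winlog.event_id": 1,
     "process.pid": 812, "process.parent.pid": 600, "user.name": "SYSTEM",
     "process.executable": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "process.command_line": "MpCmdRun.exe -RemoveDefinitions -DynamicSignatures"},
]

KEYWORDS = ("DisableRealTimeMonitoring", "RemoveDefinitions")


def keyword_hits(events: Iterable[Event], host_pattern: str = "WKSTN-*",
                 keywords: Iterable[str] = KEYWORDS) -> List[Event]:
    """Equivalent of host.name:WKSTN-* and ("DisableRealTimeMonitoring" or "RemoveDefinitions").
    Terms are matched case-insensitively over every string field; PowerShell parameter
    names are case-insensitive anyway, so -DisableRealtimeMonitoring must still hit."""
    needles = [k.lower() for k in keywords]
    hits = []
    for ev in events:
        if not fnmatch.fnmatch(str(ev.get("host.name", "")), host_pattern):
            continue
        haystack = " ".join(v for v in ev.values() if isinstance(v, str)).lower()
        if any(n in haystack for n in needles):
            hits.append(ev)
    return hits


def parent_chain(events: Iterable[Event], hit: Event, max_depth: int = 10) -> List[str]:
    """Walk process.parent.pid back through process-creation events on the same host.
    For each PID take the most recent creation before the child started, so PID reuse
    does not send the walk down the wrong branch. Returns executables, nearest parent first."""
    creations = [e for e in events
                 if e["winlog.event_id"] == 1 and e["host.name"] == hit["host.name"]]
    chain, current = [], hit
    for _ in range(max_depth):
        candidates = [e for e in creations
                      if e["process.pid"] == current["process.parent.pid"]
                      and e["@timestamp"] <= current["@timestamp"]]
        if not candidates:
            break  # parent started before logging began, or was never recorded
        current = max(candidates, key=lambda e: e["@timestamp"])
        chain.append(str(current["process.executable"]).rsplit("\\", 1)[-1])
    return chain


def triage(events: List[Event]) -> List[Dict[str, object]]:
    """Attach user and parent chain to each hit: the correlation against the earlier
    Execution-phase artefacts mentioned in the notes."""
    return [{"host": h["host.name"], "user": h["user.name"],
             "command": h["process.command_line"], "parents": parent_chain(events, h)}
            for h in keyword_hits(events)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample both workstation hits resolve to the chain cmd.exe then WINWORD.EXE, which is the kind of link back to an Office-document execution that makes the Defender tampering worth escalating; the same command on SRV-FILE01 is dropped by the host filter, as in the original query.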
Log deletion attempts
Keep an eye out for event ID 1102 (log deletion), and check the surrounding events when you find one:
host.name: WKSTN-* AND winlog.event_id: 1102
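The 1102 hunt with the "surrounding events" step done programmatically: for each log-clear on a workstation, pull what the same host logged in a window around it. This is an added example, not from the original notes; the Security-log records are constructed, the window size and the `find_log_clears`/`context_window`/`investigate` names are my own choices.

```python
import fnmatch
from datetime import datetime, timedelta
from typing import Dict, List

Event = Dict[str, object]

# Constructed Windows Security log sample in a flattened ECS-style layout; not real telemetry.
# winlog.event_id is an integer here; some pipelines index it as a string, hence the int() casts.
SAMPLE_EVENTS: List[Event] = [
    {"@timestamp": "2024-05-01T09:10:00Z", "host.name": "WKSTN-042", "winlog.event_id": 4624,
     "user.name": "jdoe", "winlog.event_data.LogonType": "10"},
    {"@timestamp": "2024-05-01T09:12:30Z", "host.name": "WKSTN-042", "winlog.event_id": 4688,
     "user.name": "jdoe", "process.command_line": "wevtutil.exe cl Security"},
    {"@timestamp": "2024-05-01T09:12:31Z", "host.name": "WKSTN-042", "winlog.event_id": 1102,
     "user.name": "jdoe"},
    {"@timestamp": "2024-05-01T09:12:40Z", "host.name": "WKSTN-042", "winlog.event_id": 4634,
     "user.name": "jdoe"},
    # Another workstation at the same moment: must not be pulled into WKSTN-042's context.
    {"@timestamp": "2024-05-01T09:12:32Z", "host.name": "WKSTN-017", "winlog.event_id": 4688,
     "user.name": "mwhite", "process.command_line": "notepad.exe"},
    # Same host, hours later: outside the window.
    {"@timestamp": "2024-05-01T11:00:00Z", "host.name": "WKSTN-042", "winlog.event_id": 4624,
     "user.name": "jdoe"},
    # A 1102 on a server: outside the host.name:WKSTN-* scope.
    {"@timestamp": "2024-05-01T12:00:00Z", "host.name": "SRV-DC01", "winlog.event_id": 1102,
     "user.name": "Administrator"},
]


def parse_ts(value: object) -> datetime:
    """ISO-8601 with a trailing Z, as Elastic stores @timestamp."""
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def find_log_clears(events: List[Event], host_pattern: str = "WKSTN-*") -> List[Event]:
    """Equivalent of host.name: WKSTN-* AND winlog.event_id: 1102."""
    return [e for e in events
            if int(e["winlog.event_id"]) == 1102
            and fnmatch.fnmatch(str(e["host.name"]), host_pattern)]


def context_window(events: List[Event], anchor: Event,
                   before: timedelta = timedelta(minutes=5),
                   after: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Everything the same host logged shortly before and after the anchor, oldest first.
    Once the Security log is cleared, 1102 is the first entry left in it, so the events
    before it survive only in the copy already shipped to the SIEM."""
    t0 = parse_ts(anchor["@timestamp"])
    same_host = [e for e in events if e["host.name"] == anchor["host.name"]]
    window = [e for e in same_host if t0 - before <= parse_ts(e["@timestamp"]) <= t0 + after]
    return sorted(window, key=lambda e: parse_ts(e["@timestamp"]))


def investigate(events: List[Event]) -> List[Dict[str, object]]:
    """One record per log-clear, with the surrounding events attached for the analyst."""
    return [{"anchor": a, "context": context_window(events, a)} for a in find_log_clears(events)]


if __name__ == "__main__":
    for case in investigate(SAMPLE_EVENTS):
        print(case["anchor"]["host.name"], [e["winlog.event_id"] for e in case["context"]])
```

On the sample, the context for the WKSTN-042 clear is the logon, the process creation that ran the clear, the 1102 itself and the logoff, in that order; the server's 1102 and the other workstation's activity are excluded by the host filter and the per-host window respectively.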
Execution via process injection
Process injection is a topic I've already covered on my personal blog (thanks to Sektor7's course), and I won't be re-doing it here. However, one can spot the use of specific functions associated with this technique, like CreateRemoteThread, by using event ID 8, which records a process creating a new thread inside another process:
host.hostname:WKSTN-* and winlog.event_id:8
It is then up to the analyst to work out what is unusual behaviour, by looking at which processes are creating threads inside others, and which user is responsible for it (SYSTEM in most normal cases).
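One way to turn the "what is unusual" judgement into code: scope to event ID 8 on workstations, count on how many hosts each source-image/target-image pair occurs, and flag pairs that are rare across the fleet or that were created by a user other than SYSTEM. This is an added example, not from the original notes; the events are constructed, the `winlog.event_data.*` field names follow the Sysmon schema but are an assumption about your pipeline's mapping, the endpoint agent path is hypothetical, and the `min_hosts` threshold is a knob to tune against your own baseline period and fleet size.

```python
import fnmatch
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]


def _ev(host: str, source: str, target: str, user: str) -> Event:
    """Constructed Sysmon event ID 8 record in a flattened layout. The winlog.event_data.*
    names follow the Sysmon schema; adjust them to whatever your pipeline maps them to."""
    return {"host.hostname": host, "winlog.event_id": 8,
            "winlog.event_data.SourceImage": source,
            "winlog.event_data.TargetImage": target,
            "winlog.event_data.SourceUser": user}


AGENT = r"C:\Program Files\ExampleAV\agent.exe"  # hypothetical endpoint agent, not a real product
SAMPLE_EVENTS: List[Event] = [
    # The agent creating threads in explorer.exe as SYSTEM on many hosts: fleet-wide, expected.
    _ev(f"WKSTN-{n:03d}", AGENT, r"C:\Windows\explorer.exe", r"NT AUTHORITY\SYSTEM")
    for n in range(1, 6)
] + [
    _ev("WKSTN-042", AGENT, r"C:\Windows\explorer.exe", r"NT AUTHORITY\SYSTEM"),
    # A binary in a user-writable directory creating a thread in a browser, as the logged-on user.
    _ev("WKSTN-042", r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
        r"C:\Program Files\Mozilla Firefox\firefox.exe", r"CORP\jdoe"),
    # Runs as SYSTEM, but this source/target pair exists on a single workstation only.
    _ev("WKSTN-017", r"C:\Windows\Temp\svc.exe", r"C:\Windows\System32\lsass.exe",
        r"NT AUTHORITY\SYSTEM"),
    # Outside the host.hostname:WKSTN-* scope.
    _ev("SRV-DC01", r"C:\Windows\Temp\svc.exe", r"C:\Windows\System32\lsass.exe",
        r"NT AUTHORITY\SYSTEM"),
]


def in_scope(events: List[Event], host_pattern: str = "WKSTN-*") -> List[Event]:
    """Equivalent of host.hostname:WKSTN-* and winlog.event_id:8."""
    return [e for e in events
            if int(e["winlog.event_id"]) == 8
            and fnmatch.fnmatch(str(e["host.hostname"]), host_pattern)]


def pair_prevalence(events: List[Event]) -> Dict[Tuple[str, str], Set[str]]:
    """Which hosts have seen each (source image, target image) pair. Built over a real
    baseline period this is the 'what is normal here' table the analyst otherwise keeps in their head."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        key = (str(e["winlog.event_data.SourceImage"]), str(e["winlog.event_data.TargetImage"]))
        seen[key].add(str(e["host.hostname"]))
    return seen


def flag_unusual(events: List[Event], min_hosts: int = 3,
                 host_pattern: str = "WKSTN-*") -> List[Dict[str, object]]:
    """Flag event 8 records whose source/target pair is rare across the fleet, or whose
    creating user is not SYSTEM. Each finding carries every reason that applied."""
    scoped = in_scope(events, host_pattern)
    prevalence = pair_prevalence(scoped)
    findings = []
    for e in scoped:
        source = str(e["winlog.event_data.SourceImage"])
        target = str(e["winlog.event_data.TargetImage"])
        user = str(e["winlog.event_data.SourceUser"])
        reasons = []
        hosts = len(prevalence[(source, target)])
        if hosts < min_hosts:
            reasons.append(f"pair seen on {hosts} host(s)")
        if not user.upper().endswith("\\SYSTEM"):
            reasons.append(f"thread created as {user}")
        if reasons:
            findings.append({"host": e["host.hostname"], "source": source,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_unusual(SAMPLE_EVENTS):
        print(f)
```

Prevalence is counted only over the scoped events, so a pair that is common on servers but appears once on a workstation is still flagged; whether that is what you want depends on how homogeneous the fleet is, which is exactly the judgement the notes leave to the analyst.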