detection.wiki

Detection rules › Splunk

Windows Impair Defense Deny Security Software With Applocker

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic detects modifications in the Windows registry by the Applocker utility that deny the execution of various security products. This detection leverages data from the Endpoint.Registry datamodel, focusing on specific registry paths and values indicating a "Deny" action against known antivirus and security software. This activity is significant as it may indicate an attempt to disable security defenses, a tactic observed in malware like Azorult. If confirmed malicious, this could allow attackers to bypass security measures, facilitating further malicious activities and persistence within the environment.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: tstats

tstats WHERE ((Registry.registry_path="*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*" Registry.registry_path="*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") OR Registry.registry_path="*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*") Registry.registry_value_data="*Action\=\"Deny\"*" Registry.registry_value_data IN ("*O=AVAST*", "*O=AVIRA*", "*O=BLEEPING COMPUTER*", "*O=DOCTOR WEB*", "*O=ESET*", "*O=GRIDINSOFT*", "*O=KASPERSKY*", "*O=MALWAREBYTES*", "*O=MCAFEE*", "*O=MICROSOFT*", "*O=NANO SECURITY*", "*O=PANDA SECURITY*", "*O=SUPERANTISPYWARE.COM*", "*O=SYMANTEC*", "*O=SYSTWEAK SOFTWARE*", "*O=TREND MICRO*", "*O=WEBROOT*") BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Registry.registry_patheq
  • "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\*"
  • "*\\Software\\Policies\\Microsoft\\Windows\\SrpV2*"
  • "*}Machine\\Software\\Policies\\Microsoft\\Windows\\SrpV2*"
Registry.registry_value_dataeq
  • "*Action\=\"Deny\"*"
Registry.registry_value_datain
  • "*O=AVAST*"
  • "*O=AVIRA*"
  • "*O=BLEEPING COMPUTER*"
  • "*O=DOCTOR WEB*"
  • "*O=ESET*"
  • "*O=GRIDINSOFT*"
  • "*O=KASPERSKY*"
  • "*O=MALWAREBYTES*"
  • "*O=MCAFEE*"
  • "*O=MICROSOFT*"
  • "*O=NANO SECURITY*"
  • "*O=PANDA SECURITY*"
  • "*O=SUPERANTISPYWARE.COM*"
  • "*O=SYMANTEC*"
  • "*O=SYSTWEAK SOFTWARE*"
  • "*O=TREND MICRO*"
  • "*O=WEBROOT*"