{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-defender/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Security Agent"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","registry modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro"],"content_html":"\u003cp\u003eAttackers commonly disable Windows Defender to evade detection and facilitate malicious activities. This involves modifying specific registry settings to either disable the service entirely or prevent it from starting automatically. The rule specifically identifies modifications to the \u003ccode\u003eDisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eWinDefend\\\\Start\u003c/code\u003e registry keys. The DFIR Report has documented this technique in real-world incidents, highlighting its effectiveness in bypassing built-in security measures. 
This allows threat actors to operate with reduced risk of detection, enabling them to deploy malware, exfiltrate data, or perform other malicious actions without immediate interference from the endpoint security solution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to obtain the necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\u003c/code\u003e registry key to disable Windows Defender, setting its value to \u0026ldquo;1\u0026rdquo; or \u0026ldquo;0x00000001\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u003ccode\u003eHKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\u003c/code\u003e registry key to prevent the Windows Defender service from starting automatically. The attacker sets the value to \u0026ldquo;3\u0026rdquo; or \u0026ldquo;4\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000003\u0026rdquo;, \u0026ldquo;0x00000004\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker verifies that Windows Defender is disabled by checking the Security Center or attempting to run a scan.\u003c/li\u003e\n\u003cli\u003eWith Windows Defender disabled, the attacker proceeds to deploy malware or execute malicious commands without interference from the antivirus software.\u003c/li\u003e\n\u003cli\u003eThe attacker may further disable security settings and block security-related indicators.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this attack can lead to a complete compromise of the affected system. 
With Windows Defender disabled, the system becomes vulnerable to malware infections, data exfiltration, and other malicious activities. This can result in financial losses, data breaches, and reputational damage for the targeted organization. The lack of immediate detection allows attackers to establish persistence and expand their foothold within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Registry Modification to Disable Windows Defender\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized changes to Windows Defender registry settings.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\u003c/code\u003e and \u003ccode\u003eHKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\u003c/code\u003e registry keys using the provided log sources.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process and user account responsible for the registry modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-defender-registry-disable/","summary":"Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.","title":"Windows Defender Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-registry-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows 
Defender"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers commonly attempt to disable or weaken Windows Defender to evade detection and facilitate malicious activities. This involves using PowerShell commands like \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e to modify Defender\u0026rsquo;s configuration. Adversaries may also utilize base64 encoding to obfuscate these commands, bypassing simple command-line inspection. This activity typically occurs post-compromise, as part of a broader attack chain, and allows for the deployment of malware or other malicious tools without interference from the built-in antivirus. Detection of these techniques is crucial for maintaining the integrity of the system and preventing further damage. The scope of this threat includes any Windows environment where PowerShell is enabled and Windows Defender is used as the primary antivirus solution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromise (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges if necessary.\u003c/li\u003e\n\u003cli\u003ePowerShell is launched, either directly or through a parent process like \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e with parameters like \u003ccode\u003e-DisableRealtimeMonitoring\u003c/code\u003e, \u003ccode\u003e-DisableIOAVProtection\u003c/code\u003e, \u003ccode\u003e-DisableBehaviorMonitoring\u003c/code\u003e, or \u003ccode\u003e-DisableBlockAtFirstSeen\u003c/code\u003e to weaken Defender.\u003c/li\u003e\n\u003cli\u003eAlternatively, 
the attacker crafts a base64-encoded PowerShell command that performs the same actions.\u003c/li\u003e\n\u003cli\u003eThe encoded command is executed using the \u003ccode\u003e-EncodedCommand\u003c/code\u003e or \u003ccode\u003e-enc\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eWindows Defender\u0026rsquo;s security settings are modified, reducing its effectiveness.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with deploying malware, exfiltrating data, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these commands results in a weakened or disabled Windows Defender, leaving the system vulnerable to malware infections and other threats. This can lead to data breaches, system compromise, and financial loss. The impact is especially significant in environments where Windows Defender is the primary security solution. While the number of victims is unknown, the technique is widely applicable across Windows environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for PowerShell executions (\u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e) with command-line arguments related to disabling Windows Defender using the Sigma rule \u0026ldquo;Detect Suspicious PowerShell Encoded Commands\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the full content of executed scripts, which can reveal base64-encoded commands (reference: \u003ca href=\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\"\u003ehttps://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Windows Defender 
Security Settings via PowerShell\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e commands with arguments disabling real-time monitoring, IOAV protection, behavior monitoring, or block-at-first-seen features.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-defender-powershell/","summary":"Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.","title":"Disabling Windows Defender Security Settings via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-defender-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MsMpEng.exe","Windows Defender","TeamViewer","SentinelOne Cloud Funnel","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["remotemonologue","defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","TeamViewer","SentinelOne"],"content_html":"\u003cp\u003eThe RemoteMonologue attack technique abuses Component Object Model (COM) objects to coerce authentication from a remote system. This is achieved by modifying the \u003ccode\u003eRunAs\u003c/code\u003e registry value associated with a COM object. Setting this value to \u0026ldquo;Interactive User\u0026rdquo; forces the COM object to run under the context of the interactive user, enabling attackers to hijack sessions and potentially escalate privileges. This technique is often used as a defense evasion or persistence mechanism by adversaries after gaining initial access to a system. The attack involves modifying registry keys associated with COM objects to trigger NTLM authentication coercion. 
This can be used for lateral movement and gaining access to sensitive resources. This rule is designed to detect registry modifications indicative of the RemoteMonologue attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eIdentify COM Objects: The attacker identifies suitable COM objects for abuse.\u003c/li\u003e\n\u003cli\u003eModify Registry: The attacker modifies the registry to set the \u003ccode\u003eRunAs\u003c/code\u003e value for the selected COM object to \u003ccode\u003eInteractive User\u003c/code\u003e. This involves modifying the registry path \u003ccode\u003eHKCR\\AppID\\{Clsid}\\RunAs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eTrigger COM Object Execution: The attacker triggers the execution of the modified COM object, potentially through a remote procedure call or other inter-process communication mechanisms.\u003c/li\u003e\n\u003cli\u003eAuthentication Coercion: The execution of the COM object triggers NTLM authentication to a system controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eRelay Attack: The attacker relays the coerced NTLM authentication to gain access to other resources on the network.\u003c/li\u003e\n\u003cli\u003eSession Hijacking: Successful relay leads to session hijacking, allowing the attacker to impersonate the user.\u003c/li\u003e\n\u003cli\u003eLateral Movement/Privilege Escalation: The attacker uses the hijacked session for lateral movement or privilege escalation within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful RemoteMonologue attack can lead to unauthorized access to sensitive systems and data. By coercing authentication and hijacking sessions, attackers can bypass security controls and escalate their privileges within the network. 
The scope of the impact depends on the privileges of the hijacked user account and the resources accessible to that account. This attack can enable lateral movement, data exfiltration, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect RemoteMonologue Registry Modification\u003c/code\u003e to your SIEM to identify suspicious registry modifications related to COM object hijacking.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the registry event logs and identifying the user account and process responsible for the registry modification.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring on critical systems to detect any attempts to modify COM object registry settings.\u003c/li\u003e\n\u003cli\u003eBlock the attack by ensuring the \u0026ldquo;RunAs\u0026rdquo; value is not set to \u0026ldquo;Interactive User\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remotemonologue-regmod/","summary":"This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.","title":"Potential RemoteMonologue Attack via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-remotemonologue-regmod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Antimalware Service Executable","Windows Defender","Microsoft Security Client","Elastic Defend","CrowdStrike Falcon","Microsoft Defender 
XDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances. Attackers may attempt to evade defenses through DLL side-loading or by masquerading as the antimalware process. This technique is used to blend in with legitimate system activity and avoid detection by security tools. This rule is designed to detect instances where MsMpEng.exe is executed from unexpected locations or has been renamed, potentially indicating malicious activity. The rule leverages process monitoring data to identify deviations from the expected execution patterns of the antimalware service. This behavior has been seen associated with ransomware attacks, such as REvil.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious payload onto the system, placing it in a non-standard directory, such as a temporary folder or a user\u0026rsquo;s profile directory.\u003c/li\u003e\n\u003cli\u003eThe attacker renames or copies the legitimate MsMpEng.exe to the malicious payload\u0026rsquo;s location.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or copied MsMpEng.exe from the non-standard location. 
This is intended to mimic legitimate activity and evade detection.\u003c/li\u003e\n\u003cli\u003eThe malicious MsMpEng.exe then loads a malicious DLL through DLL side-loading, which executes arbitrary code within the context of the antimalware process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as disabling security controls, escalating privileges, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, including the disabling of security controls, data theft, and ransomware deployment. This can result in significant financial losses, reputational damage, and disruption of business operations. Identifying and responding to this type of attack is critical to prevent further damage. 
The Sophos article references the REvil ransomware attack which impacted hundreds of businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture process execution events, including image path and command-line arguments, which are essential for detecting this behavior.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious MsMpEng.exe execution from unusual paths or renamed instances.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the MsMpEng.exe execution and identify any potential malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances where the process name is \u0026ldquo;MsMpEng.exe\u0026rdquo; but the executable path is outside the standard Windows Defender or Microsoft Security Client directories.\u003c/li\u003e\n\u003cli\u003eReview the references provided for additional context and guidance on investigating this type of activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-windefend-unusual-path/","summary":"Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.","title":"Suspicious Microsoft Antimalware Service Executable Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-windefend-unusual-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Cisco AnyConnect Secure Mobility Client","Cisco Secure Client","Oracle 
Database"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lsass","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cisco","Oracle"],"content_html":"\u003cp\u003eThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for enforcing security policies and handling user authentication. Attackers often target LSASS to extract credentials, enabling unauthorized access and privilege escalation. This detection rule identifies suspicious access attempts to LSASS memory, which may indicate credential dumping activities. It filters out common legitimate processes and access patterns to highlight anomalous behaviors associated with credential theft. The rule is designed to detect unauthorized access attempts by monitoring process access events and filtering out known benign processes that interact with LSASS. It helps defenders identify potential credential access attempts before they lead to significant compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process or script on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to gain a handle to the LSASS process.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s tool requests specific access rights to LSASS, such as \u003ccode\u003eReadProcessMemory\u003c/code\u003e (0x0010) or \u003ccode\u003ePROCESS_QUERY_INFORMATION\u003c/code\u003e (0x0400), which are necessary for memory dumping.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s process bypasses or disables endpoint detection and response (EDR) solutions to avoid detection.\u003c/li\u003e\n\u003cli\u003eThe tool dumps the LSASS memory, extracting sensitive information like usernames, passwords, and Kerberos 
tickets.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network, accessing other systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful LSASS memory dump can lead to the compromise of domain credentials, allowing attackers to move laterally within the network and gain access to sensitive data and systems. This can result in data breaches, financial loss, and reputational damage. Organizations across all sectors are vulnerable, particularly those with weak credential management practices. A single compromised account can lead to widespread damage, potentially affecting thousands of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process access event logging (Event ID 10) as described in the setup instructions linked in the rule to collect the necessary data.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Lsass Process Access\u0026rdquo; to your SIEM and tune the exclusions based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eReview and harden privileged account management practices to limit the impact of credential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual process creation events, especially those spawning from unexpected locations, to identify potential initial access points.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for vulnerabilities and apply patches to prevent exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-lsass-access/","summary":"This rule identifies suspicious access attempts to the LSASS process, potentially 
indicating credential dumping attempts by filtering out legitimate processes and access patterns to focus on anomalies.","title":"Suspicious LSASS Process Access","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-lsass-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","ingress-tool-transfer","windows","mpcmdrun"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the built-in Windows Defender command-line utility, \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e, to download files from remote locations. This technique allows attackers to bypass traditional download restrictions and blend in with legitimate system activity. The \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e utility is normally used to manage Windows Defender settings and perform tasks such as signature updates and scans. However, its \u003ccode\u003e-DownloadFile\u003c/code\u003e parameter can be abused to download arbitrary files from a specified URL. This activity was first publicly reported around September 2020. Defenders should monitor for unusual usage patterns of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e, especially those involving command-line arguments related to file downloads from external sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a target system through an unrelated vulnerability or existing compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e to download a file from a remote server. 
The command includes arguments like \u003ccode\u003e-DownloadFile\u003c/code\u003e, \u003ccode\u003e-url\u003c/code\u003e, and \u003ccode\u003e-path\u003c/code\u003e to specify the download location and save path.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to a location on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the downloaded file. This could be a malicious executable, a script, or a configuration file.\u003c/li\u003e\n\u003cli\u003eThe executed file performs further malicious actions on the system, such as establishing persistence, escalating privileges, or deploying additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally within the network, compromising other systems and resources.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their ultimate objective, such as data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to introduce arbitrary malicious code into the system, potentially leading to a wide range of adverse effects, including data theft, system compromise, and disruption of operations. While individual cases may be limited in scope, widespread exploitation could impact numerous organizations, resulting in significant financial losses and reputational damage. 
The use of a trusted system utility makes this technique harder to detect using traditional methods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMpCmdRun Remote File Download\u003c/code\u003e to your SIEM to detect the malicious use of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e for downloading files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function.\u003c/li\u003e\n\u003cli\u003eReview historical process execution logs for instances of \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e being used with the \u003ccode\u003e-DownloadFile\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables downloaded by \u003ccode\u003eMpCmdRun.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-mpcmdrun-remote-file-copy/","summary":"Attackers are abusing the Windows Defender MpCmdRun.exe utility to download remote files, potentially delivering malware or offensive tools into compromised systems.","title":"MpCmdRun.exe Used for Remote File Download","url":"https://feed.craftedsignal.io/briefs/2024-01-03-mpcmdrun-remote-file-copy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently attempt to disable or weaken Windows Defender to facilitate the execution of malware and other malicious activities. 
This is often achieved through the use of PowerShell commands like \u003ccode\u003eSet-MpPreference\u003c/code\u003e and \u003ccode\u003eAdd-MpPreference\u003c/code\u003e, which can modify various Defender settings. To evade detection, adversaries may encode these commands using Base64, making it more difficult for traditional command-line inspection techniques to identify the malicious intent. This activity is a common tactic in post-exploitation scenarios, allowing attackers to operate with reduced risk of being detected by the built-in antivirus solution. Detection of this behavior is critical for identifying and responding to potential intrusions. The Elastic detection rule aims to catch both standard and encoded PowerShell commands used for this purpose.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to modify Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003epowershell.exe\u003c/code\u003e process to execute commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e to disable real-time monitoring.\u003c/li\u003e\n\u003cli\u003eThe attacker may use Base64 encoding (e.g., using the \u003ccode\u003e-EncodedCommand\u003c/code\u003e parameter) to obfuscate the PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe encoded command is executed, modifying Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eWindows Defender\u0026rsquo;s real-time monitoring is disabled, allowing the attacker to execute malicious payloads without immediate detection.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with their objectives, such as deploying ransomware 
or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of Windows Defender can lead to a significant increase in the risk of malware infection and data breach. With real-time protection disabled, the system becomes vulnerable to various threats, including ransomware, Trojans, and other malicious software. This can result in data loss, system compromise, and potential financial damages. The impact can be severe, especially if the compromised system handles sensitive information or is critical to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Disabling Windows Defender Security Settings via PowerShell\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to gain better visibility into the commands being executed (referenced in Sysmon setup instructions).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for PowerShell processes executing commands with \u003ccode\u003e-EncodedCommand\u003c/code\u003e or containing specific Base64 encoded strings to detect obfuscated attempts to disable Windows Defender.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eSet-MpPreference\u003c/code\u003e or \u003ccode\u003eAdd-MpPreference\u003c/code\u003e being used, especially if accompanied by unusual parent processes or command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-disable-defender-powershell/","summary":"Attackers use PowerShell commands like Set-MpPreference or Add-MpPreference, often with base64 encoding, to disable or weaken Windows Defender security settings in order to evade detection and execute malicious payloads.","title":"Disabling Windows Defender 
Security Settings via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-02-disable-defender-powershell/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Defender","version":"https://jsonfeed.org/version/1.1"}