{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/applocker/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Azorult"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["applocker","powershell","defense-evasion","endpoint"],"_cs_type":"threat","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat brief outlines the detection of malicious PowerShell activity involving the import of AppLocker policies. Attackers may use AppLocker to enforce restrictive policies on compromised systems, which can lead to the disabling of security products like antivirus software, as observed with the Azorult malware. The activity is detected through PowerShell Script Block Logging, specifically EventCode 4104, which captures and analyzes script block text for the use of \u0026ldquo;Import-Module Applocker\u0026rdquo; and \u0026ldquo;Set-AppLockerPolicy\u0026rdquo; commands with an XML policy file. Detecting this activity early is crucial to prevent attackers from establishing persistence and further compromising the system by bypassing security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script to import the AppLocker module using \u003ccode\u003eImport-Module Applocker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script then uses \u003ccode\u003eSet-AppLockerPolicy\u003c/code\u003e to apply a new AppLocker policy.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e-XMLPolicy\u003c/code\u003e parameter is used to specify an XML file containing the malicious AppLocker rules.\u003c/li\u003e\n\u003cli\u003eThe new AppLocker policy restricts the execution of legitimate applications, including antivirus software.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by ensuring the malicious AppLocker policy is applied at system startup.\u003c/li\u003e\n\u003cli\u003eWith security controls disabled, the attacker deploys and executes additional malware or performs lateral movement.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete bypass of endpoint security controls, leaving systems vulnerable to malware infections and data breaches. This can result in significant financial losses, reputational damage, and legal liabilities. If security software is disabled on a large number of endpoints, the impact is organization-wide.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode 4104) on all endpoints to capture the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AppLocker Policy Import via PowerShell\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eScriptBlockText\u003c/code\u003e and the source of the PowerShell execution.\u003c/li\u003e\n\u003cli\u003eImplement strict AppLocker policies to prevent unauthorized applications from running.\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for unexpected changes to AppLocker policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:23:00Z","date_published":"2024-01-03T18:23:00Z","id":"/briefs/2024-01-powershell-applocker-policy-import/","summary":"Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.","title":"Detect PowerShell AppLocker Policy Import Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-powershell-applocker-policy-import/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["applocker","defense-evasion","powershell"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief focuses on detecting the suspicious use of PowerShell to import AppLocker XML policies. Attackers may leverage this technique to impair defenses by modifying AppLocker policies to allow malicious executables or scripts to run, bypassing existing security measures. The observed behavior involves the use of \u0026ldquo;Import-Module Applocker\u0026rdquo; and \u0026ldquo;Set-AppLockerPolicy\u0026rdquo; commands combined with the \u0026ldquo;-XMLPolicy\u0026rdquo; parameter. This activity has been linked to malware such as Azorult, where adversaries attempt to weaken endpoint security to facilitate further compromise. Defenders should prioritize monitoring for this behavior, as successful manipulation of AppLocker policies can lead to significant security breaches and persistent access for malicious actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (details of initial access are not provided in the source).\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker imports the AppLocker module using \u003ccode\u003eImport-Module Applocker\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eSet-AppLockerPolicy\u003c/code\u003e cmdlet with the \u003ccode\u003e-XMLPolicy\u003c/code\u003e parameter to specify a path to a malicious AppLocker XML policy file.\u003c/li\u003e\n\u003cli\u003eThe malicious AppLocker policy is applied, potentially whitelisting attacker-controlled files or paths.\u003c/li\u003e\n\u003cli\u003eThe attacker executes previously blocked malicious code, leveraging the modified AppLocker policy.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence and further compromises the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack allows adversaries to impair endpoint defenses by modifying AppLocker policies. This can lead to the execution of malware that would otherwise be blocked. The observed behavior has been linked to the Azorult malware family. The compromise of endpoint security can allow for persistence, data exfiltration, and further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect AppLocker Policy Import via PowerShell\u003c/code\u003e to your SIEM to detect suspicious AppLocker policy modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 and Windows Event Log Security 4688 to provide the necessary process creation and command-line auditing for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003eImport-Module Applocker\u003c/code\u003e and \u003ccode\u003eSet-AppLockerPolicy\u003c/code\u003e are used together, especially when the \u003ccode\u003e-XMLPolicy\u003c/code\u003e parameter is present.\u003c/li\u003e\n\u003cli\u003eReview existing AppLocker policies for unexpected or unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-applocker-xml-import/","summary":"Detection of PowerShell commands used to import AppLocker XML policies, potentially indicating an attempt to bypass security controls, as observed with Azorult malware.","title":"Suspicious AppLocker XML Policy Import via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-applocker-xml-import/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["applocker","defense-evasion","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Symantec","McAfee","Kaspersky","Panda Security","SysTweak Software","Trend Micro","Avast","Gridinsoft","Microsoft","NANO Security","SUPERAntiSpyware.com","Doctor Web","Malwarebytes","ESET","Avira","Webroot","Splunk"],"content_html":"\u003cp\u003eAttackers can leverage AppLocker to modify the Windows registry to deny the execution of security products, effectively impairing defenses. This technique involves manipulating registry keys and values associated with AppLocker policies to block specific antivirus and security software. This activity is often associated with malware such as Azorult, which attempts to disable or bypass security measures. By successfully blocking security software, attackers can facilitate further malicious activities, such as malware installation, data exfiltration, and persistence within the compromised environment. Defenders should monitor for unusual AppLocker registry modifications that target known security product vendors to identify potential attempts to disable defenses.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to gain administrative access, required to modify AppLocker policies.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the registry keys associated with AppLocker policies, specifically targeting the Software Restriction Policies (SRP) to deny execution of security software.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eregistry_value_data\u003c/code\u003e within \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\\u003c/code\u003e to include Action=\u0026ldquo;Deny\u0026rdquo; for targeted security vendors like Symantec, McAfee, or Kaspersky.\u003c/li\u003e\n\u003cli\u003eAppLocker policies are updated based on the modified registry settings.\u003c/li\u003e\n\u003cli\u003eThe targeted security software is prevented from executing, effectively disabling or impairing its functionality.\u003c/li\u003e\n\u003cli\u003eAttacker proceeds to install malware, exfiltrate data, or establish persistence without interference from the disabled security software.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a significant degradation of the security posture of the affected system. By disabling or impairing security software, attackers can bypass critical defenses and gain unfettered access to sensitive data and systems. This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. The Azorult malware has been observed using this technique to disable security products.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 to monitor registry modifications and activate the provided Sigma rules (process_creation and registry_set).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect AppLocker registry modifications targeting security software vendors and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to identify potentially malicious activity, correlating with other endpoint telemetry.\u003c/li\u003e\n\u003cli\u003eReview and audit AppLocker policies to ensure they are configured correctly and not being used to block legitimate security software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-applocker-security-software-deny/","summary":"Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.","title":"AppLocker Registry Modification to Deny Security Software Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-applocker-security-software-deny/"}],"language":"en","title":"CraftedSignal Threat Feed — Applocker","version":"https://jsonfeed.org/version/1.1"}