<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Exclusion — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/exclusion/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/exclusion/feed.xml" rel="self" type="application/rss+xml"/><item><title>Windows Defender Exclusion Registry Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-registry-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-registry-modification/</guid><description>Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.</description><content:encoded><![CDATA[<p>Attackers frequently attempt to disable or bypass Windows Defender to execute malware undetected. This is often achieved by modifying the Windows Defender exclusion registry entries. By adding exclusions, attackers can prevent Windows Defender from scanning specific files, folders, or processes. This technique allows malware to operate freely, potentially leading to system compromise. The reported activity focuses on modifications to the registry path &ldquo;<em>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</em>&rdquo;, which is a common target for threat actors. 
This technique can be observed across various malware families, including Remcos RAT, Qakbot, and XWorm, as well as in NetSupport RMM Tool Abuse scenarios, highlighting its versatility and effectiveness in defense evasion. Detecting and preventing these modifications is crucial for maintaining endpoint security.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is gained through various methods (not specified in source).</li>
<li>The attacker elevates privileges to gain necessary permissions (not specified in source).</li>
<li>The attacker modifies the registry key <code>HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</code> or similar paths.</li>
<li>Specifically, the attacker adds or modifies registry values within the <code>Exclusions</code> key to exclude specific files, folders, or processes from Windows Defender scanning.</li>
<li>The attacker verifies the successful creation or modification of the exclusion by querying the registry.</li>
<li>Malicious code is then executed in the excluded location or process, bypassing Windows Defender&rsquo;s real-time scanning.</li>
<li>The attacker maintains persistence by ensuring the exclusion remains active across reboots.</li>
<li>The attacker performs further malicious activities, such as data exfiltration or lateral movement, undetected by Windows Defender.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of Windows Defender exclusion registry entries allows attackers to bypass antivirus protection. This can lead to the execution of malicious code without detection, enabling persistence, data exfiltration, and other malicious activities. The impact can range from individual system compromise to broader network infections, depending on the attacker&rsquo;s objectives. Several malware families, including Remcos RAT, Qakbot, and XWorm, use this technique, demonstrating its widespread use. A Microsoft blog post referenced destructive malware targeting Ukrainian organizations, suggesting potential for significant operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon Event ID 13 (RegistryEvent: Value Set) to capture registry value modifications; this is the data source the detections require.</li>
<li>Deploy the Sigma rule <code>Detect Windows Defender Exclusion Added</code> to identify suspicious registry modifications related to Windows Defender exclusions.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on processes modifying the Windows Defender exclusion registry keys.</li>
<li>Review and audit existing Windows Defender exclusions to identify any unauthorized or suspicious entries.</li>
<li>Ensure the Sysmon TA (add-on) is at least version 2.0, as noted in the referenced content, so that endpoint logs are ingested correctly.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>windows</category><category>endpoint</category><category>registry</category><category>defender</category><category>exclusion</category><category>defense-evasion</category><category>malware</category></item><item><title>Windows Defender Exclusion Added or Modified via Command Line</title><link>https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion/</guid><description>Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.</description><content:encoded><![CDATA[<p>Attackers often attempt to evade detection by security tools like Windows Defender. One common technique involves adding exclusions to prevent Defender from scanning or detecting malicious files, processes, or network activity. This is often achieved by using the <code>Add-MpPreference</code> or <code>Set-MpPreference</code> PowerShell cmdlets, which can modify Defender&rsquo;s configuration. These commands are used to specify files, folders, or processes that Defender should ignore during scans. Once an exclusion is successfully added, malicious code can execute without being detected by Windows Defender. This is a significant concern for defenders because it directly undermines the effectiveness of the built-in antivirus solution. The activity detected here stems from endpoint telemetry and can often be associated with malware families such as Remcos RAT, AgentTesla, ValleyRAT, XWorm and others.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access through various means, such as phishing emails or exploiting vulnerabilities in software.</li>
<li>Privilege Escalation: Once inside the system, the attacker escalates privileges to gain administrative access, which is required to modify Windows Defender settings.</li>
<li>Discovery: The attacker performs reconnaissance to understand the system&rsquo;s configuration, including the presence and configuration of Windows Defender.</li>
<li>Defense Evasion: The attacker uses <code>Add-MpPreference</code> or <code>Set-MpPreference</code> in PowerShell to add exclusions to Windows Defender, targeting specific files, folders, or processes used by the malware. This bypasses real-time scanning and detection.</li>
<li>Execution: The attacker executes malicious code, which can now run without being detected by Windows Defender due to the added exclusions.</li>
<li>Persistence: The attacker establishes persistence by creating scheduled tasks or modifying registry keys, ensuring that the malicious code continues to run even after a system reboot. The exclusions remain in place to allow continued operation.</li>
<li>Command and Control: The malware establishes communication with a command and control (C2) server to receive further instructions and exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successfully adding exclusions allows attackers to bypass Windows Defender, leading to undetected malware execution and potentially enabling further malicious activities such as data theft, ransomware deployment, or system compromise. The number of affected systems depends on the scope of the initial compromise, but the impact can be widespread if the attacker gains access to critical systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging to capture the command-line arguments used when adding Defender exclusions, which is essential for triggering the rules below.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious <code>Add-MpPreference</code> or <code>Set-MpPreference</code> usage and tune them to your environment.</li>
<li>Investigate any instances of <code>Add-MpPreference</code> or <code>Set-MpPreference</code> commands, especially those initiated by unusual parent processes or users.</li>
<li>Regularly review and audit Windows Defender exclusions to identify and remove any unauthorized or suspicious entries.</li>
<li>Monitor the references for IoCs related to malware families abusing Windows Defender exclusions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>windowsdefender</category><category>exclusion</category><category>defense-evasion</category><category>endpoint</category></item></channel></rss>