https://feed.craftedsignal.io/tags/registry-abuse/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 18:22:34 +0000https://feed.craftedsignal.io/briefs/2024-01-disabling-defender-services/Wed, 03 Jan 2024 18:22:34 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-disabling-defender-services/This brief covers the detection of adversaries disabling Windows Defender services by modifying specific registry keys to set the 'Start' value to '0x00000004', indicating an attempt to evade detection and maintain persistence.Attackers often disable Windows Defender services to evade detection and ensure the persistence of malware. This involves modifying specific registry keys that control the startup behavior of these services. By setting the ‘Start’ value to ‘0x00000004’, the services are effectively disabled, preventing them from running automatically. This activity is a strong indicator of malicious intent, as it directly interferes with the endpoint’s security mechanisms, leaving the system vulnerable to further compromise. The DFIR Report has documented this technique in the context of IcedID infections leading to XingLocker ransomware deployment.

Attack Chain

1. Initial access is gained through an initial vector (e.g., phishing).
2. The attacker obtains elevated privileges on the system.
3. The attacker identifies the registry keys corresponding to Windows Defender services such as WdBoot, WdFilter, WdNisDrv, WdNisSvc, WinDefend, and SecurityHealthService.
4. The attacker uses a tool like reg.exe or PowerShell to modify the Start value within these registry keys to 0x00000004. For example, reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v Start /t REG_DWORD /d 4 /f
5. The system’s security services are disabled, preventing real-time threat detection and response.
6. The attacker deploys and executes malware, such as IcedID or other payloads, without interference from Windows Defender.
7. The attacker establishes persistence mechanisms to maintain access to the compromised system.
8. Finally, the attacker may proceed to lateral movement, data exfiltration, or ransomware deployment.

Impact

Disabling Windows Defender services allows attackers to operate undetected on compromised systems, leading to potential data breaches, malware infections, and ransomware deployment. The DFIR Report details how IcedID malware employs this technique to facilitate XingLocker ransomware attacks. Successful execution results in complete loss of endpoint protection, increasing the risk of widespread infection and data compromise across the network.

Recommendation

• Enable Sysmon Event ID 13 (Registry Event) logging to monitor registry modifications (data_source).
• Deploy the Sigma rule “Detect Disabling of Windows Defender Services via Registry Modification” to your SIEM and tune for your environment.
• Investigate any alerts triggered by registry modifications to Defender service keys with a value of 0x00000004 to identify potentially compromised systems.
• Correlate registry modification events with process creation events to identify the source of the malicious activity.
• Monitor for processes accessing or modifying registry keys related to Windows Defender services (affected_products).

]]>highadvisorydefense-evasionpersistencewindowsregistry-abusehttps://feed.craftedsignal.io/briefs/2024-01-disable-app-install-control/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-disable-app-install-control/Attackers modify the Windows Registry to disable Windows Defender SmartScreen App Install Control, potentially allowing the installation of malicious web-based applications without restrictions, leading to system compromise and sensitive information exposure.Attackers are disabling the Windows Defender SmartScreen App Install Control feature by modifying specific registry keys. This action circumvents a built-in Windows security control designed to prevent the installation of potentially malicious applications downloaded from the web. This allows for the installation of harmful applications without user prompts or restrictions, significantly increasing the risk of system compromise. This behavior, while not commonly seen in default configurations, allows for increased attack opportunities. The targeting scope includes Windows systems where the App Install Control feature is enabled, and success allows for further malicious payloads to be executed.

Attack Chain

1. An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
2. The attacker escalates privileges to gain administrative rights if necessary.
3. The attacker uses a command-line tool like reg.exe or PowerShell to modify the registry.
4. The attacker modifies the ConfigureAppInstallControl value under the HKLM:\SOFTWARE\Microsoft\Windows Defender\SmartScreen registry key.
5. The attacker sets the ConfigureAppInstallControl value to “Anywhere” or modifies ConfigureAppInstallControlEnabled to “0x00000000”.
6. The Windows Defender SmartScreen App Install Control is disabled.
7. The attacker downloads and executes a malicious application from the web.
8. The malicious application compromises the system, potentially leading to data theft or further malicious activities.

Impact

Disabling the App Install Control can lead to the installation of malware, potentially affecting a large number of systems. This can result in data breaches, financial loss, and reputational damage. If successful, the attackers gain the ability to bypass built-in security features, increasing the likelihood of a successful compromise.

Recommendation

• Enable Sysmon EventID 13 logging to monitor registry modifications (reference: Sysmon EventID 13 data source).
• Deploy the Sigma rule provided in this brief to your SIEM to detect the modification of the specific registry keys related to App Install Control (reference: Sigma rule).
• Investigate any alerts generated by this rule to determine if the activity is malicious.
• Implement Group Policy settings to prevent users from modifying these registry keys (reference: Registry.registry_path and Registry.registry_value_data in the Sigma rule).

]]>highadvisorydefense-evasionregistry-abusewindowshttps://feed.craftedsignal.io/briefs/2024-01-win-defender-registry-deletion/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-win-defender-registry-deletion/Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.This analytic detects the deletion of the Windows Defender main profile registry key, a technique used by attackers to impair endpoint defenses. The deletion is monitored via Sysmon EventID 13, specifically looking for ‘deleted’ actions within the Windows Defender registry path. This activity is often associated with Remote Access Trojans (RATs) and other malware, as seen in campaigns like the “LazyScripter” RAT detailed by Malwarebytes in February 2021. Successful deletion of this key can disable Windows Defender, allowing attackers to operate with reduced visibility and resistance, enabling further malicious activities on the compromised system. The “LazyScripter” RAT, for example, uses similar techniques to disable security products.

Attack Chain

1. Initial access is gained through an unknown vector (e.g., phishing, exploit).
2. The attacker obtains elevated privileges on the system.
3. The attacker uses a process (e.g., cmd.exe, powershell.exe) to interact with the registry.
4. The process attempts to delete the Windows Defender profile registry key: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
5. Sysmon Event ID 13 logs the registry key deletion event.
6. Windows Defender is disabled or its configuration is altered due to the registry change.
7. The attacker proceeds with deploying malware or performing malicious activities without interference from Windows Defender.
8. Data exfiltration or other objectives are achieved.

Impact

Successful deletion of the Windows Defender profile registry key can severely compromise endpoint security. By disabling or weakening Windows Defender, attackers can operate with reduced visibility, allowing them to deploy malware, steal sensitive data, or establish persistent access without detection. This can lead to data breaches, financial loss, and reputational damage. The scope can range from a single endpoint to an entire organization, depending on the attacker’s objectives and the extent of the compromise.

Recommendation

• Enable Sysmon Event ID 13 to monitor registry modifications and deletions, which is crucial for triggering the detections in this brief.
• Deploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment to minimize false positives and ensure accurate detection.
• Investigate any alerts generated by these rules promptly to identify and contain potential defense evasion attempts.
• Review and harden registry permissions to prevent unauthorized modifications to critical security settings such as the Windows Defender profile.

]]>highadvisorydefense-evasionregistry-abusewindowshttps://feed.craftedsignal.io/briefs/2024-01-defender-phishing-filter-override/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-defender-phishing-filter-override/The analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter, potentially allowing attackers to deceive users into visiting malicious websites without browser warnings.This detection focuses on identifying attempts to disable the Windows Defender phishing filter by modifying specific registry values. Attackers may attempt to disable this security feature to increase the likelihood of successful phishing attacks, where users are tricked into visiting malicious websites. The detection leverages Sysmon Event ID 13 to monitor changes to registry values associated with Microsoft Edge’s phishing filter settings. Disabling this filter allows malicious actors to deceive users into visiting harmful websites without triggering browser warnings. This can lead to potential security incidents, such as malware infections or credential theft, if users unknowingly access compromised sites.

Attack Chain

1. An attacker gains initial access through social engineering or other means.
2. The attacker obtains administrative privileges on the target system, if necessary.
3. The attacker uses a script or command-line tool (e.g., reg.exe, PowerShell) to modify the Windows Registry.
4. The script or command modifies the registry key HKLM\SOFTWARE\Policies\Microsoft\Edge\PhishingFilter or HKCU\SOFTWARE\Microsoft\Edge\PhishingFilter.
5. The registry value “EnabledV9” or “PreventOverride” is set to “0x00000000” to disable the phishing filter.
6. The attacker verifies that the phishing filter is disabled in Microsoft Edge.
7. The attacker launches a phishing campaign, directing users to malicious websites.
8. Users, unaware of the disabled phishing filter, may visit the malicious websites, potentially leading to malware infection or data compromise.

Impact

Successful disabling of the Windows Defender phishing filter can significantly increase the risk of successful phishing attacks. Users may unknowingly visit malicious websites, leading to malware infections, credential theft, or other data compromises. This can result in financial losses, reputational damage, and disruption of business operations. While the exact number of potential victims is unknown, the impact could be widespread if the attack is successful on multiple systems within an organization.

Recommendation

• Enable Sysmon Event ID 13 to collect registry modification events, as this is required for the detections in this brief.
• Deploy the Sigma rule “Windows Defender Phishing Filter Override via Registry Modification” to your SIEM and tune for your environment.
• Investigate any detected instances of registry modifications to the *\MicrosoftEdge\PhishingFilter* path, especially when registry_value_data is set to “0x00000000”.
• Educate users about the risks of phishing attacks and encourage them to be cautious when clicking on links or opening attachments from unknown sources.

]]>highadvisorydefense-evasionwindowsregistry-abusehttps://feed.craftedsignal.io/briefs/2024-01-03-disable-auto-logger/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-disable-auto-logger/An attacker disables Windows AutoLogger sessions by modifying specific registry values to evade defenses and blind EDR and log ingest tools.Attackers are known to disable Windows AutoLogger sessions to impair defenses and evade detection. This technique involves modifying specific registry values associated with AutoLogger sessions and their providers, effectively blinding EDR solutions and log ingest tools. By setting the “Start” or “Enabled” values under the \WMI\Autologger\ registry key to 0x00000000, adversaries can stop the collection of crucial event data. This activity is often observed post-compromise, as a means to conceal further malicious actions and maintain persistence on the affected system. Malware such as IcedID and ransomware variants have been observed using similar techniques to impair logging and detection capabilities. The scope of this threat includes any Windows system where adversaries have gained sufficient privileges to modify registry settings related to event logging.

Attack Chain

1. Initial Access: The attacker gains initial access to the target system through methods such as phishing or exploiting a software vulnerability.
2. Privilege Escalation: The attacker escalates privileges to gain administrative access, allowing them to modify system-level settings.
3. Discovery: The attacker identifies the registry keys associated with Windows AutoLogger sessions, typically located under HKLM\System\CurrentControlSet\Control\WMI\Autologger.
4. Defense Evasion: The attacker modifies the Start or Enabled registry values for specific AutoLogger sessions or providers within the \WMI\Autologger\ path. The values are set to 0x00000000 to disable the logging session.
5. Persistence: The attacker may establish persistence through various methods.
6. Lateral Movement: The attacker moves laterally to other systems on the network, repeating the defense evasion steps to blind security tools across the environment.
7. Data Exfiltration/Ransomware Deployment: With logging impaired, the attacker proceeds to exfiltrate sensitive data or deploy ransomware, hindering incident response efforts.

Impact

Successful execution of this attack can severely impair an organization’s ability to detect and respond to security incidents. By disabling AutoLogger sessions, attackers effectively blind EDR solutions and prevent the collection of critical event data. This can lead to delayed detection of malicious activity, increased dwell time, and ultimately, greater damage from data breaches or ransomware attacks. Several campaigns, including those involving IcedID and XingLocker ransomware, have leveraged similar techniques.

Recommendation

• Enable Sysmon EventID 13 to monitor registry modifications, as specified in the data_source section.
• Deploy the Sigma rule Disable AutoLogger Session to detect changes to AutoLogger registry values.
• Investigate any alerts generated by the Sigma rule Disable AutoLogger Session to determine if the activity is malicious.
• Review and harden registry permissions to prevent unauthorized modifications to critical system settings.
• Utilize the windows_impair_defenses_disable_auto_logger_session_filter macro (referenced in the original Splunk search) to tune detections and reduce false positives.

]]>highadvisorydefense-evasionwindowsregistry-abuse