{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/avast/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["applocker","defense-evasion","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Symantec","McAfee","Kaspersky","Panda Security","SysTweak Software","Trend Micro","Avast","Gridinsoft","Microsoft","NANO Security","SUPERAntiSpyware.com","Doctor Web","Malwarebytes","ESET","Avira","Webroot","Splunk"],"content_html":"\u003cp\u003eAttackers with administrative rights can write Deny rules into the registry keys from which AppLocker loads its policy, turning an allow-listing feature into a way to block the executables of antivirus and other security products. The rules live under \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\u003c/code\u003e, one subkey per rule collection (\u003ccode\u003eExe\u003c/code\u003e, \u003ccode\u003eDll\u003c/code\u003e, \u003ccode\u003eMsi\u003c/code\u003e, \u003ccode\u003eScript\u003c/code\u003e, \u003ccode\u003eAppx\u003c/code\u003e), and a rule carrying \u003ccode\u003eAction=\u0026quot;Deny\u0026quot;\u003c/code\u003e with a publisher or path condition that names a security vendor stops that vendor's binaries from starting once AppLocker enforces the policy. This activity is associated with malware such as Azorult, which uses it to disable or bypass security measures. With security software blocked, attackers can install further malware, exfiltrate data, and maintain persistence in the compromised environment with less chance of detection. 
Defenders should watch for writes under the AppLocker policy key that add Deny rules naming security product vendors; legitimate AppLocker administration rarely denies those vendors, so this makes a specific, low-noise detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to administrative access, which is required to write to the machine-wide policy keys.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the registry keys from which AppLocker loads its rules, under \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\\u003c/code\u003e, with one subkey per rule collection (\u003ccode\u003eExe\u003c/code\u003e, \u003ccode\u003eDll\u003c/code\u003e, \u003ccode\u003eMsi\u003c/code\u003e, \u003ccode\u003eScript\u003c/code\u003e, \u003ccode\u003eAppx\u003c/code\u003e). Despite the key name, these are AppLocker rules, not the older Software Restriction Policies, which live under \u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker writes a rule value whose XML carries \u003ccode\u003eAction=\u0026quot;Deny\u0026quot;\u003c/code\u003e and a publisher or path condition matching targeted security vendors such as Symantec, McAfee, or Kaspersky; in Sysmon telemetry this write surfaces as the \u003ccode\u003eregistry_value_data\u003c/code\u003e of an Event ID 13 record.\u003c/li\u003e\n\u003cli\u003eAppLocker loads the modified rules. Enforcement additionally requires the Application Identity service (\u003ccode\u003eAppIDSvc\u003c/code\u003e) to be running and the collection's \u003ccode\u003eEnforcementMode\u003c/code\u003e value to be set to enforce, so the attacker may also start that service or set that value.\u003c/li\u003e\n\u003cli\u003eThe targeted security software is prevented from executing, effectively disabling or impairing it; AppLocker records each blocked binary as Event ID 8004 in its EXE and DLL log.\u003c/li\u003e\n\u003cli\u003eAttacker proceeds to install malware, exfiltrate data, or establish persistence without interference from the blocked security software.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful use of this technique significantly degrades the security posture of the affected system. By preventing security software from running, attackers bypass critical defenses and gain unfettered access to sensitive data and systems. 
This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. The Azorult malware has been observed using this technique to disable security products.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (RegistryEvent, Value Set) with an include rule covering the \u003ccode\u003eSrpV2\u003c/code\u003e key, and activate the provided Sigma rules (process_creation and registry_set).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect AppLocker registry modifications targeting security software vendors, and tune them to your environment: baseline the processes that legitimately write AppLocker policy (Group Policy processing and administrative PowerShell using \u003ccode\u003eSet-AppLockerPolicy\u003c/code\u003e) so that an unexpected writer, such as a binary running from a user profile, stands out.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, correlating with other endpoint telemetry: the writing process and its parent, any start of the \u003ccode\u003eAppIDSvc\u003c/code\u003e service, and subsequent AppLocker EXE and DLL log Event ID 8004 entries, which name the binaries actually prevented from running.\u003c/li\u003e\n\u003cli\u003eReview and audit AppLocker policies to ensure they are configured correctly and that no Deny rule covers legitimate security software; \u003ccode\u003eGet-AppLockerPolicy -Effective -Xml\u003c/code\u003e shows the merged local and domain rules a host is actually enforcing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-applocker-security-software-deny/","summary":"Attackers can write AppLocker Deny rules into the Windows registry to block the execution of security software, disabling defenses and enabling further malicious activity.","title":"AppLocker Registry Modification to Deny Security Software Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-applocker-security-software-deny/"}],"language":"en","title":"CraftedSignal Threat Feed — Avast","version":"https://jsonfeed.org/version/1.1"}
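Worked detection example, added here and not part of the CraftedSignal brief or of the Sigma rules it refers to: the following Python implements the registry_set logic the Recommendation describes, run over constructed Sysmon Event ID 13 records. It assumes Sysmon-style field names (EventID, Image, TargetObject, Details), that each AppLocker rule is stored as XML in a value named Value under the rule's GUID subkey beneath HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\<Collection>, and it uses an invented writer process, GUIDs and publisher strings; the vendor list is a subset of the vendors the brief names.

```python
"""Flag AppLocker Deny rules aimed at security software in Sysmon Event ID 13 records.
Added example, not the brief's own code. Sample events are constructed; the rule XML
follows the shape AppLocker keeps as the Value entry of each rule's GUID subkey under SrpV2."""
import re
import xml.etree.ElementTree as ET

# Any write under the SrpV2 key (Exe, Dll, Msi, Script, Appx collections). Despite the
# name, SrpV2 holds AppLocker rules, not legacy Software Restriction Policies.
SRPV2_RE = re.compile(r"\\SOFTWARE\\Policies\\Microsoft\\Windows\\SrpV2\\", re.IGNORECASE)

# Case-insensitive substrings checked against publisher, product and path conditions; a subset
# of the vendors the brief names. "Microsoft" is omitted: denying that publisher blocks far more
# than Defender and needs its own handling.
SECURITY_VENDORS = ("symantec", "mcafee", "kaspersky", "panda security", "trend micro",
                    "avast", "eset", "avira", "webroot", "malwarebytes", "windows defender")


def parse_applocker_rule(value_data):
    """Parse one rule from the Details value data; None for non-rule values
    (EnforcementMode DWORDs, empty or truncated data)."""
    data = (value_data or "").strip()
    if not data.startswith("<"):
        return None
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if not root.tag.endswith("Rule"):
        return None
    targets = []  # strings the rule matches on; hash rules carry none and fall through
    for node in root.iter():
        if node.tag == "FilePublisherCondition":
            targets.append(node.get("PublisherName", ""))
            if node.get("ProductName", "*") != "*":
                targets.append(node.get("ProductName"))
        elif node.tag == "FilePathCondition":
            targets.append(node.get("Path", ""))
    return {"rule_type": root.tag, "action": root.get("Action", ""),
            "sid": root.get("UserOrGroupSid", ""), "targets": targets}


def evaluate_event(event):
    """Finding for an Event ID 13 record writing an AppLocker Deny rule that names a
    security vendor; None for everything else."""
    if event.get("EventID") != 13:
        return None
    target_object = event.get("TargetObject", "")
    if not SRPV2_RE.search(target_object):
        return None
    rule = parse_applocker_rule(event.get("Details"))
    if rule is None or rule["action"].lower() != "deny":
        return None
    matched = sorted({v for v in SECURITY_VENDORS for t in rule["targets"] if v in t.lower()})
    if not matched:
        return None  # a Deny rule on, say, user Downloads is ordinary hardening
    return {"severity": "high", "image": event.get("Image", ""), "target_object": target_object,
            "rule_type": rule["rule_type"], "applies_to_sid": rule["sid"],
            "matched_vendors": matched}


def scan(events):
    """Run evaluate_event over a sequence of records and keep the findings."""
    return [f for f in map(evaluate_event, events) if f]


# Constructed Sysmon Event ID 13 records; GUIDs, paths and publisher strings are invented.
KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe"
TEMP_EXE = r"C:\Users\victim\AppData\Local\Temp\updater.exe"
SAMPLE_EVENTS = [
    # 0: enforcement-mode DWORD, not a rule
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": KEY + r"\EnforcementMode", "Details": "DWORD (0x00000001)"},
    # 1: Deny rule on the Symantec publisher, written from a user temp folder
    {"EventID": 13, "Image": TEMP_EXE,
     "TargetObject": KEY + r"\{a9e18c21-ff8f-43cf-b9fc-db40eed693ba}\Value",
     "Details": '<FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="Block" '
                'Description="" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>'
                '<FilePublisherCondition PublisherName="O=SYMANTEC CORPORATION, L=MOUNTAIN VIEW, '
                'S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange '
                'LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions>'
                '</FilePublisherRule>'},
    # 2: Deny path rule covering the Malwarebytes install folder
    {"EventID": 13, "Image": TEMP_EXE,
     "TargetObject": KEY + r"\{5a3b8e10-2c4d-4f61-9e7a-1b2c3d4e5f60}\Value",
     "Details": r'<FilePathRule Id="5a3b8e10-2c4d-4f61-9e7a-1b2c3d4e5f60" Name="Block" '
                r'Description="" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>'
                r'<FilePathCondition Path="%PROGRAMFILES%\Malwarebytes\*"/></Conditions></FilePathRule>'},
    # 3: Deny path rule on user Downloads: legitimate hardening, no vendor named
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": KEY + r"\{0d7c2b9e-4a1f-4c8e-9b2d-7e6f5a4b3c21}\Value",
     "Details": r'<FilePathRule Id="0d7c2b9e-4a1f-4c8e-9b2d-7e6f5a4b3c21" Name="Downloads" '
                r'Description="" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions>'
                r'<FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*"/></Conditions></FilePathRule>'},
    # 4: legacy Software Restriction Policies key, outside AppLocker's scope
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel",
     "Details": "DWORD (0x00040000)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it reports the Symantec publisher rule and the Malwarebytes path rule and stays silent on the enforcement-mode write, the Downloads Deny rule and the legacy Software Restriction Policies key. The Image field is carried into each finding because the writer process is what separates a Group Policy refresh from an intruder's loader; in production, compare it against your baseline of legitimate policy writers before raising the alert.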