<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Doctor Web — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/doctor-web/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/doctor-web/feed.xml" rel="self" type="application/rss+xml"/><item><title>AppLocker Registry Modification to Deny Security Software Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-applocker-security-software-deny/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-applocker-security-software-deny/</guid><description>Attackers can modify the Windows registry keys that back AppLocker policy to block the execution of security software, potentially disabling defenses and allowing further malicious activities.</description><content:encoded><![CDATA[<p>Attackers can modify the Windows registry keys that store AppLocker policy so that AppLocker denies execution of security products, effectively impairing defenses. The technique involves manipulating the registry keys and values associated with AppLocker policies to block specific antivirus and security software. It is often associated with malware such as Azorult, which attempts to disable or bypass security measures. Once security software is blocked, attackers can carry out further malicious activities, such as malware installation, data exfiltration, and persistence within the compromised environment. Defenders should monitor for unusual AppLocker registry modifications that target known security product vendors to identify potential attempts to disable defenses.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the system through methods such as phishing or exploiting a vulnerability.</li>
<li>Attacker elevates privileges to gain administrative access, required to modify AppLocker policies.</li>
<li>Attacker modifies the registry keys associated with AppLocker policies, specifically targeting the Software Restriction Policies (SRP) to deny execution of security software.</li>
<li>The attacker modifies the <code>registry_value_data</code> under <code>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\</code> so that it contains <code>Action="Deny"</code> for targeted security vendors such as Symantec, McAfee, or Kaspersky.</li>
<li>AppLocker applies the modified registry settings as its effective policy.</li>
<li>The targeted security software is prevented from executing, effectively disabling or impairing its functionality.</li>
<li>Attacker proceeds to install malware, exfiltrate data, or establish persistence without interference from the disabled security software.</li>
<li>The attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a significant degradation of the security posture of the affected system. By disabling or impairing security software, attackers can bypass critical defenses and gain unfettered access to sensitive data and systems. This can lead to data breaches, financial losses, reputational damage, and disruption of business operations. The Azorult malware has been observed using this technique to disable security products.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon Event ID 13 (RegistryEvent, value set) so that registry modifications are logged for the provided Sigma rules (process_creation and registry_set).</li>
<li>Deploy the provided Sigma rules to detect AppLocker registry modifications targeting security software vendors, and tune them for your environment.</li>
<li>Investigate any alerts generated by the Sigma rules to identify potentially malicious activity, correlating with other endpoint telemetry.</li>
<li>Review and audit AppLocker policies to ensure they are configured correctly and not being used to block legitimate security software.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>applocker</category><category>defense-evasion</category><category>registry-modification</category></item></channel></rss>