MHaggis committed Apr 11, 2023
1 parent 363799e commit c55307a
Showing 3 changed files with 12 additions and 24 deletions.
12 changes: 4 additions & 8 deletions detections/endpoint/disable_defender_antivirus_registry.yml
@@ -1,7 +1,7 @@
name: Disable Defender AntiVirus Registry
id: aa4f695a-3024-11ec-9987-acde48001122
version: 3
date: '2022-11-14'
version: 4
date: '2023-04-11'
author: Steven Dick, Teoderick Contreras, Splunk
type: TTP
datamodel:
Expand All @@ -11,12 +11,8 @@ description: This particular behavior is typically executed when an adversary or
detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled
task modifications will occur. During triage, review parallel processes and identify
any further file modifications. Endpoint should be isolated.
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`]
| fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
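Review bot: the rewritten `search:` line drops `min(_time) AS firstTime max(_time) AS lastTime` from the `tstats` call, yet the unchanged trailing lines still pipe into `` `security_content_ctime(firstTime)` `` and `` `security_content_ctime(lastTime)` ``, so both fields will be null in every result; restore the two aggregations, e.g. `| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Registry WHERE (...)`. Removing the `join` and the `fields` line also takes `dest` and `user` out of the output, so a firing alert no longer names the affected host or account; adding `Registry.dest Registry.user` to the `BY` clause would keep that context (assumption: those Endpoint.Registry fields are populated by the registry data source in use). Since the description still tells the analyst to "review parallel processes" but the Processes join is gone, the investigation now has to pivot from `process_guid` into Endpoint.Processes; a sentence to that effect in the description would avoid confusion. Finally, `| where isnotnull(registry_value_data)` is redundant after the `Registry.registry_value_data = 0x00000001` filter in the `WHERE` clause and can be dropped.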
@@ -1,7 +1,7 @@
name: Disable Defender BlockAtFirstSeen Feature
id: 2dd719ac-3021-11ec-97b4-acde48001122
version: 3
date: '2022-11-14'
version: 4
date: '2023-04-11'
author: Steven Dick, Teoderick Contreras, Splunk
type: TTP
datamodel:
Expand All @@ -10,12 +10,8 @@ description: This analytic is intended to detect a suspicious modification of th
a Windows Defender feature. This technique is intended to bypass or evade detection from
Windows Defender AV, specifically the BlockAtFirstSeen feature where it blocks
suspicious files the first time seen on the host.
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`]
| fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
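Review bot: `firstTime` and `lastTime` are no longer produced anywhere in the new `search:`, because the `min(_time) AS firstTime max(_time) AS lastTime` aggregations lived in the removed Processes `tstats` and were not carried over to the Registry `tstats`, while the unchanged `` `security_content_ctime(firstTime)` `` and `` `security_content_ctime(lastTime)` `` lines still reference them; add `min(_time) AS firstTime max(_time) AS lastTime` next to `count` in the new `tstats`. The dropped `join` and `fields` lines also remove `dest` and `user` from the results, so the DisableBlockAtFirstSeen alert will not say which host was modified; include `Registry.dest Registry.user` in the `BY` clause (assumption: these Endpoint.Registry fields are populated in the deployment). `| where isnotnull(registry_value_data)` is redundant given the `Registry.registry_value_data = 0x00000001` condition already in the `WHERE` clause.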
12 changes: 4 additions & 8 deletions detections/endpoint/disable_defender_mpengine_registry.yml
@@ -1,7 +1,7 @@
name: Disable Defender MpEngine Registry
id: cc391750-3024-11ec-955a-acde48001122
version: 3
date: '2022-11-14'
version: 4
date: '2023-04-11'
author: Steven Dick, Teoderick Contreras, Splunk
type: TTP
datamodel:
Expand All @@ -11,12 +11,8 @@ description: This particular behavior is typically executed when an adversary or
detections. Usually, a batch (.bat) file will be executed and multiple registry and scheduled
task modifications will occur. During triage, review parallel processes and identify
any further file modifications. Endpoint should be isolated.
search: '| tstats `security_content_summariesonly` count min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY _time span=1h Processes.user Processes.process_id Processes.process_name Processes.process Processes.process_path Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid
| `drop_dm_object_name(Processes)`
| join process_guid [
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`]
| fields firstTime lastTime dest user parent_process_name parent_process process_name process_path process registry_key_name registry_path registry_value_name registry_value_data process_guid
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
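Review bot: same defect as in the sibling Defender detections in this commit: the new Registry-only `tstats` computes only `count`, so `firstTime` and `lastTime` consumed by the unchanged `` `security_content_ctime(firstTime)` `` / `` `security_content_ctime(lastTime)` `` lines are never set; add `min(_time) AS firstTime max(_time) AS lastTime` after `count` in the `tstats` call. With the Processes `join` and the `fields` line gone, `dest` and `user` also disappear from the output, so the MpEnablePus alert carries no host or account context; `Registry.dest Registry.user` belong in the `BY` clause (assumption: these Endpoint.Registry fields are populated by the data source). The description's "review parallel processes" guidance now requires a manual pivot on `process_guid` into Endpoint.Processes and should say so, and `| where isnotnull(registry_value_data)` is redundant after the `Registry.registry_value_data = 0x00000000` filter in the `WHERE` clause.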