Defence Evasion (TA0005) Techniques

Introduction

Forensically investigating defence evasion involves understanding and identifying the methods used by attackers to avoid detection and bypass security measures on workstations and server systems. Defence evasion is a critical tactic in the MITRE ATT&CK framework, and it includes techniques like disabling security software, deleting logs, obfuscation, rootkits, privilege escalation, and more.

Understanding Defence Evasion Techniques

  • Disabling Security Software: Check for evidence of disabled or tampered antivirus, firewalls, or other security tools.

  • Log Tampering: Look for signs of altered or deleted logs.

  • Obfuscation and Encoding: Identify the use of obfuscation in scripts and commands to evade detection.

  • Rootkits: Search for evidence of rootkits that hide malicious activity.

  • File Deletion and Hiding: Investigate techniques to hide or delete files.

  • Privilege Escalation: Ascertain if elevation of privileges was part of the evasion strategy.

Data Collection and Preservation

  • Forensic Imaging: Create complete images of affected systems using tools like FTK Imager or dd.

  • Memory Capture: Use tools like WinPmem or Magnet RAM Capture for memory imaging.

  • Log Collection: Gather all relevant logs, including security, system, and application logs.

Investigation of Security Software Tampering

  • Antivirus and EDR Logs: Check the logs of antivirus or EDR solutions for signs of deactivation or bypass.

  • Firewall Configuration: Review firewall settings for unauthorised changes.

  • Windows Defender: Look for changes in Windows Defender settings, especially using PowerShell commands or Group Policy modifications.

Log Analysis

  • Event Logs: Examine Windows Event Logs for evidence of cleared logs (Event ID 1102 for Windows security log clearance).

  • SIEM Systems: If a SIEM system is in use, analyse it for gaps or inconsistencies in log data.

  • Security Log Review: Examine logs for signs of clearing or tampering (e.g., Windows Event ID 1102 indicates security log clearance).

  • Audit Log Settings: Verify if audit settings were altered to evade detection.

  • File Access Logs: Check logs for access to sensitive files or logs by unauthorised users or processes.
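As an added example (not part of the original page), the log-clearing and audit-policy checks above expressed as one Microsoft Sentinel query. It assumes the standard Sentinel tables: Windows Security events in SecurityEvent and the other Windows logs in Event. The event IDs are the standard Windows ones (1102 Security log cleared, 104 System log cleared, 4719 audit policy changed); the lookback value and the 15-minute bucket are arbitrary choices.

```kql
// Added example: one Sentinel query for the three "someone touched the logs" signals.
// Assumes the standard Sentinel tables SecurityEvent (Security log) and Event (other Windows logs).
let lookback = 7d;
// 1102: the Security log was cleared. 4719: the system audit policy was changed.
let SecurityLogSignals = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID in (1102, 4719)
    | extend Signal = case(EventID == 1102, "Security log cleared",
                           EventID == 4719, "Audit policy changed",
                           "Other")
    | project TimeGenerated, Computer, EventID, Signal, Actor = SubjectAccount, Detail = Activity;
// 104: a non-Security log (typically System) was cleared; written by the Microsoft-Windows-Eventlog provider.
let SystemLogSignals = Event
    | where TimeGenerated > ago(lookback)
    | where EventID == 104 and Source == "Microsoft-Windows-Eventlog"
    | project TimeGenerated, Computer, EventID, Signal = "Event log cleared", Actor = UserName, Detail = RenderedDescription;
SecurityLogSignals
| union SystemLogSignals
// Group per host and actor in 15-minute windows so a burst of clearing shows up as one row.
| summarize Signals = make_set(Signal), Events = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, Actor, bin(TimeGenerated, 15m)
| order by FirstSeen desc
```

A single 1102 from a patching account is often routine; the same actor clearing the Security log and changing audit policy in one window is what the summarize step is meant to surface.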

Investigating Obfuscation Techniques

  • Script Analysis: Examine any found scripts for obfuscation techniques like base64 encoding, concatenation, or use of uncommon scripting languages.

  • Command-Line Analysis: Review command-line history for obfuscated or encoded commands.

Rootkit Detection

  • Rootkit Scanners: Use rootkit detection tools like GMER or RootkitRevealer.

  • Memory Analysis: Analyse system memory for signs of kernel-level rootkits.

Analysis of File and Directory Changes

  • File Integrity Monitoring Tools: Review reports from file integrity monitoring solutions.

  • Recycle Bin Analysis: Check the Recycle Bin for recently deleted files.

  • Alternate Data Streams: Search for hidden data in NTFS Alternate Data Streams.

Network Traffic Analysis

  • Network Monitoring Tools: Use tools like Wireshark or tcpdump to analyse network traffic for signs of data exfiltration or C2 communication.

  • DNS Query Logs: Review DNS logs for unusual or repeated queries, which could indicate covert channels.

Use of Specialised Forensic Tools

  • Forensic Suites: Tools like EnCase, AXIOM Cyber, Binalyze-Air or Autopsy for comprehensive system analysis.

  • Sysinternals Suite: Tools like Process Explorer, Autoruns, and TCPView for detailed system analysis.

Documentation and Reporting

  • Detailed Documentation: Keep a detailed record of all findings, tools used, and methods applied.

  • Forensic Report: Prepare a comprehensive report detailing the evasion techniques identified and their impact.

Post-Investigation Actions

  • Remediation and Mitigation: Implement security measures to counter the identified evasion techniques.

  • Recovery: Restore systems from clean backups if necessary.

  • Security Posture Enhancement: Update security policies and tools based on findings.

Key Considerations

  • Chain of Custody: Maintain an accurate chain of custody for all evidence.

  • Legal and Compliance: Ensure compliance with legal and organisational guidelines during the investigation.

  • Confidentiality and Integrity: Maintain confidentiality and integrity of data throughout the investigation process.

Each case of defence evasion can be unique, requiring a tailored approach depending on the specifics of the incident and the environment.

Using KQL to Investigate Defence Evasion Activities in an Environment Using Defender/Sentinel

Defence Evasion techniques allow adversaries to avoid detection throughout their compromise activities.

1. T1027 - Obfuscated Files or Information

Objective: Detect the use of obfuscation techniques to hide malicious code or evade detection.

  1. Detect Obfuscated PowerShell Scripts

DeviceProcessEvents | where ProcessCommandLine has "powershell" and ProcessCommandLine matches regex @"(?i)\s-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // requiring whitespace after the switch keeps -ExecutionPolicy and similar switches from matching

Purpose: Identify obfuscated PowerShell commands using encoded scripts.

  2. Monitor for Suspicious Command Line Encodings

DeviceProcessEvents | where ProcessCommandLine matches regex @"(?i)-encodedcommand\s+[A-Za-z0-9+/=]{50,}" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect suspicious command-line encodings that may indicate obfuscation.

  3. Identify Obfuscated Batch Scripts

DeviceProcessEvents | where FileName =~ "cmd.exe" and ProcessCommandLine matches regex @"(\^\w){3,}|%\w+:~-?\d+" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // carets inserted inside words, or %VAR:~n,m% substring expansion; has_any works on whole terms and cannot match single punctuation characters

Purpose: Monitor for batch scripts with obfuscated commands.

  4. Detect Obfuscated JavaScript Files

DeviceFileEvents | where ActionType == "FileCreated" and FileName matches regex @"(?i)\.jse?$" and (isnotempty(FileOriginUrl) or InitiatingProcessFileName in~ ("outlook.exe", "winword.exe", "excel.exe")) | project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName // DeviceFileEvents has no FileContent or FileExtension column; obfuscation has to be judged on the retrieved file (pivot on SHA256)

Purpose: Identify newly written JavaScript files that arrived from the web or from mail and Office applications, as candidates for content inspection.

  5. Monitor for Obfuscated Scripts in Office Macros

DeviceProcessEvents | where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE") and ProcessCommandLine matches regex @"(?i)base64" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect obfuscated scripts embedded in Office macros.

  6. Identify Suspicious Use of XOR Encoding

DeviceProcessEvents | where ProcessCommandLine has "xor" and ProcessCommandLine has_any ("powershell", "cmd.exe", "wscript.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of XOR encoding in commands, which may be used to obfuscate malicious actions.

  7. Detect Obfuscated PowerShell Commands with Special Characters

DeviceProcessEvents | where ProcessCommandLine has "powershell" and ProcessCommandLine matches regex @"\$\(\)|`|%%|\^" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // contains_any is not a KQL operator; a regex alternation covers the four character sequences

Purpose: Identify PowerShell commands using special characters for obfuscation.

  8. Monitor for Use of Obfuscation Tools

DeviceProcessEvents | where ProcessCommandLine has_any ("ConfuserEx", "obfuscator", "Dotfuscator") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of known obfuscation tools that may be used to evade detection.

  9. Identify Scripts Using Base64 Encoding

DeviceProcessEvents | where ProcessCommandLine matches regex @"(?i)base64|decode" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // has_any matches whole terms only and would miss FromBase64String

Purpose: Monitor for scripts using Base64 encoding to obscure their content.

  10. Detect Obfuscated Malware Executables

DeviceFileEvents | where FileName matches regex @"(?i)^[a-f0-9]{32}\.exe$" | project Timestamp, DeviceName, FileName, FolderPath, SHA256 // DeviceFileEvents has no FileExtension column; the extension is part of FileName

Purpose: Identify obfuscated malware executables with hexadecimal filenames.
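The queries above only find that a command was encoded; the analyst still has to decode it. As an added example (not part of the original page), the following pulls the base64 payload out of the command line, decodes it and flags decoded content that contains download-and-run primitives. SampleEvents is a constructed stand-in for DeviceProcessEvents with three made-up rows (the column names follow the Defender XDR advanced hunting schema); the switch regex and the token list are this example's own choices.

```kql
// Added example: extract, decode and triage PowerShell -EncodedCommand payloads.
// SampleEvents is a constructed stand-in for DeviceProcessEvents; replace it with the real table.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, InitiatingProcessAccountName:string, ProcessCommandLine:string)
[
    // Constructed: "Write-Host hi" as UTF-16LE base64; benign.
    datetime(2024-01-01 10:00:00), "ws01", "alice",
        "powershell.exe -NoProfile -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=",
    // Constructed: "iex(iwr http://x)" as UTF-16LE base64; download-and-run, should be flagged.
    datetime(2024-01-01 10:05:00), "ws01", "alice",
        "powershell.exe -w hidden -nop -EncodedCommand aQBlAHgAKABpAHcAcgAgAGgAdAB0AHAAOgAvAC8AeAApAA==",
    // Constructed: -ExecutionPolicy is not an encoded command and must not match.
    datetime(2024-01-01 10:06:00), "ws02", "bob",
        @"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"
];
SampleEvents
| where ProcessCommandLine has_any ("powershell", "pwsh")
// Accept the prefixes PowerShell itself accepts (-e, -ec, -en, -enc, -EncodedCommand); the whitespace
// after the switch keeps -ExecutionPolicy and friends out.
| extend EncodedCommand = extract(@"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedCommand)
// PowerShell encodes the script as UTF-16LE; the decoder assumes UTF-8, so the ASCII payload comes back
// with a NUL after every character. Stripping the NULs restores the readable script.
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedCommand), @"\x00", "")
// Tokens that indicate the script fetches and executes further content.
| extend IsSuspicious = DecodedCommand has_any ("iex", "Invoke-Expression", "iwr", "Invoke-WebRequest",
                                                "DownloadString", "DownloadFile", "FromBase64String", "Net.WebClient")
| project Timestamp, DeviceName, InitiatingProcessAccountName, IsSuspicious, DecodedCommand, ProcessCommandLine
| order by IsSuspicious desc, Timestamp asc
```

On the constructed rows the first two command lines are decoded (only the second is marked suspicious) and the -ExecutionPolicy row is dropped by the switch regex. Against live data, replace SampleEvents with DeviceProcessEvents and add a time filter; scripts that are not plain ASCII decode to garbage under this NUL-stripping trick and need proper UTF-16 handling outside KQL.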

2. T1070 - Indicator Removal on Host

Objective: Detect attempts to delete or alter artifacts to remove evidence of an intrusion.

  1. Detect Clearing of Windows Event Logs

DeviceProcessEvents | where ProcessCommandLine has "wevtutil" and ProcessCommandLine has_any ("cl", "clear-log") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify attempts to clear Windows event logs using wevtutil.

  2. Monitor for Deletion of Prefetch Files

DeviceFileEvents | where ActionType == "FileDeleted" and FolderPath contains @"\Windows\Prefetch\" and InitiatingProcessFileName !~ "svchost.exe" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName // there is no FileOperation column; FolderPath includes the file name, and svchost.exe (SysMain) pruning old .pf files is excluded as noise

Purpose: Detect deletion of prefetch files, which may be used to cover tracks.

  3. Identify Clearing of Security Event Logs

DeviceProcessEvents | where ProcessCommandLine has "Clear-EventLog" and ProcessCommandLine has "Security" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for clearing of security event logs using PowerShell.

  4. Detect Attempts to Delete Log Files

DeviceFileEvents | where ActionType == "FileDeleted" and FolderPath has_any (@"\Logs\", @"\LogFiles\") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Identify attempts to delete log files, which could indicate a cover-up.

  5. Monitor for Use of auditpol to Disable Logging

DeviceProcessEvents | where ProcessCommandLine has "auditpol" and ProcessCommandLine has_any ("/disable", "/clear", "/remove") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect attempts to disable audit logging using auditpol.

  6. Identify Tampering with Windows Defender Logs

DeviceFileEvents | where ActionType == "FileDeleted" and FolderPath startswith @"C:\ProgramData\Microsoft\Windows Defender\Scans\History\" and InitiatingProcessFileName !~ "MsMpEng.exe" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessAccountName // Defender's own engine rotates these files and is excluded

Purpose: Monitor for tampering with Windows Defender logs.

  7. Detect Disabling of Windows Event Logging Services

DeviceProcessEvents | where ProcessCommandLine has "eventlog" and ProcessCommandLine has_any ("stop", "Stop-Service", "config") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // there is no DeviceServiceEvents table; the service is stopped or reconfigured through sc, net or Stop-Service

Purpose: Identify attempts to disable Windows Event Logging services.

  8. Monitor for Changes to Windows Firewall Logs

DeviceFileEvents | where ActionType == "FileDeleted" and FolderPath startswith @"C:\Windows\System32\LogFiles\Firewall\" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect deletion or tampering with Windows Firewall logs.

  9. Identify Deletion of Registry Keys Related to Logging

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog" and (ActionType in ("RegistryKeyDeleted", "RegistryValueDeleted") or RegistryValueName =~ "Start") | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName // Defender records keys as HKEY_LOCAL_MACHINE\..., not HKLM\...

Purpose: Monitor for deletion of registry keys associated with logging.

  10. Detect Modifications to Log Retention Policies

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" and RegistryValueName =~ "Retention" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify changes to log retention policies that may be aimed at reducing forensic visibility.
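Each query above fires on one indicator in isolation. As an added example (not part of the original page), the following labels the process- and file-based indicators from this section and counts how many distinct cleanup techniques one account used on one host inside a 15-minute window; the window, the lookback and the threshold of two techniques are this example's own choices. It assumes the DeviceProcessEvents and DeviceFileEvents tables and columns of the Defender XDR advanced hunting schema.

```kql
// Added example: a burst of distinct indicator-removal actions by one account on one host.
let lookback = 7d;
let window = 15m;
let ProcessSignals = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | extend Technique = case(
        ProcessCommandLine has "wevtutil" and ProcessCommandLine has_any ("cl", "clear-log"), "wevtutil clear",
        ProcessCommandLine has "Clear-EventLog", "Clear-EventLog",
        ProcessCommandLine has "auditpol" and ProcessCommandLine has_any ("/disable", "/clear", "/remove"), "auditpol change",
        ProcessCommandLine has "eventlog" and ProcessCommandLine has_any ("stop", "Stop-Service"), "EventLog service stopped",
        "")
    | where isnotempty(Technique)
    | project Timestamp, DeviceName, Account = InitiatingProcessAccountName, Technique, Detail = ProcessCommandLine;
let FileSignals = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileDeleted"
    | extend Technique = case(
        FolderPath contains @"\Windows\Prefetch\", "Prefetch deleted",
        FolderPath has_any (@"\Logs\", @"\LogFiles\"), "Log file deleted",
        "")
    | where isnotempty(Technique)
    | project Timestamp, DeviceName, Account = InitiatingProcessAccountName, Technique, Detail = FolderPath;
ProcessSignals
| union FileSignals
| summarize Techniques = make_set(Technique), Actions = count(), Samples = make_set(Detail, 5), FirstSeen = min(Timestamp)
    by DeviceName, Account, bin(Timestamp, window)
// One cleared log is routine maintenance; several different cleanup techniques together are not.
| where array_length(Techniques) >= 2
| order by FirstSeen desc
```

The Samples column keeps up to five of the underlying command lines or paths so the row can be triaged without re-running the component queries.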

3. T1112 - Modify Registry

Objective: Detect unauthorized modifications to the Windows Registry that may be used to evade detection.

  1. Detect Modifications to Security-Related Registry Keys

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders" or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName // Defender records keys as HKEY_LOCAL_MACHINE\..., so comparisons against HKLM\... never match

Purpose: Monitor for modifications to registry keys related to security settings.

  2. Identify Changes to Userinit Key

DeviceRegistryEvents | where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" and RegistryValueName =~ "Userinit" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName // Userinit is a value under the Winlogon key, not a key of its own

Purpose: Detect modifications to the Userinit registry value that could be used for persistence and evasion.

  3. Monitor for Disabling of Windows Defender via Registry

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" and RegistryValueName in~ ("DisableAntiSpyware", "DisableRealtimeMonitoring") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify registry changes that disable Windows Defender.

  4. Detect Changes to UAC Settings in Registry

DeviceRegistryEvents | where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and RegistryValueName =~ "EnableLUA" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Monitor for modifications to User Account Control (UAC) settings.

  5. Identify Modifications to Auto-Run Keys

DeviceRegistryEvents | where RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run" or RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\RunOnce" | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName // endswith covers both the machine hive and the per-user hives

Purpose: Detect changes to auto-run registry keys that may be used for persistence and evasion.

  6. Monitor for Changes to Windows Firewall Rules via Registry

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" and RegistryValueName =~ "EnableFirewall" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName // EnableFirewall lives under the per-profile subkeys (DomainProfile, StandardProfile, PublicProfile)

Purpose: Identify registry modifications that disable or weaken Windows Firewall rules.

  7. Detect Changes to Registry Keys Associated with LSA Protection

DeviceRegistryEvents | where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" and RegistryValueName =~ "RunAsPPL" and ActionType in ("RegistryValueSet", "RegistryValueDeleted") | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Monitor for changes to LSA (Local Security Authority) protection settings.

  8. Identify Tampering with Logging Settings in Registry

DeviceRegistryEvents | where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security" and RegistryValueName =~ "MaxSize" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Detect tampering with log size limits in the registry.

  9. Monitor for Changes to SMB Signing Settings in Registry

DeviceRegistryEvents | where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" and RegistryValueName in~ ("EnableSecuritySignature", "RequireSecuritySignature") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify changes to SMB signing settings that could be used to weaken network security.

  10. Detect Modifications to Registry Keys Related to Credential Storage

DeviceRegistryEvents | where RegistryKey =~ @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" and RegistryValueName =~ "CachedLogonsCount" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, InitiatingProcessAccountName

Purpose: Monitor for changes to registry keys that affect the storage of cached credentials.
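The queries above return every write to a watched value, including the ones that turn a control on. As an added example (not part of the original page), the following labels only the transitions that weaken a control and keeps the previous value next to the new one. SampleRegistry is a constructed stand-in for DeviceRegistryEvents with three made-up rows; the column names and the HKEY_LOCAL_MACHINE key format follow the Defender XDR advanced hunting schema, and the list of watched values is this example's own selection.

```kql
// Added example: report registry writes that weaken a security control, with the before/after value.
// SampleRegistry is a constructed stand-in for DeviceRegistryEvents; replace it with the real table.
// Defender records keys as HKEY_LOCAL_MACHINE\..., not HKLM\..., so comparisons use the long form.
let SampleRegistry = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, RegistryKey:string,
                               RegistryValueName:string, PreviousRegistryValueData:string, RegistryValueData:string,
                               InitiatingProcessFileName:string, InitiatingProcessAccountName:string)
[
    // Constructed: Defender disabled by policy on ws01.
    datetime(2024-01-01 09:00:00), "ws01", "RegistryValueSet", @"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
        "DisableAntiSpyware", "", "1", "reg.exe", "bob",
    // Constructed: UAC switched off on ws01.
    datetime(2024-01-01 09:01:00), "ws01", "RegistryValueSet", @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
        "EnableLUA", "1", "0", "reg.exe", "bob",
    // Constructed: LSA protection turned ON on ws02 by policy refresh; a hardening change, not a weakening one.
    datetime(2024-01-01 09:02:00), "ws02", "RegistryValueSet", @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
        "RunAsPPL", "0", "1", "gpupdate.exe", "SYSTEM"
];
SampleRegistry
| where ActionType == "RegistryValueSet"
// Each branch names the key suffix, the value and the data that means "control off"; endswith is case-insensitive.
| extend Weakening = case(
    RegistryKey endswith @"\Policies\Microsoft\Windows Defender" and RegistryValueName =~ "DisableAntiSpyware" and RegistryValueData == "1", "Defender disabled by policy",
    RegistryKey endswith @"\Policies\System" and RegistryValueName =~ "EnableLUA" and RegistryValueData == "0", "UAC disabled",
    RegistryKey endswith @"\Control\Lsa" and RegistryValueName =~ "RunAsPPL" and RegistryValueData == "0", "LSA protection disabled",
    RegistryKey endswith @"\Services\LanmanServer\Parameters" and RegistryValueName =~ "RequireSecuritySignature" and RegistryValueData == "0", "SMB signing no longer required",
    "")
| where isnotempty(Weakening)
| project Timestamp, DeviceName, Weakening, RegistryValueName, PreviousRegistryValueData, RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessAccountName
```

On the constructed rows the two ws01 writes are reported and the ws02 write is not, because RunAsPPL going from 0 to 1 matches no weakening branch. The InitiatingProcessFileName column is the first triage pivot: the same write from gpupdate.exe and from reg.exe in a user session mean very different things.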

4. T1218 - System Binary Proxy Execution

Objective: Detect the use of trusted system binaries to execute malicious code and evade detection.

  1. Detect Use of mshta.exe for Malicious Scripts

DeviceProcessEvents | where FileName =~ "mshta.exe" and ProcessCommandLine has_any (".vbs", ".js", "http", "vbscript:", "javascript:") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of mshta.exe to execute scripts from external sources or inline script protocols.

  2. Monitor for Execution via rundll32.exe

DeviceProcessEvents | where FileName =~ "rundll32.exe" and ProcessCommandLine has ".dll" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessAccountName // very noisy on its own; pivot on the DLL's folder or on the parent process

Purpose: Detect the use of rundll32.exe to execute DLLs.

  3. Identify Execution of Suspicious Scripts via wscript.exe or cscript.exe

DeviceProcessEvents | where FileName in~ ("wscript.exe", "cscript.exe") and ProcessCommandLine has_any (".vbs", ".js") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the execution of scripts via wscript.exe or cscript.exe.

  4. Detect Use of regsvr32.exe to Execute Remote Scripts

DeviceProcessEvents | where FileName =~ "regsvr32.exe" and ProcessCommandLine has "http" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of regsvr32.exe to execute remote scripts.

  5. Monitor for Execution via cmd.exe or powershell.exe

DeviceProcessEvents | where FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has_any ("wget", "curl", "Invoke-WebRequest") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of cmd.exe or powershell.exe to download and execute content from the web.

  6. Identify Use of bitsadmin.exe for File Transfers

DeviceProcessEvents | where FileName =~ "bitsadmin.exe" and ProcessCommandLine has_any ("Transfer", "Upload", "Download") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of bitsadmin.exe to transfer files.

  7. Detect Use of control.exe to Execute Malicious Content

DeviceProcessEvents | where FileName =~ "control.exe" and ProcessCommandLine has_any ("msc", ".cpl") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of control.exe to execute control panel items maliciously.

  8. Monitor for Execution of Malicious Content via odbcconf.exe

DeviceProcessEvents | where FileName =~ "odbcconf.exe" and ProcessCommandLine has "/S" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of odbcconf.exe to execute ODBC configuration scripts.

  9. Identify Malicious Use of iexpress.exe

DeviceProcessEvents | where FileName =~ "iexpress.exe" and ProcessCommandLine has_any ("SED", "package") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the use of iexpress.exe to create or execute malicious self-extracting packages.

  10. Detect Silent Installation of MSI Packages via msiexec.exe

DeviceProcessEvents | where FileName =~ "msiexec.exe" and ProcessCommandLine has_any ("/q", "/quiet", "/qn") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the use of msiexec.exe to execute malicious MSI files silently.
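Most of the binaries above are used legitimately thousands of times a day; what separates proxy execution from normal use is usually where the process went afterwards. As an added example (not part of the original page), the following joins each LOLBin process start to the outbound connections that same process instance made in the next five minutes. It assumes the DeviceProcessEvents and DeviceNetworkEvents tables of the Defender XDR advanced hunting schema; the binary list, the lookback and the five-minute window are this example's own choices.

```kql
// Added example: LOLBin process starts correlated with their own outbound network connections.
let lookback = 7d;
let LolbinStarts = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "bitsadmin.exe",
                          "odbcconf.exe", "control.exe", "wscript.exe", "cscript.exe")
    | project StartTime = Timestamp, DeviceId, DeviceName, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine,
              AccountName, ParentFileName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine;
let OutboundConnections = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    // Keep destinations outside RFC 1918 space; IPv6 destinations (null result) are kept as well.
    | where ipv4_is_private(RemoteIP) != true
    | project ConnTime = Timestamp, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, RemoteIP, RemotePort, RemoteUrl;
LolbinStarts
// ProcessId values are reused; pairing the id with the creation time identifies one process instance.
| join kind=inner OutboundConnections
    on DeviceId, $left.ProcessId == $right.InitiatingProcessId, $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| where ConnTime between (StartTime .. (StartTime + 5m))
| summarize Connections = count(),
            Destinations = make_set(strcat(RemoteIP, ":", RemotePort), 10),
            Urls = make_set(RemoteUrl, 5)
    by StartTime, DeviceName, AccountName, FileName, ProcessCommandLine, ParentFileName, ParentCommandLine
| order by StartTime desc
```

The parent columns are carried through on purpose: a regsvr32.exe reaching the internet from an Office or browser parent is a much stronger signal than the same thing under an installer.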

5. T1036 - Masquerading

Objective: Detect attempts to rename files or use file names that mimic legitimate files to evade detection.

  1. Detect Processes Running with Suspicious File Names

DeviceProcessEvents | where FileName in~ ("explorer.exe", "svchost.exe", "winlogon.exe") and FolderPath !in~ (@"C:\Windows\explorer.exe", @"C:\Windows\System32\svchost.exe", @"C:\Windows\SysWOW64\svchost.exe", @"C:\Windows\System32\winlogon.exe") | project Timestamp, DeviceName, ProcessCommandLine, FileName, FolderPath, InitiatingProcessAccountName // has_not is not a KQL operator; FolderPath holds the full image path, and explorer.exe legitimately lives in C:\Windows rather than System32

Purpose: Identify processes running with common Windows file names from non-standard locations.

  2. Monitor for Files Created with System File Names

DeviceFileEvents | where ActionType == "FileCreated" and FileName in~ ("svchost.exe", "taskhost.exe", "lsass.exe") and not(FolderPath startswith @"C:\Windows\System32\" or FolderPath startswith @"C:\Windows\SysWOW64\" or FolderPath startswith @"C:\Windows\WinSxS\") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName // WinSxS holds servicing copies of these files

Purpose: Detect creation of files with system file names in unusual directories.

  3. Identify Suspicious Use of Extensionless Executables

DeviceProcessEvents | where FileName !contains "." and ProcessCommandLine has_any ("powershell", "cmd", "wscript") | project Timestamp, DeviceName, ProcessCommandLine, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Monitor for execution of extensionless files that may be used to hide malicious activity.

  4. Detect Renaming of Known Tools to Bypass Detection

DeviceProcessEvents | where FileName in~ ("notepad.exe", "calc.exe") and ProcessCommandLine has_any ("mimikatz", "nc.exe") | project Timestamp, DeviceName, ProcessCommandLine, FileName, InitiatingProcessAccountName

Purpose: Identify the renaming of known hacking tools to legitimate Windows file names.

  5. Monitor for Use of Hidden Files and Directories

DeviceFileEvents | where FolderPath startswith @"C:\ProgramData" and FileName startswith "." | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect creation or use of hidden files and directories.

  6. Identify Executables Using Double File Extensions

DeviceFileEvents | where FileName matches regex @"(?i)\.(exe\.txt|doc\.exe|pdf\.exe)$" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName // endswith takes a single string, so the list becomes a regex alternation

Purpose: Monitor for files using double extensions to masquerade as non-executable files.

  7. Detect Execution of Renamed Windows Utilities

DeviceProcessEvents | where ProcessCommandLine has_any ("cmd.exe", "powershell.exe", "rundll32.exe") and ProcessCommandLine has_any ("svchost", "lsass", "taskmgr") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the execution of renamed Windows utilities.

  8. Monitor for DLLs Masquerading as System Files

DeviceFileEvents | where FileName in~ ("shell32.dll", "kernel32.dll") and not(FolderPath startswith @"C:\Windows\System32\" or FolderPath startswith @"C:\Windows\SysWOW64\" or FolderPath startswith @"C:\Windows\WinSxS\") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect DLLs that are masquerading as legitimate system files.

  9. Identify Renaming of Malicious Scripts to Safe Extensions

DeviceFileEvents | where FileName matches regex @"(?i)\.(ps1|vbs|js)\.(txt|log)$" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName // a script extension hidden behind a .txt or .log suffix

Purpose: Monitor for the renaming of malicious scripts to file types that are generally considered safe.

  10. Detect Creation of Shortcut Files with Misleading Icons

DeviceFileEvents | where FileName in~ ("notepad.lnk", "cmd.lnk", "explorer.lnk") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Identify the creation of shortcut files that are designed to mislead users into executing malicious content.
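Name-based rules miss a renamed binary entirely, because nothing in the command line says what it really is. As an added example (not part of the original page), the following compares the on-disk name of each process with the OriginalFilename stored in its PE version resource, and checks well-known system process names against the directories they are expected to run from. SampleProcesses is a constructed stand-in for DeviceProcessEvents with four made-up rows; the column names, including ProcessVersionInfoOriginalFileName, follow the Defender XDR advanced hunting schema, and the OriginalFilename values are the ones Microsoft ships for those binaries (compared case-insensitively).

```kql
// Added example: masquerading checks based on PE version info and expected image paths.
// SampleProcesses is a constructed stand-in for DeviceProcessEvents; replace it with the real table.
let SampleProcesses = datatable(Timestamp:datetime, DeviceName:string, FileName:string, FolderPath:string,
                                ProcessVersionInfoOriginalFileName:string, ProcessCommandLine:string, InitiatingProcessAccountName:string)
[
    // Constructed: genuine svchost from System32.
    datetime(2024-01-01 11:00:00), "ws01", "svchost.exe", @"C:\Windows\System32\svchost.exe", "svchost.exe", "svchost.exe -k netsvcs", "SYSTEM",
    // Constructed: powershell.exe copied to Temp and renamed; the version resource still says PowerShell.EXE.
    datetime(2024-01-01 11:01:00), "ws01", "updater.exe", @"C:\Users\bob\AppData\Local\Temp\updater.exe", "PowerShell.EXE", "updater.exe -nop -w hidden", "bob",
    // Constructed: something called svchost.exe running from a user-writable folder.
    datetime(2024-01-01 11:02:00), "ws02", "svchost.exe", @"C:\Users\Public\svchost.exe", "svchost.exe", "svchost.exe", "alice",
    // Constructed: genuine explorer.exe, which lives in C:\Windows rather than System32.
    datetime(2024-01-01 11:03:00), "ws02", "explorer.exe", @"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe", "alice"
];
SampleProcesses
| extend OriginalName = tolower(ProcessVersionInfoOriginalFileName), ImageName = tolower(FileName), Path = tolower(FolderPath)
| extend Finding = case(
    // Interpreters and LOLBins whose version resource names them; a different on-disk name means a rename.
    OriginalName in ("powershell.exe", "cmd.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe")
        and OriginalName != ImageName, strcat("renamed ", OriginalName),
    // Core system processes only ever run from System32 (or SysWOW64 on 64-bit Windows).
    ImageName in ("svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe")
        and not(Path startswith @"c:\windows\system32\" or Path startswith @"c:\windows\syswow64\"), "system process name outside System32",
    ImageName == "explorer.exe" and Path != @"c:\windows\explorer.exe", @"explorer.exe outside C:\Windows",
    "")
| where isnotempty(Finding)
| project Timestamp, DeviceName, Finding, FileName, FolderPath, ProcessVersionInfoOriginalFileName, ProcessCommandLine, InitiatingProcessAccountName
```

On the constructed rows the renamed PowerShell and the svchost.exe in C:\Users\Public are reported; the two genuine processes are not. Version info can be stripped or forged by an attacker who controls the binary, so an empty or unexpected ProcessVersionInfoOriginalFileName on a common name is itself worth a look.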

6. T1078 - Valid Accounts

Objective: Detect the use of valid accounts to avoid detection or gain unauthorized access.

  1. Detect Unusual Logon Activity for Privileged Accounts

IdentityLogonEvents | where AccountName endswith "admin" or AccountName endswith "administrator" | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Monitor for unusual logon activity involving privileged accounts.

  2. Identify Logons Using Service Accounts

IdentityLogonEvents | where AccountName startswith "svc_" or AccountName endswith "_svc" | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Detect logons using service accounts that may be used to evade detection.

  3. Monitor for Use of Default or Well-Known Accounts

IdentityLogonEvents | where AccountName in~ ("Administrator", "Guest", "DefaultAccount") | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Identify the use of default or well-known accounts.

  4. Detect Logons During Unusual Hours

IdentityLogonEvents | extend HourUtc = hourofday(Timestamp) | where HourUtc >= 22 or HourUtc < 6 | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName // there is no LogonTime column and datetime() takes no bare time; Timestamp is UTC, so shift the window to local business hours

Purpose: Monitor for logon activity outside of normal business hours that may indicate unauthorized access.

  5. Identify Logons Using Expired or Disabled Accounts

IdentityLogonEvents | where ActionType == "LogonFailed" and (FailureReason contains "disabled" or FailureReason contains "expired") | project Timestamp, AccountName, AccountDomain, LogonType, FailureReason, DeviceName // IdentityLogonEvents has no AccountEnabled or AccountExpires column; the account state is reported in FailureReason

Purpose: Detect attempts to use expired or disabled accounts.

  6. Monitor for Remote Logons Using Valid Accounts

IdentityLogonEvents | where LogonType in ("RemoteInteractive", "Network") | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Identify remote logons using valid accounts that may be part of lateral movement.

  7. Detect Sudden Changes in Privileges for Accounts

IdentityDirectoryEvents | where ActionType == "Group Membership changed" | extend ToGroup = tostring(parse_json(AdditionalFields)["TO.GROUP"]) | where ToGroup has_any ("Admins", "Administrators") | project Timestamp, TargetAccountDisplayName, ToGroup, AccountName, DeviceName // logon events carry no PrivilegeElevated column; privilege changes are directory events, and the acting account is AccountName

Purpose: Monitor for accounts being added to privileged groups.

  8. Identify Use of Stolen Credentials

IdentityLogonEvents | where ActionType == "LogonFailed" and AccountName has_any ("admin", "administrator", "svc_") | project Timestamp, AccountName, AccountDomain, LogonType, FailureReason, DeviceName // the outcome is in ActionType (LogonSuccess / LogonFailed), not a LogonResult column

Purpose: Detect failed logon attempts that may indicate the use of stolen credentials.

  9. Monitor for Suspicious Logons Using Valid Accounts

IdentityLogonEvents | where AccountName has_any ("admin", "administrator", "svc_") and LogonType == "Interactive" | project Timestamp, AccountName, AccountDomain, LogonType, DeviceName

Purpose: Identify suspicious logons using valid accounts that typically do not log on interactively.

  10. Detect Use of Valid Accounts for Unusual Processes

DeviceProcessEvents | where InitiatingProcessAccountName has_any ("admin", "administrator", "svc_") and not(ProcessCommandLine has_any ("cmd.exe", "powershell.exe", "explorer.exe")) | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // has_not_any is not a KQL operator; negate has_any instead

Purpose: Monitor for the use of valid accounts by processes that are not typically associated with administrative tasks.
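All of the queries above decide what is "privileged" or "unusual" from the account name. As an added example (not part of the original page), the following baselines which account/device pairs are normal over 30 days and reports logons in the last day that have no precedent, together with how many of them fell outside business hours and how many carried local-admin rights. It assumes the DeviceLogonEvents table of the Defender XDR advanced hunting schema (Timestamp is UTC); the two windows and the 22:00 to 06:00 off-hours band are this example's own choices.

```kql
// Added example: first-time (account, device) logons with off-hours and local-admin context.
let baselineWindow = 30d;
let recentWindow = 1d;
// Every account/device pair seen succeeding in the baseline period counts as known.
let KnownPairs = DeviceLogonEvents
    | where Timestamp between (ago(baselineWindow + recentWindow) .. ago(recentWindow))
    | where ActionType == "LogonSuccess"
    | distinct AccountDomain, AccountName, DeviceName;
DeviceLogonEvents
| where Timestamp > ago(recentWindow)
| where ActionType == "LogonSuccess"
| where LogonType in ("RemoteInteractive", "Network", "Interactive")
// Drop machine accounts (COMPUTER$) and built-in service identities to focus on user identities.
| where AccountName !endswith "$" and AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
// leftanti keeps only the rows with no matching known pair.
| join kind=leftanti KnownPairs on AccountDomain, AccountName, DeviceName
| extend OffHours = hourofday(Timestamp) >= 22 or hourofday(Timestamp) < 6
| summarize FirstSeen = min(Timestamp), Logons = count(),
            OffHoursLogons = countif(OffHours),
            LocalAdminLogons = countif(IsLocalAdmin == true),
            LogonTypes = make_set(LogonType),
            SourceIPs = make_set(RemoteIP, 5)
    by AccountDomain, AccountName, DeviceName
| order by LocalAdminLogons desc, OffHoursLogons desc, FirstSeen desc
```

A new pair is not an incident by itself (new hires and new machines produce them daily); the ordering puts the pairs that are also off-hours and local-admin at the top, which is where a valid-accounts review should start.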

7. T1202 - Indirect Command Execution

Objective: Detect indirect methods of command execution, such as using legitimate tools or services, to evade detection.

  1. Detect Execution via Scheduled Tasks

DeviceProcessEvents | where ProcessCommandLine has "schtasks /create" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the creation of scheduled tasks for indirect command execution.

  2. Monitor for Execution via Registry Auto-Run Keys

DeviceRegistryEvents | where RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\Run" or RegistryKey endswith @"\Microsoft\Windows\CurrentVersion\RunOnce" | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName // Defender records keys as HKEY_LOCAL_MACHINE\... and per-user hives, not HKLM\ or HKCU\; endswith covers both

Purpose: Detect execution of commands via registry auto-run keys.

  3. Identify Commands Executed via WMI

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has_any ("process call create", "path win32_process") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for commands executed via Windows Management Instrumentation (WMI).

  4. Detect Indirect Execution via COM Object Hijacking

DeviceProcessEvents | where ProcessCommandLine has "regsvr32.exe" and ProcessCommandLine has ".dll" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify indirect command execution via COM object hijacking.

  5. Monitor for Execution via Service Binary

DeviceProcessEvents | where ProcessCommandLine has "sc config" and ProcessCommandLine has "binpath=" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect modification of service binaries for indirect command execution.

  6. Identify Execution via Task Scheduler

DeviceProcessEvents | where ProcessCommandLine has "schtasks" and ProcessCommandLine has_any ("/TN", "/TR", "/SC") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the creation of scheduled tasks that execute commands indirectly.

  7. Detect Execution via Office Macros

DeviceProcessEvents | where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE") and FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe") | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessAccountName // a macro shows up as the Office application spawning an interpreter, not as the word "macro" in a command line

Purpose: Identify command execution through Office macros.

  8. Monitor for Execution via Remote Desktop Services

DeviceLogonEvents | where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive" | summarize LogonCount = count() by AccountName, DeviceName, bin(Timestamp, 1h) // the account column is AccountName and there is no LogonTime column; bin() gives the hourly buckets the original intended

Purpose: Detect command execution through Remote Desktop Services.

  9. Identify Execution via Group Policy Objects (GPOs)

DeviceProcessEvents | where ProcessCommandLine has "gpo.ps1" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for commands executed via GPO scripts.

  10. Detect Execution via Software Deployment Tools

DeviceProcessEvents | where ProcessCommandLine has_any ("ccmexec.exe", "msiexec.exe") and ProcessCommandLine has "/i" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify command execution using software deployment tools.
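The queries above key on the command that registers the task, service or WMI call. As an added example (not part of the original page), the following looks at the other end: what the Task Scheduler, the Service Control Manager and the WMI provider host actually spawn, ranked so that rare command lines come first. It assumes the DeviceProcessEvents table of the Defender XDR advanced hunting schema and the parent-process facts it relies on (scheduled tasks run under the svchost.exe instance hosting the Schedule service, services are children of services.exe, WMI-created processes are children of WmiPrvSE.exe); the interpreter list and lookback are this example's own choices.

```kql
// Added example: interpreters and LOLBins launched by the task, service and WMI hosts, rarest first.
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend Host = case(
    InitiatingProcessFileName =~ "wmiprvse.exe", "WMI",
    InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "Schedule", "Scheduled task",
    InitiatingProcessFileName =~ "services.exe", "Service",
    "")
| where isnotempty(Host)
// Direct children that are themselves service binaries are normal; interpreters and LOLBins are the payload carriers.
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe", "bitsadmin.exe")
| summarize Executions = count(), Devices = dcount(DeviceName), Accounts = make_set(AccountName, 5),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by Host, FileName, ProcessCommandLine
// Fleet-wide maintenance tasks run on many devices many times; a command line seen once on one device is the outlier.
| order by Devices asc, Executions asc
```

Reading the result from the top gives the one-off task or service command lines; the bottom of the list is the baseline of legitimate scheduled maintenance that a name-based rule would have mixed in with them.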

8. T1497 - Virtualization/Sandbox Evasion

Objective: Detect techniques used to evade detection in virtualized or sandboxed environments.

  1. Detect Queries for Virtual Machine Artifacts

DeviceProcessEvents | where ProcessCommandLine has_any ("vmware", "VirtualBox", "Hyper-V", "vbox") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify processes querying for virtualization-related artifacts.

  2. Monitor for Use of CPUID Instruction

DeviceProcessEvents | where ProcessCommandLine has "cpuid" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of the CPUID instruction to identify virtualization.

  3. Identify Execution of Known Sandbox Detection Tools

DeviceProcessEvents | where ProcessCommandLine has_any ("sandbox", "unpack", "vm") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName // "vm" as a term is very noisy; expect to add exclusions

Purpose: Monitor for execution of tools designed to detect sandboxes or virtual environments.

  4. Detect Time Delay Execution

DeviceProcessEvents | where ProcessCommandLine has_any ("sleep", "timeout") and ProcessCommandLine matches regex @"\d{5,}" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify processes that include long time delays to evade sandbox detection.

  5. Monitor for Use of Anti-Debugging Techniques

DeviceProcessEvents | where ProcessCommandLine has_any ("IsDebuggerPresent", "CheckRemoteDebuggerPresent") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect anti-debugging techniques used to evade detection in analysis environments.

  6. Identify Processes Checking for Mouse or Keyboard Input

DeviceProcessEvents | where ProcessCommandLine has_any ("GetAsyncKeyState", "GetCursorPos") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for processes that check for user input to determine if they are running in a sandbox.

  7. Detect Processes Checking for Sandbox Registry Keys

DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum" or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc." | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, InitiatingProcessAccountName // Defender records keys as HKEY_LOCAL_MACHINE\..., and DeviceRegistryEvents records modifications, not reads

Purpose: Identify changes to registry keys associated with virtualization (registry reads are not recorded in this table, so queries of these keys cannot be seen here).

  8. Monitor for Network Artifacts of Virtualization

DeviceNetworkEvents | where RemoteIP in ("192.168.56.1", "192.168.1.1", "10.0.2.15") | project Timestamp, DeviceName, RemoteIP, InitiatingProcessAccountName

Purpose: Detect network traffic indicative of virtualized environments.

  9. Identify Processes Checking for Virtualized CPU Features

DeviceProcessEvents | where ProcessCommandLine has_any ("inl %ebx", "mov %ecx, %eax") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for low-level CPU instructions that may be used to detect virtualization.

  10. Detect Processes Attempting to Disable Virtualization Detection

DeviceProcessEvents | where ProcessCommandLine has_any ("vmmemctl", "vmxnet3", "vmtoolsd") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify processes attempting to disable or interfere with virtualization detection mechanisms.
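The time-delay query above matches any five-digit number anywhere in a command line that also mentions sleep or timeout. As an added example (not part of the original page), the following extracts the delay value itself from the common stalling idioms (timeout, Start-Sleep, sleep, ping -n) and keeps only delays above a threshold. SampleDelays is a constructed stand-in for DeviceProcessEvents with four made-up rows (column names per the Defender XDR advanced hunting schema); the regexes and the 300-second threshold are this example's own choices.

```kql
// Added example: extract the actual stall length instead of matching any long number.
// SampleDelays is a constructed stand-in for DeviceProcessEvents; replace it with the real table.
let minDelaySeconds = 300;
let SampleDelays = datatable(Timestamp:datetime, DeviceName:string, InitiatingProcessAccountName:string, ProcessCommandLine:string)
[
    // Constructed: ten-minute stall before launching a dropped binary.
    datetime(2024-01-01 12:00:00), "ws01", "bob", @"cmd.exe /c timeout /t 600 && start C:\Users\bob\AppData\Local\Temp\u.exe",
    // Constructed: fifteen-minute PowerShell stall.
    datetime(2024-01-01 12:01:00), "ws01", "bob", @"powershell.exe -c Start-Sleep -Seconds 900; & C:\Users\bob\AppData\Local\Temp\setup.exe",
    // Constructed: the classic five-second ping pause in a batch file; below threshold.
    datetime(2024-01-01 12:02:00), "ws02", "alice", "cmd.exe /c ping 127.0.0.1 -n 5 > nul",
    // Constructed: short timeout; below threshold.
    datetime(2024-01-01 12:03:00), "ws02", "alice", "cmd.exe /c timeout /t 10"
];
SampleDelays
// coalesce() takes the first extract() that produced a value; each regex captures the number of seconds.
| extend DelaySeconds = toint(coalesce(
      extract(@"(?i)\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", 1, ProcessCommandLine),
      extract(@"(?i)start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", 1, ProcessCommandLine),
      extract(@"(?i)\bsleep\s+(\d+)", 1, ProcessCommandLine),
      extract(@"(?i)\bping\b.*-n\s+(\d+)", 1, ProcessCommandLine)))
| where isnotnull(DelaySeconds) and DelaySeconds >= minDelaySeconds
| project Timestamp, DeviceName, InitiatingProcessAccountName, DelaySeconds, ProcessCommandLine
| order by DelaySeconds desc
```

On the constructed rows the 600- and 900-second stalls are returned and the two short pauses are not. Start-Sleep also accepts -Milliseconds, and a stall can be hidden inside a script file rather than the command line, so this complements rather than replaces the file-based queries.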
