Windows Downgrade Detections, Updates Sabotage Dire Straits (Part 1)

 

There is never a good time for Windows updates, but if you run Windows and care about security you are going to have to install them eventually, right?

Some Threat Actors would prefer that those updates remain uninstalled, though. This blog, and the research that went into it, was inspired by the Scadafence paper entitled "Anatomy of a Targeted Ransomware Attack", which includes a list of attacker actions; pay particular attention to item 2 on that list.

"Disabling Windows updates", this got me thinking. I had a look through ATT&CK to try to map this TTP but to no avail, asking in the ATT&CK Slack I think "Impair Defenses: Disable or Modify Tools" (T1562.001) or "Service Stop" (T1489) seem most appropriate, but I'll leave it up to you as it could fit under a few techniques.

I couldn't find any detections for this, so I decided to make my own and share them.

Why would a threat actor want to stop Windows updates, or even roll them back? TAs, especially in the ransomware space, frequently find themselves chasing recently publicised vulnerabilities before they are patched. If the vulnerability is how initial access was achieved, and no persistence or backup route into the affected system has been established yet, you want to make sure that patching will not prevent a repeat of that initial access. I also suspect this is most attractive on systems inside the enterprise network rather than on the perimeter: leaving an internet facing system vulnerable to a recent exploit is just asking for other TAs to rain on your parade.

For this blog I've used a batch file from "Windows 10 Update Disabler" to generate the activity, with the resulting event data ingested into Splunk. Because vanilla Windows event logging is so predictable, both in format and content, these detections could easily be retrofitted for Sentinel, Elastic, Microsoft 365 Defender Advanced Hunting queries or the SIEM platform of your choice.

In this blog we are going to look at good old EventID 4688 (a new process has been created); I'll write a couple of follow-ups to cover other EventIDs. Specifically we are looking for changes to scheduled tasks made with schtasks.exe, which, as I'm sure we all know, lets someone create, delete, query, change, run and end scheduled tasks on a local or remote computer. One prerequisite: the detection relies on the command line being present in the 4688 event, which is only the case when the "Include command line in process creation events" policy (Computer Configuration > Administrative Templates > System > Audit Process Creation) is enabled on the endpoints.

Here is the SPL (swap out the index for wherever you keep your Windows event logs):

index=winlogs EventCode=4688 New_Process_Name=*\\schtasks.exe Process_Command_Line IN (*update*, *disable*)
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY New_Process_Name, Creator_Process_Name, Account_Name, ComputerName
| convert ctime(earliest) ctime(latest)
| table earliest latest Account_Name ComputerName Creator_Process_Name New_Process_Name Count Process_Command_Line

And here is what it looks like in Splunk:

"UpdateAssistant" is a Windows 10 tool that downloads and installs "feature" updates on your device, the first 3 disabled tasks on the above list all revolve around that functionality. The next two are clearly Windows Update related, the last two relate specifically to "Silent Install Helper", which installs updates in the background.

There will be a part 2 and a part 3 of this, at least, soon enough; I just need the time to set up and properly configure logging on another VM and work through the resulting data.
