Windows Downgrade Detections, Vanishing Updates (Part 2)

Time for part 2 of a few blog posts on threat actors disabling Windows updates. We covered the why, along with the how, in the last post; this time around we will be mostly focusing on detections.

We aren't just detecting disabled Windows updates, though: we're detecting the steps required to actually delete and remove installed updates.


First we look at usage of the Windows native binary takeown, which enables an administrator to recover access to files that were previously denied.

In this case we are looking for takeown taking ownership of folders relating to Windows updates.

Our Splunk search looks like this:

index=winlogs EventCode=4688 Process_Command_Line IN ("*\Windows 10 install\*", "*\Windows10Upgrade\*") New_Process_Name="*\\takeown.exe"
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name Account_Name ComputerName New_Process_Name
| convert ctime(earliest) ctime(latest)
| table earliest latest ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line

And the results, if something similar to Tarik Seyceri's Windows 10 update disable script has been run on a system, look like this:

To explain the command line we are seeing there: /F specifies the file or directory, /R performs the operation recursively, /A gives ownership to the Administrators group instead of the current user, /D suppresses the confirmation prompt that is displayed when the current user does not have the List Folder permission on a directory, and Y is the answer passed with that /D flag to confirm that you want ownership.

So the TA has taken ownership of these Windows update related folders. What next?

To understand the next detections we should understand what we are detecting: in this case, usage of the Windows native binary cacls.exe, or its successor icacls.

I'm going to be lazy here and quote Wikipedia, forgive me, it has been a long week.

"In Microsoft Windows, cacls and its replacement, icacls, are native command-line utilities capable of displaying and modifying the security descriptors on folders and files. An access-control list is a list of permissions for a securable object, such as a file or folder, that controls who can access it."


So with that in mind, let's look at two events.

So above we have cacls performing some kind of change on the Windows 10 install directory.


And above we have cacls performing the same changes on the Windows10Upgrade folder.

What changes is it making to both? /T changes access control for the directory specified and all of its subdirectories, /grant administrators grants control to the Administrators group, and :F specifies full control of all contents. This is the prerequisite to deleting the contents of both folders, which is what actually removes the updates from Windows.

Here's how we can search for this behaviour in Splunk:

index=winlogs EventCode=4688 New_Process_Name="*\\cacls.exe" Process_Command_Line IN ("*\Windows 10 install\*", "*\Windows10Upgrade\*")
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name Account_Name ComputerName New_Process_Name
| convert ctime(earliest) ctime(latest)
| table earliest latest ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line

Here is what that looks like in Splunk.

The deletion itself does not spawn a subprocess, as it is a built-in function of the cmd shell, but we can still base detections on the above and look for changes relating to Windows system folders.
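As an added example (not code from the original post or from Tarik Seyceri's script), here is the logic of both Splunk searches above expressed in Python and run over constructed 4688 events, so the filter and the stats grouping can be checked offline. The field names follow the searches, the sample command lines are constructed, and icacls.exe is included alongside cacls.exe as the successor mentioned above.

```python
from collections import defaultdict

# Constructed sample 4688 process-creation events (not real logs), using the field names from the post.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "ComputerName": "WS01", "Account_Name": "jdoe",
     "Creator_Process_Name": "C:\\Windows\\System32\\cmd.exe",
     "New_Process_Name": "C:\\Windows\\System32\\takeown.exe",
     "Process_Command_Line": 'takeown /F "C:\\Windows10Upgrade\\*" /R /A /D Y'},
    {"EventCode": "4688", "ComputerName": "WS01", "Account_Name": "jdoe",
     "Creator_Process_Name": "C:\\Windows\\System32\\cmd.exe",
     "New_Process_Name": "C:\\Windows\\System32\\cacls.exe",
     "Process_Command_Line": 'cacls "C:\\Windows 10 install\\*" /T /grant administrators:F'},
    {"EventCode": "4688", "ComputerName": "WS02", "Account_Name": "svc_backup",
     "Creator_Process_Name": "C:\\Windows\\System32\\cmd.exe",
     "New_Process_Name": "C:\\Windows\\System32\\takeown.exe",
     "Process_Command_Line": 'takeown /F "D:\\Backups\\share\\*" /R /A /D Y'},  # other folder: not flagged
    {"EventCode": "4688", "ComputerName": "WS01", "Account_Name": "jdoe",
     "Creator_Process_Name": "C:\\Windows\\explorer.exe",
     "New_Process_Name": "C:\\Windows\\System32\\notepad.exe",
     "Process_Command_Line": "notepad.exe"},  # unrelated binary: not flagged
]

# The two folder patterns the post's searches key on (compared case-insensitively), plus the
# binaries that change ownership or ACLs; icacls.exe is added here as the successor the post names.
UPDATE_FOLDERS = ("\\windows 10 install\\", "\\windows10upgrade\\")
ACL_BINARIES = ("takeown.exe", "cacls.exe", "icacls.exe")


def is_update_folder_acl_change(event):
    """Equivalent of the search filter: 4688, an ACL/ownership binary, update folder in the command line."""
    if event.get("EventCode") != "4688":
        return False
    binary = event.get("New_Process_Name", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("Process_Command_Line", "").lower()
    return binary in ACL_BINARIES and any(folder in cmd for folder in UPDATE_FOLDERS)


def summarise(events):
    """Equivalent of the stats clause: count and collect command lines per creator, account, host."""
    groups = defaultdict(lambda: {"Count": 0, "Process_Command_Line": []})
    for ev in events:
        if is_update_folder_acl_change(ev):
            key = (ev["Creator_Process_Name"], ev["Account_Name"], ev["ComputerName"])
            groups[key]["Count"] += 1
            groups[key]["Process_Command_Line"].append(ev["Process_Command_Line"])
    return dict(groups)


if __name__ == "__main__":
    for (creator, account, host), agg in summarise(SAMPLE_EVENTS).items():
        print(host, account, creator, agg["Count"], agg["Process_Command_Line"])
```

Both the takeown and the cacls event from the same cmd.exe parent on WS01 collapse into one row, which is the view the stats clause gives you in Splunk.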


I think there'll be at least one more blog post on this topic as I am finding it really interesting, so keep your eyes peeled for that.

