Microsoft Defender capabilities disabled
One of REvil's initial endpoint actions is to disable several Microsoft Defender for Endpoint capabilities: real-time monitoring, the intrusion prevention system (IPS), cloud lookup, script scanning, controlled folder access, network protection, and cloud sample submission. When the ransomware runs, it issues a single PowerShell Set-MpPreference command that turns all of these off at once, so if you are logging PowerShell activity you will see all of these protections being disabled together. If you are not running PowerShell logging, you can still detect the same command with Microsoft Sysmon or Windows Security logs.
Required data
Procedure
Option 1 - Search using PowerShell logging
- Add a stanza to the inputs.conf file on the client where your Splunk Universal Forwarder is installed so that it monitors WinEventLog://Microsoft-Windows-Powe...ll/Operational.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="WinEventLog:Microsoft-Windows-PowerShell/Operational" | search Message="*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend*" | table _time, host, Message
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `source="WinEventLog:Microsoft-Windows-PowerShell/Operational"` | Search only Windows PowerShell operational data. |
| `\| search Message="*Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend*"` | Search for the listed Windows Defender capabilities being turned off together in a single command line. Searching for the specific capabilities gives an exact match. Be aware, however, that an exact string match risks missing variants that reorder the parameters in the command. If you don't want to search for specific capabilities, you can replace this line with a broader wildcard search. |
| `\| table _time, host, Message` | Display the results in a table with the columns in the order shown. |
Result
If any results are returned, the infection has likely been detected, and the host where the activity was observed needs to be further investigated and remediated according to your response plan. The final step after the investigation should be re-imaging the system from a known-good build.
Option 2 - Search using Sysmon
Enter the following search into the search bar. Depending on your configuration, the source and sourcetype might vary slightly. The same logic can be applied to the EDR platform of your choice.
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 cmdline="*powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend*" | table _time, host
Search explanation
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `source="WinEventLog:Microsoft-Windows-Sysmon/Operational"` | Search only Sysmon operational data. |
| `EventCode=1` | Search for a process creation event. |
| `cmdline="*powershell.exe` | Search for a powershell.exe process. |
| `Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend*"` | Search for the listed Windows Defender capabilities being turned off together in a single command line. Searching for the specific capabilities gives an exact match. Be aware, however, that an exact string match risks missing variants that reorder the parameters in the command. If you don't want to search for specific capabilities, you can replace this line with a broader wildcard search. |
| `\| table _time, host` | Display the results in a table with the columns in the order shown. |
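Both search explanations above carry the same caveat: matching the Set-MpPreference command as one ordered string misses variants that reorder the parameters. One way to close that gap is to parse the command line into parameter/value pairs and judge each pair on its own, regardless of position. The block below is an added example written for this page, not Splunk's or Microsoft's code; it runs that order-independent check over a few constructed Sysmon-style command lines (sample data, not real telemetry). It goes beyond the page's search in also accepting PowerShell's unambiguous parameter abbreviations and the `-Parameter:Value` form, and it treats the numeric forms of the enumeration values (for example `MAPSReporting 0` or `SubmitSamplesConsent 2`) as equivalent to their names, following Defender's documented enumerations. The function names, the `WEAKENING_VALUES` table and the sample events are assumptions of the example.

```python
import re

# Constructed Sysmon EventCode=1 command lines for the example (sample data, not real telemetry).
SAMPLE_EVENTS = [
    # 0: the exact parameter order the page's Splunk search matches
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true '
    '-DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true '
    '-DisableScriptScanning $true -EnableControlledFolderAccess Disabled '
    '-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
    '-SubmitSamplesConsent NeverSend',
    # 1: same intent, but reordered, abbreviated, colon syntax and numeric enum values
    'powershell.exe -nop -w hidden -c "Set-MpPreference -SubmitSamplesConsent 2 '
    '-DisableRealtime:$true -MAPSReporting 0"',
    # 2: benign: an administrator turning real-time monitoring back on
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false',
    # 3: unrelated PowerShell activity
    'powershell.exe Get-Process',
]

# Set-MpPreference parameters that weaken Defender, mapped to the (lower-cased) values
# that weaken it. Numeric aliases follow Defender's documented enumerations
# (MAPSReporting 0 = Disabled, SubmitSamplesConsent 2 = NeverSend,
# EnableNetworkProtection / EnableControlledFolderAccess 0 = Disabled, 2 = AuditMode).
# This table is an assumption of the example, not a Microsoft artefact.
WEAKENING_VALUES = {
    "DisableRealtimeMonitoring": {"$true", "1"},
    "DisableIntrusionPreventionSystem": {"$true", "1"},
    "DisableIOAVProtection": {"$true", "1"},
    "DisableScriptScanning": {"$true", "1"},
    "EnableControlledFolderAccess": {"disabled", "0", "auditmode", "2"},
    "EnableNetworkProtection": {"disabled", "0", "auditmode", "2"},
    "MAPSReporting": {"disabled", "0"},
    "SubmitSamplesConsent": {"neversend", "2"},
}

# Split on whitespace and drop quote characters so a quoted -Command argument parses too.
TOKEN_RE = re.compile(r"""[^\s"']+""")
CMDLET_RE = re.compile(r"set-mppreference", re.IGNORECASE)


def canonical_parameter(name):
    """Resolve a parameter name, possibly abbreviated the way PowerShell allows
    (any unambiguous prefix), to its full name; None if unknown or ambiguous."""
    prefix = name.lower()
    matches = [full for full in WEAKENING_VALUES if full.lower().startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def find_weakened_settings(cmdline):
    """Return the sorted list of Defender settings this command line weakens,
    independent of the order in which the parameters appear."""
    if not CMDLET_RE.search(cmdline):
        return []
    tokens = TOKEN_RE.findall(cmdline)
    hits = set()
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        # Accept both the "-Name Value" and the "-Name:Value" forms.
        name, colon, value = tok[1:].partition(":")
        if not colon:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            value = "" if nxt.startswith("-") else nxt
        full = canonical_parameter(name)
        if full is not None and value.lower() in WEAKENING_VALUES[full]:
            hits.add(full)
    return sorted(hits)


def scan_events(events):
    """Return (index, weakened settings) for every event that weakens Defender."""
    flagged = []
    for idx, cmdline in enumerate(events):
        weakened = find_weakened_settings(cmdline)
        if weakened:
            flagged.append((idx, weakened))
    return flagged


if __name__ == "__main__":
    for idx, weakened in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: Defender weakened via {', '.join(weakened)}")
```

Run as a script, it flags events 0 and 1 and leaves the re-enable and the unrelated command alone. In Splunk the same idea can be expressed by searching for each parameter/value pair as a separate term rather than one ordered string; expect more alerts from administrators who legitimately change a single setting, which is why the example reports which settings were weakened so an analyst can weigh a lone change against the full set REvil turns off together.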
Result
If any results are returned, the infection has likely been detected, and the host where the activity was observed needs to be further investigated and remediated according to your response plan. The final step after the investigation should be re-imaging the system from a known-good build.