Skip to main content

 

Splunk Lantern

Detecting the disabling of security tools

 

To avoid detection and ensure barrier-free operation during attacks, attackers can use tactics such as modifying the configuration of security tools or disabling them to prevent them from running. These searches look for activity consistent with attackers attempting to disable different security mechanisms.

​Required data

Endpoint data that records process activity from your hosts, and logs with both the process name and command line from your endpoints. Use this data to populate the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.

How to use Splunk software for this use case

► Sc.exe manipulating Windows services

This search looks for arguments made to sc.exe, indicating the creation or modification of a Windows service.

Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior that you should validate and investigate as necessary.

| tstats summariesonly=false allow_old_summaries=true values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=sc.exe ("Processes.process"="* create *" OR "Processes.process"="* config *")) BY "Processes.process_name", "Processes.parent_process_name", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
► Unload Sysmon filter driver

This search looks for process fltMC.exe used to unload a Sysmon driver that will stop Sysmon from collecting data.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, values("Processes.process") AS process, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=fltMC.exe "Processes.process"=*unload* "Processes.process"=*SysmonDrv*) BY "Processes.process_name", "Processes.process_id", "Processes.parent_process_name", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| table firstTime, lastTime, dest, user, count, process_name, process_id, parent_process_name, process
 
►Attempt to add certificate to untrusted store

This search looks for attempts to add a certificate to the untrusted certificate store.

False positives from this search might occur since there may be legitimate reasons for administrators to add a certificate to the untrusted certificate store, typically done on a large number of systems.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, values("Processes.process") AS process, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=certutil.exe OR "Processes.original_file_name"=CertUtil.exe) "Processes.process"=*-addstore*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
 
► Processes launching netsh

The search looks for processes spawned by netsh.exe which execute commands via the command line. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.

False positives from this search might occur since some VPN applications can launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.

| tstats summariesonly=false allow_old_summaries=true count, values("Processes.process") AS "Processes.process", min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"=netsh.exe OR "Processes.original_file_name"=netsh.exe) BY "Processes.parent_process_name", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.user", "Processes.dest" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
 
 
Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, these Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.