Windows 10 Core Isolation deactivation via registry

You can deactivate the Windows 10 Core Isolation function by changing the following Registry Key and therefore do "Tampering with Windows 10 Device Protection Security - Switching off Core Isolation or HypervisorEnforcedCodeIntegrity"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

Set "Enabled" to

• 0 = deactivated (off)
  
• 1 = activated (on)
  

Microsoft about Windows 10 Core Isolation or HypervisorEnforcedCodeIntegrity: "Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device. Select 'Core isolation details' to enable, disable, and change the settings for core isolation features."

https://support.microsoft.com/en-us/help/4096339/windows-10-device-protection-in-windows-defender-security-center

Mitre ATT&CK tactic: Persistence, Defense Evasion

Mitre ATT&CK sub-technique of T1060 or T1019

Required Permissions: HKEY_LOCAL_MACHINE keys require administrator access to create and modify

OS Credential Dumping - Att&ck T1003

Some places to start to monitor (e.g. for unexpected processes interacting with one of the following), collector forensics and try to protect for OS Credential Dumping Mitre Att&ck T1003 are:

Place ----- ATT&CK Subtechnique ID

LSASS Memory -----T1003.001

Security Account Manager ----- T1003.002

NTDS ----- T1003.003

LSA Secrets ----- T1003.004

Cached Domain Credentials ----- T1003.005

DCSync ----- T1003.006

Proc Filesystem ----- T1003.007

/etc/passwd ----- T1003.008

/etc/shadow ----- T1003.008

Each attack technique is described with examples, as well as possible mitigations and detections.

SIEM IoC regsvr32.exe outbound network connection

An easy to find possible indicator of compromise (IoC) for your SIEM, AEP or EDR could be a outbound network connection from Windows own register server regsvr32.exe (Microsoft Docs or Wiki). Normally the register server never establishes an outbound network connection to the internet. It is a commonly used evasion technique to avoid detection and has its own MITRE Att&ck technique with ID T1117 (or new sub-techniques T1218/010 and can be mapped to the MITRE Att&ck tactics Execution TA0002 and Defense Evasion TA0005.

A starting point can be searching your SIEM logs for network connections from regsvr32.exe to a not RFC1918 private ip address and your IPv6 address space.

Mitigations could be using the Windows firewall to block outbound network connections from regsvr32.exe or as MITRE Att&ck writes:

"Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. Identify and block potentially malicious software executed through regsvr32 functionality by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate."

More useful searches for Splunk & Sysmon environments can be found on Github, example: https://github.com/mitre-attack/car/issues/11 and testing if your AEP/EDR/Sysmon or log-collection-tool actually logs regsvr32 events is described here: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md
 

Sysmon 11 released

Many SIEM installations use sysinternals sysmon as one of many data sources. Mark Russinovich (Microsoft Azure CTO, co-creator of sysinternals) released a video explaining some of the new features of Sysmon 11, which was released on 28th April.

A new useful feature is archiving a file, just before it is deleted. Some attackers delete their tools after gathering information. In order to understand their tools or even search for MD5 or imphashes, the sysmon 11 archiving function can be helpful.


(Source: https://www.youtube.com/watch?v=_MUP4tgdM7s)