MalwareAnalysisSeries

This repository contains the analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains extracted TTPs with code, along with the corresponding detection rules.


Project maintained by shaddy43. Hosted on GitHub Pages.

MedusaLocker: Disable UAC

MedusaLocker Image

This TTP disables UAC on the victim system and has been extracted from MedusaLocker ransomware. It modifies registry keys to disable UAC. It requires admin privileges and a restart to completely disable UAC on the system. Once the test case has executed successfully, every process will open as admin by default.

Detection Indicators

The detection indicators in the UAC bypass TTP of MedusaLocker Ransomware are:

Log Sources

I have configured multiple log sources in my detection lab. I am using Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Defender XDR

The following query looks for registry events and filters them on the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System”, which MedusaLocker ransomware uses to bypass UAC. This key can be used to enable or disable UAC on the system. If the EnableLUA value is set to 0, then after a restart every process will start as admin by default.

DeviceRegistryEvents
// Narrow to the UAC policy key that MedusaLocker modifies
| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName
// EnableLUA written as exactly 0 (a bare contains "0" would also match other data)
| where RegistryValueName contains "EnableLUA" and RegistryValueData == "0"

detection rule1

Detection Engineering with Sysmon

The query logic is similar for Sysmon logs. The Event IDs related to registry changes are 12, 13 and 14. I am looking for registry-related events whose target object contains “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System”. The Sysmon configuration I am using also provides MITRE ATT&CK mapping in the RuleName field, which can be seen in the results.

WindowsEvent //(sysmon)
// 12 = key/value create or delete, 13 = value set, 14 = key/value rename
| where EventID in (12, 13, 14)
| where EventData contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| project TimeGenerated, Computer, EventID, EventType = EventData.EventType, Image = EventData.Image, RuleName = EventData.RuleName, TargetObject = EventData.TargetObject
// Keep only writes that touch the EnableLUA value itself
| where TargetObject contains "EnableLUA"

detection rule2

Detection Engineering with SIGMA

I found the following SIGMA rule in the SigmaHQ GitHub repository that detects this specific TTP.

title: UAC Disabled
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 0d7ceeef-3539-4392-8953-3dc664912714
      type: similar
status: stable
description: |
    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2022/01/05
modified: 2024/05/10
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA' #EventData.TargetObject
        Details: 'DWORD (0x00000000)' #EventData.Details
    condition: selection
falsepositives:
    - Unknown
level: medium
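To show how the Sigma selection above (and the equivalent Sysmon KQL) behaves on concrete telemetry, here is an added Python example that is not part of this repository or of SigmaHQ. It transcribes the rule's selection into a function and runs it over constructed Sysmon Event ID 13 records; the process paths and event values are made up for the test, and it generalises the rule to case-insensitive matching, which is how both Sigma modifiers and KQL `contains` compare strings.

```python
from dataclasses import dataclass

@dataclass
class SysmonRegistryEvent:
    """Subset of Sysmon EventData fields the Sigma rule references (constructed)."""
    event_id: int
    image: str          # EventData.Image, the writing process
    target_object: str  # EventData.TargetObject, full value path
    details: str        # EventData.Details, e.g. "DWORD (0x00000000)"

# Selection transcribed from the "UAC Disabled" rule: both fields must match.
TARGET_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
DISABLED_DWORD = "DWORD (0x00000000)"

def is_uac_disabled(ev: SysmonRegistryEvent) -> bool:
    """True when a registry value-set (Sysmon ID 13, Sigma 'registry_set')
    writes EnableLUA = 0. Matching is case-insensitive like Sigma and KQL."""
    return (
        ev.event_id == 13
        and TARGET_SUFFIX.lower() in ev.target_object.lower()
        and ev.details.lower() == DISABLED_DWORD.lower()
    )

def hunt(events):
    """Return the writing process of every event that disables UAC."""
    return [ev.image for ev in events if is_uac_disabled(ev)]

# Constructed sample telemetry: one true positive, one benign re-enable,
# one unrelated value under the same key, and a create event with no data.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    SysmonRegistryEvent(13, r"C:\Users\victim\AppData\Local\Temp\sample.exe",
                        POLICY_KEY + r"\EnableLUA", "DWORD (0x00000000)"),
    SysmonRegistryEvent(13, r"C:\Windows\regedit.exe",
                        POLICY_KEY + r"\EnableLUA", "DWORD (0x00000001)"),
    SysmonRegistryEvent(13, r"C:\Windows\System32\svchost.exe",
                        POLICY_KEY + r"\ConsentPromptBehaviorAdmin", "DWORD (0x00000005)"),
    SysmonRegistryEvent(12, r"C:\Windows\System32\svchost.exe",
                        POLICY_KEY + r"\EnableLUA", ""),
]

if __name__ == "__main__":
    for image in hunt(SAMPLE_EVENTS):
        print(f"ALERT UAC Disabled: EnableLUA set to 0 by {image}")
```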