MalwareAnalysisSeries

This repository contains the analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains extracted TTPs with code, along with the corresponding detection rules.


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker: Disable UAC Prompt

MedusaLocker Image

This TTP is used to disable the UAC prompt on the victim system and has been extracted from MedusaLocker Ransomware. It modifies registry keys to disable the UAC prompt. It requires Admin privileges to disable the UAC prompt on the system. Once the test case has been executed successfully, every process can be opened as admin without the admin consent prompt being shown on the screen.

The test case doesn't necessarily disable UAC itself; it only disables the prompt, which means that the malware can open any process as admin without any consent from the user and can easily elevate privileges.

Detection Indicators

The detection indicators in the UAC disable TTP of MedusaLocker Ransomware are:

Log Sources

I have configured multiple log sources in my detection lab. I am using Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Defender XDR

The following query looks for registry events and filters the data on the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", which MedusaLocker ransomware uses to disable the UAC prompt. This key controls UAC behaviour and can therefore be used to weaken or bypass UAC on the system. If the ConsentPromptBehaviorAdmin value is set to 0, every process can be started as admin without a prompt.

DeviceRegistryEvents
| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| project TimeGenerated, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, InitiatingProcessFileName
// compare the data exactly: 'contains "0"' would also match any other data that merely includes a zero
| where RegistryValueName contains "ConsentPromptBehaviorAdmin" and RegistryValueData == "0"

detection rule1

Detection Engineering with Sysmon

The query logic is similar for Sysmon logs. The EventIDs related to registry changes are 12, 13 and 14. I am looking for registry-related events whose target object contains "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System". The Sysmon configuration I am using also provides MITRE mapping in the RuleName field, which can be seen in the results.

WindowsEvent //(sysmon)
| where EventID in (12, 13, 14)
| where EventData contains "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
| project TimeGenerated, Computer, EventID, EventType = EventData.EventType, Image = EventData.Image, RuleName = EventData.RuleName, TargetObject = EventData.TargetObject
| where TargetObject contains "ConsentPromptBehaviorAdmin" 

detection rule2

Detection Engineering with SIGMA Rule

The following rule detects when an attacker tries to disable the User Account Control (UAC) prompt by setting the registry value "ConsentPromptBehaviorAdmin" to 0.

title: UAC Prompt Disabled
id: 5fdcb72d-3649-4474-845f-b0d3b161a91c
related:
    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038
      type: similar
    - id: 0d7ceeef-3539-4392-8953-3dc664912714
      type: similar
    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
      type: similar
status: stable
description: |
    Detects when an attacker tries to disable User Account Control Prompt (UAC) by setting the registry value "ConsentPromptBehaviorAdmin" to 0.
references:
    - https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0#:~:text=ConsentPromptBehaviorAdmin
author: Shayan Ahmed Khan (shaddy43)
date: 2024/08/07
modified: 2024/08/07
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin' #EventData.TargetObject
        Details: 'DWORD (0x00000000)' #EventData.Details
    condition: selection
falsepositives:
    - Unknown
level: medium
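As an added example (not code from the repository), the selection logic shared by the Sysmon query and the Sigma rule above, applied offline to constructed Sysmon registry records: only EventID 13 (value set) events whose TargetObject contains the ConsentPromptBehaviorAdmin path and whose Details is DWORD 0 produce an alert. The record layout, hostnames and image paths are constructed for the demonstration.

```python
"""Offline matcher for the UAC-prompt-disabled detection described on this page."""
from dataclasses import dataclass

# Path fragment and value taken from the Sigma rule above.
TARGET_FRAGMENT = r"\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"
DISABLED_DETAILS = "DWORD (0x00000000)"


@dataclass
class Alert:
    computer: str
    image: str
    target_object: str
    details: str


def matches_uac_prompt_disabled(event: dict) -> bool:
    """True when a Sysmon registry event satisfies the rule's selection.

    Only EventID 13 (RegistryEvent - Value Set) carries Details, so key
    create/delete (12) and rename (14) events cannot match; this mirrors the
    Sigma 'registry_set' logsource category.
    """
    if event.get("EventID") != 13:
        return False
    data = event.get("EventData", {})
    target = data.get("TargetObject", "")
    # Sigma 'contains' is case-insensitive; Sysmon writes mixed-case paths.
    return TARGET_FRAGMENT.lower() in target.lower() and data.get("Details") == DISABLED_DETAILS


def hunt(events: list) -> list:
    """Return one Alert per matching event."""
    return [Alert(e["Computer"], e["EventData"].get("Image", ""),
                  e["EventData"]["TargetObject"], e["EventData"]["Details"])
            for e in events if matches_uac_prompt_disabled(e)]


UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "EventData": {
        "Image": r"C:\Users\user\AppData\Roaming\sample.exe", "TargetObject": UAC_KEY,
        "Details": "DWORD (0x00000000)"}},                       # prompt disabled -> alert
    {"EventID": 13, "Computer": "ws01", "EventData": {
        "Image": r"C:\Windows\System32\svchost.exe", "TargetObject": UAC_KEY,
        "Details": "DWORD (0x00000005)"}},                       # default setting -> no alert
    {"EventID": 12, "Computer": "ws02", "EventData": {
        "Image": r"C:\Windows\regedit.exe", "TargetObject": UAC_KEY}},  # key created -> no alert
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[UAC prompt disabled] {a.computer} {a.image} -> {a.target_object} = {a.details}")
```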