-
Notifications
You must be signed in to change notification settings - Fork 326
/
CAR-2016-04-003.yaml
48 lines (47 loc) · 1.8 KB
/
CAR-2016-04-003.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
---
title: User Activity from Stopping Windows Defensive Services
submission_date: 2016/04/15
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- Situational Awareness
contributors:
- MITRE/NSA
id: CAR-2016-04-003
description: |
Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation.
Stopping services events are Windows Event Code 7036.
coverage:
- technique: T1562
tactics:
- TA0005
subtechniques:
- T1562.001
coverage: Low
implementations:
- description: Windows Event code 7036 from the System log identifies if a service has stopped or started. This analytic looks for "Windows Defender" or "Windows Firewall" that has stopped.
code: |
log_name == "System" AND
event_code == "7036"
param1 in ["Windows Defender", "Windows Firewall"] AND
param2 == "stopped"
type: pseudocode
- description: LogPoint version of the above pseudocode.
code: |
norm_id=WinServer channel="System" event_id=7036 param1 in ["Windows Defender", "Windows Firewall"] param2="stopped"
type: LogPoint
data_model: LogPoint native
unit_tests:
- configurations:
- Windows 7
description: From an administrative user powershell console, run the Stop-Service command.
commands:
- Stop-Service -displayname "Windows Firewall"
- Stop-Service -displayname "Windows Defender"
d3fend_mappings:
- iri: d3f:SystemDaemonMonitoring
id: D3-SDM
label: System Daemon Monitoring