SOC Prime Bias: Critical

04 Jul 2026 07:08 UTC

Tracking the Defence Impairment Olympics

Author Photo
SOC Prime Team linkedin icon Follow
Tracking the Defence Impairment Olympics
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A threat actor exploited vulnerabilities in Adobe ColdFusion to deploy steganographic webshells on a public-facing web server. After gaining initial access, the attacker carried out aggressive defense-impairment activity, including disabling Microsoft Defender, terminating security logging services, and modifying registry settings. The operation ultimately appeared focused on credential dumping with Mimikatz after weakening host protections.

Investigation

The investigation started when analysts detected reconnaissance commands such as whoami launching from the IIS worker process, w3wp.exe. Further analysis uncovered steganographic webshells hidden inside image files and a batch script named i.bat that automated the shutdown of security controls. Additional forensic review revealed timestomping and registry tampering used to support credential theft and reduce visibility.

Mitigation

Organizations should ensure that all software, especially internet-facing platforms such as Adobe ColdFusion, is fully patched against known vulnerabilities. Deploying resilient centralized logging that cannot be easily altered from the local host is also critical. In addition, hardening registry-based security settings and monitoring for unauthorized changes to security provider configurations can help disrupt defense-impairment activity.

Response

If this activity is detected, security teams should isolate the affected web server immediately to prevent further movement or data loss. All credentials that may have been exposed or cached during the intrusion should be revoked and rotated. A full forensic sweep should then be performed to identify and remove steganographic artifacts, as well as any unauthorized scheduled tasks or WMI event consumers.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: An adversary has successfully gained local administrator access on a workstation. To facilitate the deployment of a credential harvester (like Mimikatz) without triggering an alert, the attacker decides to disable Windows Defender’s real-time scanning. They choose to use a one-liner PowerShell command to minimize their footprint, specifically targeting the Set-MpPreference cmdlet to disable real-time monitoring and script scanning. This action is intended to create a “blind spot” on the endpoint.

  • Regression Test Script:

    # Simulation Script: Triggering the 'selection_command' logic
    # NOTE: This script must be run as Administrator to succeed in changing Defender settings.
    # It is designed to trigger the detection rule via exact string match.
    
    Write-Host "[+] Starting Simulation: Disabling Windows Defender Protections..." -ForegroundColor Cyan
    
    # Triggering 'Set-MpPreference -DisableRealtimeMonitoring $true'
    Write-Host "[+] Executing: Set-MpPreference -DisableRealtimeMonitoring $true"
    Set-MpPreference -DisableRealtimeMonitoring $true
    
    # Triggering 'Set-MpPreference -DisableScriptScanning $true'
    Write-Host "[+] Executing: Set-MpPreference -DisableScriptScanning $true"
    Set-MpPreference -DisableScriptScanning $true
    
    # Triggering 'Set-MpPreference -SubmitSamplesConsent NeverSend'
    Write-Host "[+] Executing: Set-MpPreference -SubmitSamplesConsent NeverSend"
    Set-MpPreference -SubmitSamplesConsent NeverSend
    
    # Triggering 'selection_file' logic by creating and executing a dummy file
    Write-Host "[+] Executing: Creating and running DisableDefender.ps1"
    "Write-Host 'Simulated Evasion'" | Out-File -FilePath "$env:TEMPDisableDefender.ps1"
    & "$env:TEMPDisableDefender.ps1"
    
    Write-Host "[+] Simulation Commands Completed." -ForegroundColor Green
  • Cleanup Commands:

    # Cleanup Script: Re-enabling protections and removing artifacts
    Write-Host "[!] Starting Cleanup..." -ForegroundColor Yellow
    
    # Re-enable protections
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -DisableScriptScanning $false
    Set-MpPreference -SubmitSamplesConsent AutoLimit
    
    # Remove the dummy script
    if (Test-Path "$env:TEMPDisableDefender.ps1") {
        Remove-Item -Path "$env:TEMPDisableDefender.ps1" -Force
        Write-Host "[+] Dummy script removed."
    }
    
    Write-Host "[+] Cleanup Complete. System returned to baseline." -ForegroundColor Green