Tracking the Defence Impairment Olympics
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A threat actor exploited vulnerabilities in Adobe ColdFusion to deploy steganographic webshells on a public-facing web server. After gaining initial access, the attacker carried out aggressive defense-impairment activity, including disabling Microsoft Defender, terminating security logging services, and modifying registry settings. The operation ultimately appeared focused on credential dumping with Mimikatz after weakening host protections.
Investigation
The investigation started when analysts detected reconnaissance commands such as whoami launching from the IIS worker process, w3wp.exe. Further analysis uncovered steganographic webshells hidden inside image files and a batch script named i.bat that automated the shutdown of security controls. Additional forensic review revealed timestomping and registry tampering used to support credential theft and reduce visibility.
Mitigation
Organizations should ensure that all software, especially internet-facing platforms such as Adobe ColdFusion, is fully patched against known vulnerabilities. Deploying resilient centralized logging that cannot be easily altered from the local host is also critical. In addition, hardening registry-based security settings and monitoring for unauthorized changes to security provider configurations can help disrupt defense-impairment activity.
Response
If this activity is detected, security teams should isolate the affected web server immediately to prevent further movement or data loss. All credentials that may have been exposed or cached during the intrusion should be revoked and rotated. A full forensic sweep should then be performed to identify and remove steganographic artifacts, as well as any unauthorized scheduled tasks or WMI event consumers.
Attack Flow
Detections
Suspicious WMI Event Consumer Creation (via cmdline)
View
Possible Accessibility Features via Registry Abuse (via cmdline)
View
Possible System Enumeration (via cmdline)
View
Suspicious AppCmd Activity (via cmdline)
View
Possible WDigest Registry Key Abuse (via cmdline)
View
Possible Database Credential Stealing (via cmdline)
View
Possible Account or Group Enumeration / Manipulation (via cmdline)
View
Suspicious Taskkill Execution (via cmdline)
View
Windows Defender Preferences Suspicious Changes (via powershell)
View
Suspicious IIS Logging Disabling (via cmdline)
View
Possible Discovery by Quering System Registry (via cmdline)
View
Suspicious Microsoft IIS Server Behaviour (via cmdline)
View
Possible Execution by Use of Short Script Name (via cmdline)
View
Detect Disabling of Windows Defender Protections via PowerShell [Windows Powershell]
View
Exploit Detection for CVE-2023-29298 via ColdFusion Vulnerable Paths [Webserver]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: An adversary has successfully gained local administrator access on a workstation. To facilitate the deployment of a credential harvester (like Mimikatz) without triggering an alert, the attacker decides to disable Windows Defender’s real-time scanning. They choose to use a one-liner PowerShell command to minimize their footprint, specifically targeting the
Set-MpPreferencecmdlet to disable real-time monitoring and script scanning. This action is intended to create a “blind spot” on the endpoint. -
Regression Test Script:
# Simulation Script: Triggering the 'selection_command' logic # NOTE: This script must be run as Administrator to succeed in changing Defender settings. # It is designed to trigger the detection rule via exact string match. Write-Host "[+] Starting Simulation: Disabling Windows Defender Protections..." -ForegroundColor Cyan # Triggering 'Set-MpPreference -DisableRealtimeMonitoring $true' Write-Host "[+] Executing: Set-MpPreference -DisableRealtimeMonitoring $true" Set-MpPreference -DisableRealtimeMonitoring $true # Triggering 'Set-MpPreference -DisableScriptScanning $true' Write-Host "[+] Executing: Set-MpPreference -DisableScriptScanning $true" Set-MpPreference -DisableScriptScanning $true # Triggering 'Set-MpPreference -SubmitSamplesConsent NeverSend' Write-Host "[+] Executing: Set-MpPreference -SubmitSamplesConsent NeverSend" Set-MpPreference -SubmitSamplesConsent NeverSend # Triggering 'selection_file' logic by creating and executing a dummy file Write-Host "[+] Executing: Creating and running DisableDefender.ps1" "Write-Host 'Simulated Evasion'" | Out-File -FilePath "$env:TEMPDisableDefender.ps1" & "$env:TEMPDisableDefender.ps1" Write-Host "[+] Simulation Commands Completed." -ForegroundColor Green -
Cleanup Commands:
# Cleanup Script: Re-enabling protections and removing artifacts Write-Host "[!] Starting Cleanup..." -ForegroundColor Yellow # Re-enable protections Set-MpPreference -DisableRealtimeMonitoring $false Set-MpPreference -DisableScriptScanning $false Set-MpPreference -SubmitSamplesConsent AutoLimit # Remove the dummy script if (Test-Path "$env:TEMPDisableDefender.ps1") { Remove-Item -Path "$env:TEMPDisableDefender.ps1" -Force Write-Host "[+] Dummy script removed." } Write-Host "[+] Cleanup Complete. System returned to baseline." -ForegroundColor Green