T1562.001 – Disable or Modify Tools (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-DISABLE-TOOLS-1562-7842
Alert Time: 2024-03-07 10:30:22 EST
Severity: CRITICAL (96/100)
Source: Microsoft Defender for Endpoint
Rule: “Tampering with Security Tools Detected”
MITRE ATT&CK: T1562.001 – Impair Defenses: Disable or Modify Tools

Alert Details:

Detection: Attempt to disable multiple security tools on domain controller

Host: DC-01 (Primary Domain Controller)
User: SYSTEM (via compromised admin account)
Time: 10:15-10:30 EST

Commands Executed (from process creation):

Disable Windows Defender:

10:15:22 – powershell Set-MpPreference -DisableRealtimeMonitoring $true

10:15:45 – powershell Set-MpPreference -DisableBehaviorMonitoring $true

10:16:12 – powershell Set-MpPreference -DisableBlockAtFirstSeen $true

10:16:38 – powershell Set-MpPreference -DisableIOAVProtection $true

10:17:05 – powershell Add-MpPreference -ExclusionPath C:\Windows\Temp

10:17:33 – powershell Add-MpPreference -ExclusionProcess cmd.exe

Disable Windows Firewall:

10:18:01 – netsh advfirewall set allprofiles state off

Stop Security Services:

10:18:28 – sc stop WinDefend

10:18:55 – sc stop Sense (Microsoft Defender ATP)

10:19:22 – sc stop WdNisSvc (Network Inspection)

10:19:48 – sc stop MpsSvc (Firewall)

Disable Event Logging:

10:20:15 – wevtutil set-log Security /enabled:false

10:20:42 – wevtutil set-log System /enabled:false

10:21:08 – wevtutil set-log Application /enabled:false

Disable Audit Policies:

10:21:35 – auditpol /set /category:* /success:disable /failure:disable

Process Details:

Process: psexec.exe from compromised admin workstation
Source IP: 185.143.221[.]89
Account: jwilson (domain admin, compromised)

Detection Logic:

Multiple commands to disable security tools
Defender settings modified (real-time monitoring off, exclusions added)
Firewall disabled
Security services stopped
Event logging and audit policies disabled
Pattern matches attacker disabling defenses before ransomware
SOC Investigation Process

Step                    Action                              Tools Used                  Findings
1. Alert Validation     Verify Defender alerts              Microsoft 365 Defender      Confirmed defense disablement on DC
2. Immediate Action     Isolate DC-01                       CrowdStrike, Network ACLs   DC-01 quarantined
3. Re-enable Defenses   Re-enable all security tools        PowerShell, Group Policy    Defender, Firewall, logging re-enabled
4. Account Remediation  Disable compromised admin account   Azure AD, AD                jwilson account disabled; password reset
5. Network Block        Block attacker IP                   Palo Alto                   185.143.221[.]89 blocked
6. Incident Response    Activate emergency response         Management, Legal           Potential ransomware prep

Jira Incident Report
Ticket: SOC-2024-185
Summary: T1562.001 – Attacker Disables Security Tools on Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Defenses Restored
Priority: P1 – CRITICAL
Labels: T1562, disable-tools, defender-tampering, domain-controller, compromised-admin
Components: Endpoint-Security, Identity-Management

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “Tampering with Security Tools Detected”.
Host: DC-01 (Primary Domain Controller).
Actions: Defender, Firewall, logging, audit policies disabled.
Time: 2024-03-07 10:30 EST.
Technique: MITRE ATT&CK T1562.001 – Impair Defenses: Disable or Modify Tools.

2. Technical Analysis:

Attack Chain:

09:30 – jwilson (domain admin) account compromised via phishing
09:45 – Attacker logs into admin workstation via RDP
10:00 – Attacker uses psexec to push script to DC-01
10:15-10:30 – Defense disablement commands executed
10:30 – Defender detects tampering

Defenses Disabled:

Windows Defender: Real-time monitoring off, behavior monitoring off, exclusions added (Temp, cmd.exe)
Windows Firewall: Completely disabled
Security Services: WinDefend, Sense (ATP), WdNisSvc, MpsSvc stopped
Event Logging: Security, System, Application logs disabled
Audit Policies: All success/failure auditing disabled

Attacker Intent:

Prepare for ransomware deployment
Prevent detection during encryption
Disable logging to cover tracks
Disable firewall to allow C2 communication

Compromised Admin:

jwilson (Domain Admin)
No MFA (now enforced)

3. Investigation Findings:

Timeline:

09:30 – Admin account compromised
09:45 – Attacker logs in
10:00 – Access to DC
10:15-10:30 – Defense disablement
10:30 – Alert
10:32 – SOC investigates
10:33 – DC isolated
10:34 – Defenses re-enabled
10:35 – Admin account disabled

Indicators of Compromise (IoCs):

Commands:

– Set-MpPreference -DisableRealtimeMonitoring $true

– Set-MpPreference -DisableBehaviorMonitoring $true

– Add-MpPreference -ExclusionPath C:\Windows\Temp

– netsh advfirewall set allprofiles state off

– sc stop WinDefend

– sc stop Sense

– wevtutil set-log Security /enabled:false

– auditpol /set /category:* /success:disable /failure:disable

Account:

– jwilson (compromised)

Network:

– Attacker IP: 185.143.221[.]89

4. Containment Actions:

Immediate Actions:

Isolated DC-01.
Re-enabled all Defender settings.
Restarted security services.
Re-enabled Windows Firewall.
Re-enabled event logs.
Re-enabled audit policies.
Disabled jwilson account.
Reset password.
Blocked attacker IP.

Domain-Wide Actions:

Verified no other DCs affected.
Checked for ransomware (none found).
Rotated krbtgt password (precaution).

Host Remediation:

Full scan (clean).
Verified no persistence.

5. Root Cause Analysis:

Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin account.
Admin had access to DC.

6. Business Impact:

Operational Impact: DC offline for 10 minutes (isolation and restoration).
Security Impact: Defenses down for 15 minutes; no ransomware executed.

7. Remediation & Prevention:

Completed Actions:

Defenses restored.
Admin account secured.
Attacker blocked.

Technical Controls Enhanced:

Enforced MFA for all admins.
Moved admin access behind VPN only.
Implemented Privileged Access Workstations.
Created alert for defense disablement attempts.
Enabled tamper protection in Defender.

8. Conclusion:

An attacker compromised a domain admin account and systematically disabled security defenses on the domain controller, preparing for ransomware deployment. Defender detected the tampering and enabled rapid restoration before any encryption could occur.

Closure Rationale: Defenses restored; admin account secured; ransomware prevented.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-07 11:30 EST
