Carbon Black’s coverage of the 67 MITRE ATT&CK Defense Evasion techniques consists of 472 queries. Below are a few key examples of defense evasion queries for techniques that we are seeing leveraged more and more during post-exploitation (hat tip to Tony for the Shlayer obfuscation query). These queries are specific to Carbon Black, but they can be readily adapted to other tools.
PowerShell Downgrade Attacks:
modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll parent_name:powershell.exe netconn_count:[1 TO *] -cmdline:windows\ccmcache
Disabling Windows Defender:
process_name:powershell.exe AND (cmdline:"Set-MpPreference -DisableRealtimeMonitoring $true")
Shlayer Obfuscation:
process_name:bash childproc_name:openssl childproc_name:xxd childproc_name:base64
Script Processor Renaming:
Swap wscript.exe for powershell.exe, cmd.exe, cscript.exe, mshta.exe, etc. to cover each script processor that can be renamed.
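To make the logic of the three queries above concrete outside of the Carbon Black console, here is an added example (not code from the original post or from Carbon Black) that re-implements the PowerShell downgrade, Defender-disable and Shlayer queries as Python predicates and runs them over a handful of constructed process events. The event schema (a dict per process with process_name, parent_name, cmdline, netconn_count, a modloads list and a childproc_names list) is an assumption modelled loosely on Carbon Black Response fields, and the glob match approximates the console's case-insensitive path search. Note that the Defender predicate, like the page's query, keys on one exact phrase; it folds case and whitespace but will not catch `-DisableRealtimeMonitoring 1` or an abbreviated parameter name, which a practitioner should add.

```python
"""The three Carbon Black defense-evasion queries re-expressed as Python
predicates over constructed process events.  Added example; field names
are an assumption loosely modelled on Carbon Black Response."""
import fnmatch


def _norm(path):
    # Carbon Black path searches are case-insensitive; fold case and
    # separators so the glob from the query matches Windows-style paths.
    return path.lower().replace("/", "\\")


# modload:windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll
# The leading '*\' turns the query's partial path into a "contains" match.
MODLOAD_GLOB = _norm(r"*\windows\assembly\nativeimages_v*_32\*\*\system.management.automation.ni.dll")


def is_powershell_downgrade(ev):
    """PowerShell Downgrade Attacks query: a child of powershell.exe that
    loads the 32-bit native image of System.Management.Automation, has at
    least one network connection, and is not an SCCM (ccmcache) job."""
    if ev.get("parent_name", "").lower() != "powershell.exe":
        return False
    if ev.get("netconn_count", 0) < 1:                  # netconn_count:[1 TO *]
        return False
    if "windows\\ccmcache" in _norm(ev.get("cmdline", "")):  # -cmdline:windows\ccmcache
        return False
    return any(fnmatch.fnmatchcase(_norm(m), MODLOAD_GLOB) for m in ev.get("modloads", []))


DEFENDER_DISABLE = "set-mppreference -disablerealtimemonitoring $true"


def is_defender_disable(ev):
    """Disabling Windows Defender query: powershell.exe whose command line
    carries the Set-MpPreference -DisableRealtimeMonitoring $true phrase.
    Case and run-on whitespace are folded (assumption: this approximates
    the console's case-insensitive phrase search)."""
    if ev.get("process_name", "").lower() != "powershell.exe":
        return False
    cmd = " ".join(ev.get("cmdline", "").split()).lower()
    return DEFENDER_DISABLE in cmd


SHLAYER_CHILDREN = {"openssl", "xxd", "base64"}


def is_shlayer_decode_chain(ev):
    """Shlayer Obfuscation query: a bash process that has spawned openssl,
    xxd AND base64 (space-separated terms are ANDed in the console)."""
    if ev.get("process_name", "").lower() != "bash":
        return False
    children = {c.lower() for c in ev.get("childproc_names", [])}
    return SHLAYER_CHILDREN <= children


QUERIES = [
    ("PowerShell Downgrade", is_powershell_downgrade),
    ("Disable Windows Defender", is_defender_disable),
    ("Shlayer obfuscation", is_shlayer_decode_chain),
]


def run_queries(events):
    """Return [(query_name, process_guid)] for every event each query matches."""
    return [(name, ev["process_guid"]) for ev in events for name, pred in QUERIES if pred(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # powershell -version 2 spawned from PowerShell, then beacons out -> hit
        "process_guid": "ev-1", "process_name": "powershell.exe", "parent_name": "powershell.exe",
        "cmdline": r"powershell.exe -version 2 -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1",
        "netconn_count": 3,
        "modloads": [r"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Manaa57fc8cc#\1234abcd5678ef90\System.Management.Automation.ni.dll"],
    },
    {   # same module load, but an SCCM deployment script -> excluded by -cmdline:windows\ccmcache
        "process_guid": "ev-2", "process_name": "powershell.exe", "parent_name": "powershell.exe",
        "cmdline": r"powershell.exe -version 2 -File C:\Windows\ccmcache\a1\deploy.ps1",
        "netconn_count": 1,
        "modloads": [r"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Manaa57fc8cc#\1234abcd5678ef90\System.Management.Automation.ni.dll"],
    },
    {   # real-time protection switched off -> hit
        "process_guid": "ev-3", "process_name": "powershell.exe", "parent_name": "explorer.exe",
        "cmdline": "powershell.exe -Command Set-MpPreference  -DisableRealtimeMonitoring $True",
        "netconn_count": 0, "modloads": [],
    },
    {   # Shlayer-style payload decode chain under bash -> hit
        "process_guid": "ev-4", "process_name": "bash", "parent_name": "sh",
        "cmdline": "bash -c /tmp/unpack.sh", "childproc_names": ["openssl", "xxd", "base64"],
    },
    {   # only one of the three decoders spawned -> no hit
        "process_guid": "ev-5", "process_name": "bash", "parent_name": "Terminal",
        "cmdline": "bash", "childproc_names": ["base64"],
    },
]

if __name__ == "__main__":
    for name, guid in run_queries(SAMPLE_EVENTS):
        print(f"{name}: {guid}")
```

Running the block prints one line per hit (ev-1, ev-3 and ev-4); ev-2 shows why the ccmcache exclusion matters, since SCCM legitimately drives the same module load from a PowerShell parent.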