#100DaysofYARA 2024 – Day 75 – Rebooting to Safe Mode

Rebooting to Safe Mode is a common TTP for disabling anti-virus and EDR products, especially where stealth is not required, such as during ransomware deployment. This rule detects the bcdedit command used to set the safeboot boot parameter and so force the next reboot into Safe Mode.

rule TTP_bcdedit_safeboot_cmd {
	meta:
		description = "Matches bcdedit command used to configure reboot to safemode - can be used to bypass security tools."
		last_modified = "2024-03-15"
		author = "@petermstewart"
		DaysofYara = "75/100"

	strings:
		$a = "bcdedit /set {default} safeboot" ascii wide nocase
		$b = "bcdedit.exe /set {default} safeboot" ascii wide nocase

	condition:
		uint16(0) == 0x5a4d and // "MZ" header: only evaluate PE files
		any of them
}

Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.

#100DaysofYARA 2024 – Day 74 – Clearing Windows Event Logs

Clearing Event Logs is another common anti-forensics TTP; this rule attempts to detect Event Log clearing via the wevtutil executable or the Clear-EventLog PowerShell cmdlet.

rule TTP_clear_event_logs {
	meta:
		description = "Matches references to 'wevtutil' or 'Clear-Eventlog' - used to clear Windows Event Logs."
		last_modified = "2024-03-14"
		author = "@petermstewart"
		DaysofYara = "74/100"

	strings:
		$a = "wevtutil cl" ascii wide nocase
		$b = "wevtutil.exe cl" ascii wide nocase
		$c = "wevtutil clear log" ascii wide nocase
		$d = "wevtutil.exe clear log" ascii wide nocase
		$e = "Clear-EventLog" ascii wide nocase //PowerShell

	condition:
		uint16(0) == 0x5a4d and // "MZ" header: only evaluate PE files
		any of them
}


#100DaysofYARA 2024 – Day 73 – Deleting Volume Shadow Copies

Today’s rule detects attempts to inhibit system recovery by deleting Volume Shadow Copies, which is often a precursor to ransomware deployment.

rule TTP_delete_volume_shadow {
	meta:
		description = "Matches references to 'vssadmin delete' commands - used to remove Volume Shadow Copies."
		last_modified = "2024-03-13"
		author = "@petermstewart"
		DaysofYara = "73/100"

	strings:
		$a = "vssadmin delete" ascii wide nocase
		$b = "vssadmin.exe delete" ascii wide nocase

	condition:
		uint16(0) == 0x5a4d and // "MZ" header: only evaluate PE files
		any of them
}
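As an added example (not part of these posts or the author's repository), a small Python emulation of how all three rules above evaluate: the MZ gate first, then `ascii wide nocase` string matching. The function names `is_pe`, `string_matches` and `scan` and the sample buffers are constructed for illustration; the script sample shows the caveat that a .bat or .ps1 file carrying the same command does not trigger these rules because of the `uint16(0) == 0x5a4d` check.

```python
# Plain-text strings lifted from the three rules; every string carries ascii wide nocase.
PATTERNS = {
    "TTP_bcdedit_safeboot_cmd": ["bcdedit /set {default} safeboot",
                                 "bcdedit.exe /set {default} safeboot"],
    "TTP_clear_event_logs": ["wevtutil cl", "wevtutil.exe cl",
                             "wevtutil clear log", "wevtutil.exe clear log",
                             "Clear-EventLog"],
    "TTP_delete_volume_shadow": ["vssadmin delete", "vssadmin.exe delete"],
}


def is_pe(data: bytes) -> bool:
    """Emulates uint16(0) == 0x5a4d: little-endian 0x5a4d is the bytes 'MZ' at offset 0."""
    return len(data) >= 2 and data[:2] == b"MZ"


def string_matches(pattern: str, data: bytes) -> bool:
    """Emulates the YARA modifiers: 'ascii' is the raw bytes, 'wide' is UTF-16LE
    (each character followed by a NUL byte), 'nocase' folds ASCII letters only."""
    lowered = data.lower()                      # bytes.lower() touches ASCII letters only
    ascii_form = pattern.lower().encode("ascii")
    wide_form = pattern.lower().encode("utf-16-le")
    return ascii_form in lowered or wide_form in lowered


def scan(data: bytes) -> list:
    """Return the names of the rules whose condition holds for this buffer."""
    if not is_pe(data):
        return []                               # all three rules are gated on the MZ header
    return [name for name, pats in PATTERNS.items()
            if any(string_matches(p, data) for p in pats)]


# Constructed samples, not real files: a fake PE carrying the bcdedit command as a
# wide (UTF-16LE) string in upper case, a plain batch script, and a PE that only
# enumerates logs ("wevtutil el") rather than clearing them.
SAMPLE_SAFEBOOT = b"MZ" + b"\x90" * 62 + "BCDEDIT /set {default} safeboot".encode("utf-16-le")
SAMPLE_SCRIPT = b"@echo off\r\nvssadmin delete\r\n"
SAMPLE_CLEAN = b"MZ" + b"\x00" * 30 + b"wevtutil el"

if __name__ == "__main__":
    for label, buf in [("safeboot PE", SAMPLE_SAFEBOOT), ("batch script", SAMPLE_SCRIPT),
                       ("clean PE", SAMPLE_CLEAN)]:
        print(f"{label}: {scan(buf)}")
```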
