Detect Exploitation for Defense Evasion in Sumo Logic CSE
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. There have also been examples of vulnerabilities in public cloud infrastructure and SaaS applications that may bypass defense boundaries, evade security logs, or deploy hidden infrastructure.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1211 Exploitation for Defense Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1211/
Sumo Detection Query
// Signal 1: Security software spawning suspicious child process
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| where EventID = "1"
| parse field=ParentImage "*" as parent_image_raw
| parse field=Image "*" as child_image_raw
| eval parent_lower = toLowerCase(parent_image_raw)
| eval child_lower = toLowerCase(child_image_raw)
| where (parent_lower matches "*msmpeng*"
OR parent_lower matches "*mssense*"
OR parent_lower matches "*sensecncproxy*"
OR parent_lower matches "*csagent*"
OR parent_lower matches "*csfalconservice*"
OR parent_lower matches "*sentinelagent*"
OR parent_lower matches "*cylancesvc*"
OR parent_lower matches "*cbdefense*"
OR parent_lower matches "*mbam*"
OR parent_lower matches "*sophosssp*"
OR parent_lower matches "*savservice*"
OR parent_lower matches "*avp.exe*"
OR parent_lower matches "*avgnt*"
OR parent_lower matches "*avastsvc*")
| where (child_lower matches "*\cmd.exe"
OR child_lower matches "*\powershell.exe"
OR child_lower matches "*\pwsh.exe"
OR child_lower matches "*\wscript.exe"
OR child_lower matches "*\cscript.exe"
OR child_lower matches "*\mshta.exe"
OR child_lower matches "*\rundll32.exe"
OR child_lower matches "*\regsvr32.exe"
OR child_lower matches "*\certutil.exe"
OR child_lower matches "*\bitsadmin.exe"
OR child_lower matches "*\msiexec.exe"
OR child_lower matches "*\wmic.exe"
OR child_lower matches "*\sc.exe")
| withtime _messageTime
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| eval detection_signal = "SecuritySoftwareSpawnedSuspiciousChild"
// Signal 2: Non-system process accessing security process with elevated access (Sysmon EID 10)
// Run as second query in union panel:
// (_sourceCategory=*windows*sysmon*) EventID=10
// | eval target_lower = toLowerCase(TargetImage)
// | eval source_lower = toLowerCase(SourceImage)
// | where (target_lower matches "*msmpeng*" OR target_lower matches "*sentinelagent*" OR target_lower matches "*csagent*" OR target_lower matches "*cylancesvc*" OR target_lower matches "*avastsvc*")
// | where NOT (source_lower matches "*svchost*" OR source_lower matches "*lsass*" OR source_lower matches "*csrss*" OR source_lower matches "*werfault*")
// | where GrantedAccess in ("0x1F0FFF","0x1F1FFF","0x1fffff","0x143A","0x1410")
// | eval detection_signal = "SuspiciousAccessToSecurityProcess"
// | fields _messageTime, Computer, SourceImage, SourceCommandLine, TargetImage, GrantedAccess, detection_signal
// Signal 3: Security service stopped or modified (System log)
// (_sourceCategory=*windows*system* OR _sourceCategory=*wineventlog*system*)
// | where EventID in ("7034","7036","7045")
// | eval svc_lower = toLowerCase(ServiceName)
// | where (svc_lower matches "*sense*" OR svc_lower matches "*windefend*" OR svc_lower matches "*falcon*" OR svc_lower matches "*sentinelagent*" OR svc_lower matches "*cylance*" OR svc_lower matches "*cbdefense*" OR svc_lower matches "*avast*")
// | eval detection_signal = "SecurityServiceModifiedOrStopped"
// | fields _messageTime, Computer, ServiceName, EventID, Message, detection_signal
| count by detection_signal, Computer, User
| sort by _count descSumo Logic CSE query detecting T1211 exploitation for defense evasion. Signal 1 (primary) identifies security AV/EDR processes spawning LOLBin or interpreter child processes via Sysmon EID 1. Signals 2 and 3 (included as commented union blocks) detect suspicious OpenProcess access against security tools (EID 10) and unexpected security service state changes (System EIDs 7034/7036/7045). Run all three as a union dashboard for full coverage.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate vendor update packages may cause AV processes to spawn msiexec.exe or cmd.exe transiently
- Security orchestration tools (SOAR) may programmatically access security agent processes to gather telemetry
- Antivirus scheduled scan completion events may cause transient service stop/start cycles matching EID 7036
Other platforms for T1211
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Security Process Spawning Command Shell
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe (or the process running the test). Security Event ID 4688 if command line auditing is enabled. The detection signal 'SecuritySoftwareSpawnedSuspiciousChild' may not fire unless the initiating process name matches the security process list — use this test to validate the detection logic by temporarily adding 'powershell.exe' to the SecurityProcesses list in a test environment.
- Test 2Open Handle to Windows Defender Process (ProcessAccess Simulation)
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe, GrantedAccess=0x0400. Note: Windows Defender is Protected Process Light (PPL) — the OpenProcess call may be denied, but Sysmon still logs the attempt with CallTrace data showing the call stack.
- Test 3Security Service State Query and Stop Simulation (Non-Destructive)
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'sc query WinDefend' and 'sc query Sense'. Security Event ID 4688 (if enabled). Sysmon Event ID 1 for wmic.exe with CommandLine containing 'service where name'. These are the same reconnaissance commands used by threat actors (including APT28 tooling) to identify security software before exploitation.
- Test 4Exploit Artifact Simulation — Security Service Crash via WerFault
Expected signal: Sysmon Event ID 1: Process Create for werfault.exe with command line containing '-p 0'. Application Event Log queries via wevtutil generate additional Sysmon Event ID 1 entries for wevtutil.exe. The WerFault invocation with PID 0 will fail but the process creation telemetry is generated and matches patterns seen when security software is exploited and crashes.
References (9)
- https://attack.mitre.org/techniques/T1211/
- https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/
- https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/
- https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1211/T1211.md
- https://www.bitdefender.com/blog/labs/apt28-targets-ongoing-conflict-ukraine/
- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
Unlock Pro Content
Get the full detection package for T1211 including response playbook, investigation guide, and atomic red team tests.