Bypassing Security Controls
Rule added on 30th April, 2024
Rule type:
Correlation
Rule description:
Adversaries may attempt to bypass security controls through various techniques, such as exploiting vulnerabilities, evading security controls, abusing high-privilege accounts, and more. Once they bypass the security tools in place, they can move laterally within the network and gain unauthorized access to organization resources to perform malicious activities.
Some examples of bypassing security controls are downloading the Mimikatz utility, changing Internet security settings, and changing the computer's date and time settings.
Impact:
It can impact the organizations in the following ways:
- Data breach
- Operational disruption
- Financial loss
- Regulatory fines
Data source:
Windows:
Required configuration: The rule is based on process creation and termination events. Prerequisites: install and configure Sysmon, enable the Audit Process Creation audit policy, and enable command line auditing.
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0004- Privilege Escalation, TA0005- Defense Evasion
Techniques: T1548- Abuse Elevation Control Mechanism
Sub Techniques: T1548.002- Bypass User Account Control
Criteria:
( Command line contains "-exec" AND Command line contains "bypass" )
The appearance of '-exec' and 'bypass' together on a command line suggests an attempt to execute commands or scripts while bypassing the security controls in place.
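The criteria above, applied to constructed Sysmon process-creation records as an added example (not code from the rule library itself): the rule matches case-insensitively on the command line, ignores non-creation events, and tags matches from an assumed allowlisted deployment account so the "known false positives" case can be triaged rather than dropped.

```python
from typing import Iterable

# Constructed sample Sysmon records (Event ID 1 = process creation, 5 = termination),
# reduced to the fields the rule needs. These are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -exec bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.ps1"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": 1, "Computer": "SRV02", "User": "CORP\\svc_deploy",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Exec Bypass -File C:\\Deploy\\install_agent.ps1"},
    {"EventID": 5, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": ""},
]


def matches_rule(event: dict) -> bool:
    """Apply the rule criteria: Command line contains "-exec" AND "bypass".

    Only process-creation events (Event ID 1) carry a meaningful command line.
    Matching is case-insensitive because Windows command line switches are.
    """
    if event.get("EventID") != 1:
        return False
    cmd = (event.get("CommandLine") or "").lower()
    return "-exec" in cmd and "bypass" in cmd


def evaluate(events: Iterable[dict], allowlisted_users=()) -> list:
    """Return one alert per matching event.

    allowlisted_users is an assumed tuning knob (not part of the page): matches
    from those accounts are kept but flagged 'suppressed' for lower-priority review.
    """
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({**ev, "suppressed": ev.get("User") in allowlisted_users})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, allowlisted_users={"CORP\\svc_deploy"}):
        print(alert["Computer"], alert["User"], alert["suppressed"], alert["CommandLine"])
```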
When to enable this rule:
Enabling this rule will help you meet the security standards' requirements listed below:
Security standards (NIST CSF 2.0):
PR.PS-01: Configuration management practices are established and applied
When this rule is triggered, you're notified that security controls may have been bypassed. This enables you to establish and deploy stronger corrective measures and policies that strengthen the organization's cybersecurity posture.
Known false positives: This event may also be generated when administrators legitimately perform administrative tasks such as installing software.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify the alert as a new incident or within an ongoing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to cease the malicious process.
- Network Segmentation: Implement network segmentation to identify and isolate critical systems and sensitive data.