Bypassing Security Controls

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Adversaries may attempt to bypass security controls through multiple various techniques by exploiting vulnerabilities, evading security controls, high privilege accounts, and more. Once they bypass the security tools in place, they can move laterally within the network and gain unauthorized access to organization resources to perform malicious activities.

Some of the examples of bypassing security controls are downloading Mimikatz utility, changing internet security settings, changing computer date and time settings and more.

Impact:

It can impact the organizations in the following ways:

• Data breach
• Operational disruption
• Financial loss
• Regulatory fines

Data source:

Windows:

Required configuration: The rules is based on the process creation and termination. Prerequisites required are installing and configuring Sysmon, enabling audit process creation audit policy, and the command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004- Privilege Escalation, TA0005- Defense Evasion

Techniques: T1548- Abuse Elevation Control Mechanism

Sub Techniques: T1548.002- Bypass User Account Control

Criteria:

( Command line contains "-exec" AND Command line contains "bypass" )

The use of 'exec' and 'bypass' commands together suggests a potential attempt to execute commands or scripts with the intention of bypassing the security controls.

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

PR.PS-01: Configuration management practices are established and applied

When this rule is triggered, you're notified when the security controls are bypassed.This enables you to establish and deploy stronger corrective measures and policies that strengthen the organization's cybersecurity posture.

Known false positives: This event may generate when administrators might legitimately try to execute administrative tasks such as installing softwares.

Next steps:

When this alert is triggered, the following measures can be implemented:

• Identification: Identify the alert as a new incident or within an ongoing incident.
• Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
• Response: Respond promptly by initiating an automated workflow to cease the malicious process.
• Network Segmentation: Implement network segmentation to identify and isolate critical systems and sensitive data.