Sherlock - Smoke and Mirrors

Byte Doctor Reyes is investigating a stealthy post-breach attack where several expected security logs and Windows Defender alerts appear to be missing. He suspects the attacker employed defense evasion techniques to disable or manipulate security controls, significantly complicating detection efforts. Using the exported event logs, your objective is to uncover how the attacker compromised the system’s defenses to remain undetected.

We can check the Sysmon Event ID 1 (CreateProcess) for reg.exe commands related to LSA:

Here we can see the Windows Defender registry alteration leveraging Sysmon Event ID 13:

So we can look for Set-MpPreference cmdlet in PowerShell logs.

There’s multiple results but the one that matches the pattern is `Set-MpPreference -DisableIOAVProtection $true -DisableEmailScanning $true -DisableBlockAtFirstSeen $true

Inside the PowerShell-Operational log, by filtering on Event ID 4104, we can find the full script that patches the amsi.dll.

We can see that the AmsiScanBuffer is being patch ('a' variable).

Because I really love Sysmon, let’s see for a command that contains safeboot (the denomination for Safe Mode). This can be seen by leveraging the Sysmon Event ID 1 (ProcessCreate)

Inside the PowerShell-Operational log, we can filter on Event ID 4104 and see that the attacker ran this command: