I stumbled over an article this morning that one of my IT security peers had posted over at LinkedIn. It touches on a broader theme that shows up in most attacks being carried out right now, targeted or untargeted.
Attackers know that their victims run antivirus, and, guess what, they work on circumventing those tools and staying undetected.
This article shows how easy it is to bypass antivirus products with just a couple of very simple tweaks, sometimes nothing more than changing a PowerShell function name. No fiddling with binaries, no serious patching, no encryption of code: plain text substitution alone evades many virus scanners, including Windows Defender.
If you accept this and think through the consequences, it becomes clear that limiting lateral movement after an infection is one of the things you need to implement. It slows attackers down, it gives your detection process a chance to catch them when they stumble over your tripwires, and it limits their range of motion to the smallest (and economically feasible) footprint.
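One such tripwire, as an added example that is not part of the original post: if signatures on function names are trivially evaded, detection has to lean on behaviour instead, and an account fanning out across many hosts in a short window is exactly the post-infection behaviour the paragraph above wants to catch. The script below works over constructed Windows Security log records (Event ID 4624, logon type 3 is a network logon); the tuple layout, host names, account names and the thresholds are assumptions chosen for the example, not values from the post.

```python
# Added example (not from the original post): a lateral-movement tripwire
# over constructed Windows Security log records. Event ID 4624 with
# LogonType 3 is a network logon. One account reaching many distinct hosts
# inside a short window is a classic post-infection pattern worth alerting on.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, target host, account, event id, logon type).
# Field layout is an assumption for this example; a real collector would map
# TargetUserName / Computer / LogonType from the event XML.
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:05", "WS-0101", "alice", 4624, 2),        # interactive console logon
    ("2024-01-15T09:03:10", "FS-01",   "alice", 4624, 3),        # one file-share logon, normal
    ("2024-01-15T09:04:12", "WS-0102", "svc_backup", 4624, 3),   # account sweeping workstations
    ("2024-01-15T09:04:40", "WS-0103", "svc_backup", 4624, 3),
    ("2024-01-15T09:05:01", "WS-0104", "svc_backup", 4624, 3),
    ("2024-01-15T09:05:30", "WS-0105", "svc_backup", 4624, 3),
    ("2024-01-15T09:06:02", "WS-0106", "svc_backup", 4624, 3),
    ("2024-01-15T13:00:00", "WS-0201", "bob", 4624, 3),          # two hosts hours apart, normal
    ("2024-01-15T16:00:00", "WS-0202", "bob", 4624, 3),
]


def detect_fan_out(events, max_hosts=4, window=timedelta(minutes=10)):
    """Return {account: hosts} for accounts whose network logons reach more
    than `max_hosts` distinct hosts within any `window`-long period."""
    # Keep only network logons, grouped per account.
    per_account = defaultdict(list)
    for ts, host, account, event_id, logon_type in events:
        if event_id == 4624 and logon_type == 3:
            per_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, logons in per_account.items():
        logons.sort()
        # Sliding window: treat each logon as a window start and collect the
        # distinct hosts seen before the window closes.
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = hosts
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT: {account} reached {len(hosts)} hosts: {sorted(hosts)}")
```

The thresholds are deliberately simple; in practice you would tune `max_hosts` and `window` per account class (service accounts that legitimately touch many hosts need a higher bar, or an allow-list) and pair the alert with the firewall or segmentation rules that actually stop the movement.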
So let’s do this. Just add three more match and replace rules and “Winner, winner, chicken dinner!” The complete list of match and replace commands is listed below.