Anti-Forensics & Evidence Tampering
Detects techniques used to cover tracks, tamper with evidence, and evade detection
14 rules in anti_forensics.yml
CRITICAL: 7 | HIGH: 6 | MEDIUM: 1
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| apparmor_ | CRITICAL | AppArmor Profile Disabled | Disables AppArmor profiles, removing mandatory access control protections | |
| audit_ | CRITICAL | Audit Daemon Disabled | Stops or disables the audit daemon (auditd), preventing security event logging | |
| rsyslog_ | CRITICAL | Playbook Writes Log-Silencing Rules To /etc/rsyslog.d/ Or /etc/audit/rules.d/ (Keeps Service Running, Drops Events) | An `ansible.builtin.copy`, `template`, `lineinfile`, or `blockinfile` task writes a file under `/etc/rsyslog.d/*.conf`, `/etc/rsyslog.conf`, `/etc/audit/rules.d/*.rules`, or `/etc/audit/auditd.conf` whose content silently drops or discards events while the logging service itself keeps running. Specific fingerprints: (1) rsyslog discard / `~` action rules (`:msg, contains, "sshd" ~`, `:programname, isequal, "sudo" stop`, `*.* ~`, `& stop`, `& ~`); (2) auditd `-a never,exit -F arch=...` / `-a never,user` catch-all exclusion rules; (3) `auditctl -a never,exit ...` lines rendered into rule files; (4) redirecting all rsyslog output to `/dev/null` via an `omfile` template. Unlike the `rsyslog_or_journald_stopped_masked` rule (which catches service stop/mask), this catches the quieter post-intrusion persistence technique in which a playbook leaves a legitimate-looking conf file that continues to drop specific events across every reboot. This is MITRE T1562.006 (Impair Defenses: Indicator Blocking) and the exact primitive used by the 2024 Linux ransomware 'Sedexp' to hide auditd events for `ls`, `find`, and `sudo` while keeping `systemctl status auditd` green. | |
| selinux_ | CRITICAL | SELinux Disabled or Set Permissive | Disables or weakens SELinux enforcement, removing a critical security boundary | |
| timestomping | CRITICAL | File Timestamp Manipulation (Timestomping) | Modifies file timestamps to hide when a file was created or changed, evading forensic timeline analysis | |
| utmp_ | CRITICAL | Login Record Tampering | Directly modifies utmp/wtmp/btmp files to hide login sessions from forensic analysis | |
| windows_ | CRITICAL | Windows Volume Shadow Copy deletion (vssadmin/wmic/wbadmin/PowerShell) - ransomware precursor | A task deletes Windows Volume Shadow Copies using `vssadmin delete shadows /all /quiet`, `wmic shadowcopy delete`, `wbadmin delete catalog -quiet`, `wbadmin delete systemstatebackup`, `bcdedit /set {default} recoveryenabled No`, or PowerShell `Get-WmiObject Win32_ShadowCopy \| Remove-WmiObject`. This is the single most consistent TTP across LockBit, Black Basta, Akira, Royal, Play, BianLian, and nearly every other 2023-2025 big-game ransomware family: T1490 (Inhibit System Recovery). Detecting this in Ansible indicates either an offensive payload being deployed via Ansible or a legitimate script that ransomware would mimic (either is a critical finding). | |
| azure_ | HIGH | Azure Key Vault Without Soft-Delete or Purge Protection | An `azure.azcollection.azure_rm_keyvault` task sets `enable_soft_delete: false`, `enable_purge_protection: false`, `soft_delete_retention_in_days` below 7, or omits both flags entirely on a new vault. Without soft-delete, a compromised identity or an accidental `az keyvault delete` permanently destroys secrets, certificates, and keys, including KMS keys that encrypt storage accounts, SQL TDE keys, and disk encryption sets, causing catastrophic and unrecoverable data loss. Ransomware and insider-threat playbooks explicitly target Key Vault for this reason. Azure made both flags required by policy for new vaults in Feb 2025, but legacy playbooks still recreate vaults without them. | |
| journal_ | HIGH | Systemd Journal Log Manipulation | Flushes, rotates, or vacuums systemd journal logs to destroy forensic evidence | |
| seccomp_ | HIGH | Seccomp Profile Disabled | Disables seccomp security profiles in containers, removing syscall filtering | |
| syslog_ | HIGH | Syslog Redirection | Redirects syslog output to /dev/null or to a remote attacker-controlled server | |
| windows_ | HIGH | Microsoft Defender Attack-Surface Reduction (ASR) rule set to Disabled or AuditOnly | A task configures a Microsoft Defender ASR rule (via `Set-MpPreference -AttackSurfaceReductionRules_Actions`, `Add-MpPreference`, `ansible.windows.win_regedit` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules`, or the Intune ASR CSP) with Action=0 (Disabled) or Action=2 (AuditOnly) for one of the Microsoft-recommended 'standard protection' rules. Specifically dangerous when disabled: d4f940ab-401b-4efc-aadc-ad5f3c50688a (block Office child processes), 3b576869-a4ec-4529-8536-b80a7769e899 (block Office executable content from email), c1db55a8-c604-4b9b-aa9c-9b79fad0e9f8 (ransomware protection), 5beb7efe-fd9a-4556-801d-275e5ffc04cc (block execution of obfuscated scripts), d1e49aac-8f56-4280-b9ba-993a6d77406c (block LSASS credential stealing), 56a863a9-875e-4185-98a7-b882c64b5ce5 (block abused vulnerable signed drivers). | |
| windows_ | HIGH | Windows Defender / MDE exclusion path is overbroad or user-writable (defender evasion) | A task adds a Microsoft Defender / Defender for Endpoint exclusion (via `ansible.windows.win_regedit` on `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths`, `Add-MpPreference -ExclusionPath`, or the Intune CSP `Defender/ExcludedPaths`) pointing at a user-writable or overbroad path such as `C:\`, `C:\Users`, `C:\Users\Public`, `C:\Temp`, `C:\Windows\Temp`, `C:\ProgramData`, `*.exe`, or `*`. This is MITRE T1562.001 (Disable or Modify Tools: Defender Exclusion), a staple ransomware / coinminer prestaging technique observed in Qakbot, IcedID, LockBit, and Akira initial-access operations. A path exclusion in a user-writable location is effectively an antivirus bypass for any file the attacker drops there. | |
| coredump_ | MEDIUM | Core Dump Enabled for Credential Extraction | Enables core dumps, which can be used to extract secrets from process memory | |