The hypothesis is that adversaries are enumerating system processes, drivers, and registry keys in order to disable security controls, including the Microsoft Defender for Endpoint sensor, and so evade detection. A sensor that has been disabled successfully stops reporting, so the tampering cannot be observed on the victim itself; SOC teams should instead hunt in Azure Sentinel for devices that have gone silent while other sensors still see them on the network, and triage those devices before the intrusion progresses to lateral movement or data exfiltration.
```yaml
id: ba850be4-2f02-40fb-834d-d0a9ac0672d3
name: Discovering potentially tampered devices [Nobelium]
description: |
  To evade security software and analyst tools, Nobelium malware enumerates the target system looking for certain running processes, loaded drivers, and registry keys, with the goal of disabling them.
  The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable.
  Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors, including hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts such as "Attempt to stop Microsoft Defender for Endpoint sensor", "Tampering with Microsoft Defender for Endpoint sensor settings", or "Possible sensor tampering in memory".
  Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities.
  However, the multitude of signals reported into Microsoft Defender XDR provides a unique opportunity to hunt for systems where the tampering technique used might have been successful.
  The following advanced hunting query can be used to locate devices that should be reporting but aren't:
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
      - DeviceProcessEvents
tactics:
  - DefenseEvasion
tags:
  - Nobelium
query: |
  // Times to be modified as appropriate
  let timeAgo=1d;
  let silenceTime=8h;
  // Get all silent devices and IPs from network events
  let allNetwork=materialize(DeviceNetworkEvents
  | where Timestamp > ago(timeAgo)
  and isnotempty(LocalIP)
  and isnotempty(RemoteIP)
  and ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
  and LocalIP !in ("127.0.0.1", "::1")
  | project DeviceId, Timestamp, LocalIP, RemoteIP, ReportId);
  // A device is not silent if it produced any network or process telemetry within silenceTime
  let nonSilentDevices=allNetwork
  | where Timestamp > ago(silenceTime)
  | union (DeviceProcessEvents | where Timestamp > ago(silenceTime))
  | summarize by DeviceId;
  // Addresses currently used by a reporting device (guards against DHCP re-lease to an enrolled host)
  let nonSilentIPs=allNetwork
  | where Timestamp > ago(silenceTime)
  | summarize by LocalIP;
  let silentDevices=allNetwork
  | where DeviceId !in (nonSilentDevices)
  and LocalIP !in (nonSilentIPs)
  | project DeviceId, LocalIP, Timestamp, ReportId;
  // Get all remote IPs that were recently active
  let addressesDuringSilence=allNetwork
  | where Timestamp > ago(silenceTime)
  | summarize by RemoteIP;
  // Potentially disconnected devices were connected but are silent
  silentDevices
  | where LocalIP in (addressesDuringSilence)
  // The aliased arg_max() emits the carried columns as ReportId1 / LocalIP1; project renames them back
  | summarize ReportId=arg_max(Timestamp, ReportId), Timestamp=max(Timestamp), LocalIP=arg_max(Timestamp, LocalIP) by DeviceId
  | project DeviceId, ReportId=ReportId1, Timestamp, LocalIP=LocalIP1
```
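To make the selection logic of the query concrete, here is an added Python model of it, written for this page; it is not Microsoft's code and does not talk to Sentinel. It replays the same steps (allNetwork, nonSilentDevices, nonSilentIPs, addressesDuringSilence, and the final arg_max per device) over a constructed set of DeviceNetworkEvents and DeviceProcessEvents rows, and goes one step beyond the query text by including the two cases an analyst meets in triage: a device kept out of the silent set only by its process telemetry, and a silent device whose DHCP address was re-leased, which the query cannot distinguish from tampering. Device names, addresses, report IDs and timestamps are invented.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical "now" so the sample timestamps are deterministic.
NOW = datetime(2021, 3, 10, 12, 0, tzinfo=timezone.utc)
TIME_AGO = timedelta(days=1)       # let timeAgo=1d
SILENCE_TIME = timedelta(hours=8)  # let silenceTime=8h
LOOPBACK = ("127.0.0.1", "::1")
COUNTED_ACTIONS = ("ConnectionSuccess", "InboundConnectionAccepted")


def hours_ago(h):
    return NOW - timedelta(hours=h)


# Constructed DeviceNetworkEvents rows: (DeviceId, Timestamp, LocalIP, RemoteIP, ActionType, ReportId)
NETWORK_EVENTS = [
    # ws01: last good telemetry 10h ago, but ws02 accepted a connection from 10.0.0.11 2h ago -> flagged
    ("ws01", hours_ago(20), "10.0.0.11", "10.0.0.12", "ConnectionSuccess", 101),
    ("ws01", hours_ago(10), "10.0.0.11", "10.0.0.5", "ConnectionSuccess", 102),
    ("ws01", hours_ago(5), "10.0.0.11", "10.0.0.12", "ConnectionFailed", 103),  # not a counted ActionType
    ("ws02", hours_ago(2), "10.0.0.12", "10.0.0.11", "InboundConnectionAccepted", 201),
    # ws03: silent, but no peer has seen 10.0.0.13 during the silence window -> probably just powered off
    ("ws03", hours_ago(12), "10.0.0.13", "10.0.0.20", "ConnectionSuccess", 301),
    # ws04: no network events for 9h, but DeviceProcessEvents (below) still arrive -> not silent
    ("ws04", hours_ago(9), "10.0.0.14", "10.0.0.12", "ConnectionSuccess", 401),
    ("srv01", hours_ago(1), "10.0.0.1", "10.0.0.14", "ConnectionSuccess", 501),
    # ws05: loopback only, removed by the LocalIP filter
    ("ws05", hours_ago(3), "127.0.0.1", "127.0.0.1", "ConnectionSuccess", 601),
    # ws06: older than timeAgo, never enters allNetwork
    ("ws06", hours_ago(30), "10.0.0.16", "10.0.0.12", "ConnectionSuccess", 701),
    # ws07: silent; its old DHCP address 10.0.0.17 went to an unenrolled host that srv01 then talked to.
    # The query cannot tell this from tampering -> flagged, must be triaged by hand.
    ("ws07", hours_ago(15), "10.0.0.17", "10.0.0.12", "ConnectionSuccess", 801),
    ("srv01", hours_ago(1), "10.0.0.1", "10.0.0.17", "ConnectionSuccess", 502),
    # ws08: silent, but 10.0.0.18 was re-leased to the enrolled, reporting ws09 -> nonSilentIPs drops it
    ("ws08", hours_ago(15), "10.0.0.18", "10.0.0.12", "ConnectionSuccess", 901),
    ("ws09", hours_ago(1), "10.0.0.18", "10.0.0.12", "ConnectionSuccess", 1001),
    ("srv01", hours_ago(1), "10.0.0.1", "10.0.0.18", "ConnectionSuccess", 503),
]

# Constructed DeviceProcessEvents rows: (DeviceId, Timestamp). Only presence within silenceTime matters.
PROCESS_EVENTS = [("ws04", hours_ago(1))]


def find_silent_devices(network_events, process_events, now=NOW,
                        time_ago=TIME_AGO, silence_time=SILENCE_TIME):
    """Return one row per device whose own telemetry stopped more than silence_time ago
    while other sensors still reported its address as a RemoteIP."""
    window_start = now - time_ago
    silence_start = now - silence_time

    # allNetwork: counted actions within timeAgo, non-empty addresses, loopback removed
    all_network = [
        e for e in network_events
        if e[1] > window_start and e[2] and e[3]
        and e[4] in COUNTED_ACTIONS and e[2] not in LOOPBACK
    ]
    recent = [e for e in all_network if e[1] > silence_start]

    # nonSilentDevices: any network or process telemetry inside silenceTime
    non_silent_devices = {e[0] for e in recent}
    non_silent_devices |= {dev for dev, ts in process_events if ts > silence_start}
    # nonSilentIPs: addresses currently used by a reporting device
    non_silent_ips = {e[2] for e in recent}
    # addressesDuringSilence: remote addresses that reporting devices talked to
    addresses_during_silence = {e[3] for e in recent}

    latest = {}  # summarize arg_max(Timestamp, ...) by DeviceId
    for device, ts, local_ip, _remote_ip, _action, report_id in all_network:
        if device in non_silent_devices or local_ip in non_silent_ips:
            continue  # still reporting, or its address moved to a reporting device
        if local_ip not in addresses_during_silence:
            continue  # nobody saw it on the wire either: likely off or disconnected
        if device not in latest or ts > latest[device]["Timestamp"]:
            latest[device] = {"DeviceId": device, "ReportId": report_id,
                              "Timestamp": ts, "LocalIP": local_ip}
    return sorted(latest.values(), key=lambda r: r["DeviceId"])


if __name__ == "__main__":
    for row in find_silent_devices(NETWORK_EVENTS, PROCESS_EVENTS):
        print(row["DeviceId"], row["LocalIP"], row["Timestamp"].isoformat(), row["ReportId"])
```

Running the script lists ws01 and ws07 only. ws03 is dropped because no peer saw its address during the silence window (the "disconnected" case the query comment mentions), ws04 is rescued by its process telemetry, and ws08 by the nonSilentIPs guard. Removing PROCESS_EVENTS puts ws04 back in the result, which is the reason the query unions DeviceProcessEvents into nonSilentDevices: a tampered sensor that still emits one telemetry type is not silent by this definition. Tune time_ago and silence_time the same way as the timeAgo and silenceTime literals in the KQL.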
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
The scenarios below describe benign activity that resembles the enumeration Nobelium performs, and the exclusions they suggest are keyed on process names and command lines. The query above has no ProcessName or CommandLine column: it flags a device for the absence of its own telemetry, not for enumeration activity, so these exclusions cannot be applied to it directly. For this query the triage question is why the device stopped reporting; a device that was shut down, slept, or left the VPN during the silence window, or whose DHCP address was handed to another host, produces the same result as one whose sensor was disabled.
Scenario: System Maintenance Task Running Antivirus Scan
Description: A legitimate system maintenance task, such as Windows Defender or Microsoft Security Essentials, is running a scheduled scan, which may trigger process enumeration similar to what Nobelium does.
Filter/Exclusion: Exclude processes related to Windows Defender (e.g., MsMpEng.exe, WdMigSetup.exe), or filter on ProcessName containing Defender or Microsoft Security Essentials.
Scenario: Scheduled Job for Driver Updates
Description: A scheduled job using DISM or pnputil to update or install drivers may enumerate loaded drivers and registry keys, mimicking Nobelium's behavior.
Filter/Exclusion: Exclude processes related to DISM (e.g., dism.exe) or pnputil.exe, or filter on CommandLine containing dism or pnputil.
Scenario: Admin Task to Disable Security Software Temporarily
Description: An administrator may use taskkill or net stop to temporarily disable security software (e.g., Windows Defender, McAfee, Kaspersky) for maintenance, which could trigger the rule. Note that a stopped sensor is exactly what the hunting query above looks for, so such maintenance windows should be recorded and correlated with its results rather than excluded silently.
Filter/Exclusion: Exclude processes with taskkill.exe or net.exe, or filter on CommandLine containing taskkill or net stop.
Scenario: Registry Key Backup or Cleanup Job
Description: A scheduled task using reg.exe or regedit.exe to back up or clean up registry keys may trigger the rule due to registry enumeration.
Filter/Exclusion: Exclude processes related to reg.exe or regedit.exe, or filter on CommandLine containing reg or regedit.
Scenario: PowerShell Script for System Configuration