Register to stream ATT&CKcon 2.0 October 29-30

Disabling Security Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

ID: T1089
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
Data Sources: API monitoring, File monitoring, Services, Windows Registry, Process command-line parameters, Anti-virus
Defense Bypassed: File monitoring, Host intrusion prevention systems, Signature-based detection, Log analysis, Anti-virus
CAPEC ID: CAPEC-578
Version: 1.0

Mitigations

Mitigation Description
Restrict File and Directory Permissions Ensure proper process, Registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.
User Account Management Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Examples

Name Description
Agent Tesla Agent Tesla has the capability to kill any running analysis processes and AV software. [19]
BACKSPACE The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed. [3]
BADCALL BADCALL disables the Windows firewall before binding to a port. [11]
Brave Prince Brave Prince terminates antimalware processes. [16]
Carbanak Carbanak may use netsh to add local firewall rule exceptions. [40]
ChChes ChChes can alter the victim's proxy configuration. [4]
DarkComet DarkComet can disable Security Center functions like anti-virus and the Windows Firewall. [22] [23]
Dragonfly 2.0 Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389. [30] [31]
Ebury Ebury has disabled logging when the backdoor is used. [27]
Gold Dragon Gold Dragon terminates anti-malware processes if they’re found running on the system. [16]
Gorgon Group Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command. [32]
H1N1 H1N1 kills and disables services for Windows Firewall, Windows Security Center, and Windows Defender. [5]
HARDRAIN HARDRAIN opens the Windows Firewall to modify incoming connections. [9]
HDoor HDoor kills anti-virus found on the victim. [6]
HOPLIGHT HOPLIGHT has modified the firewall using netsh. [26]
InvisiMole InvisiMole has a command to disable routing and the Firewall on the victim’s machine. [20]
JPIN JPIN lower disable security settings by changing Registry keys. [10]
Kasidet Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded. [7]
Lazarus Group Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services. [34] [35] [36] [37]
LockerGoga LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus. [29]
NanHaiShu NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity. [8]
NanoCore NanoCore can modify the victim's firewall and anti-virus. [14] [15]
netsh netsh can be used to disable local firewall settings. [1] [2]
Night Dragon Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[ [38]
njRAT njRAT has modified the Windows firewall to allow itself to communicate through the firewall. [28]
POWERSTATS POWERSTATS can disable Microsoft Office Protected View by changing Registry keys. [25]
Proton Proton kills security tools like Wireshark that are running. [17]
Putter Panda Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe). [33]
Remsec Remsec can add or remove applications or ports on the Windows firewall or disable it entirely. [21]
RunningRAT RunningRAT kills antimalware running process. [16]
SslMM SslMM identifies and kills anti-malware processes. [6]
Threat Group-3390 Threat Group-3390 has used appcmd.exe to disable logging on a victim server. [39]
TinyZBot TinyZBot can disable Avira anti-virus. [13]
TrickBot TrickBot can disable Windows Defender. [18]
Turla Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products. [41]
TYPEFRAME TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections. [12]
Unknown Logger Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes. [24]

Detection

Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log or event file reporting may be suspicious.

References

  1. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  2. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  3. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  4. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  5. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  6. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  7. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  8. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  9. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  10. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  11. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  12. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  13. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  14. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  15. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  16. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  17. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  18. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  19. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  20. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  21. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  1. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  2. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  3. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  4. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  5. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  6. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  7. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  8. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  9. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  10. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  11. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  12. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  13. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  14. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  15. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  16. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  17. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  18. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  19. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  20. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.