Impair Defenses: Disable or Modify Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.

ID: T1562.001
Sub-technique of: T1562
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, User
Data Sources: File monitoring, Process command-line parameters, Services, Windows Registry
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Log analysis, Signature-based detection
CAPEC ID: CAPEC-578
Version: 1.0
Created: 21 February 2020
Last Modified: 29 March 2020

Procedure Examples

Name Description
Agent Tesla

Agent Tesla has the capability to kill any running analysis processes and AV software.[13]

Brave Prince

Brave Prince terminates antimalware processes.[10]

BRONZE BUTLER

BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[41]

Bundlore

Bundlore can change macOS security settings and browser preferences to enable follow-on behaviors.[29]

ChChes

ChChes can alter the victim's proxy configuration.[2]

DarkComet

DarkComet can disable Security Center functions like anti-virus.[14][15]

Gamaredon Group

Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[42]

Gold Dragon

Gold Dragon terminates anti-malware processes if they’re found running on the system.[10]

Goopy

Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.[27]

Gorgon Group

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[30]

H1N1

H1N1 kills and disables services for Windows Security Center and Windows Defender.[3]

HDoor

HDoor kills anti-virus found on the victim.[4]

Imminent Monitor

Imminent Monitor has a feature to disable Windows Task Manager.[1]

JPIN

JPIN can lower or disable security settings by changing Registry keys.[6]

Kimsuky

Kimsuky has been observed turning off Windows Security Center.[38]

Lazarus Group

netsh. Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[32][33][34][35]

LockerGoga

LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[18]

MAZE

MAZE has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[23]

NanHaiShu

NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.[5]

NanoCore

NanoCore can modify the victim's anti-virus.[8][9]

Netwalker

Netwalker can detect and terminate active security software-related processes on infected systems.[24][25]

Night Dragon

Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[36]

OSX/Shlayer

OSX/Shlayer can disable Gatekeeper using the native spctl application.[20]

POWERSTATS

POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[17]

Proton

Proton kills security tools like Wireshark that are running.[11]

Putter Panda

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[31]

Ragnar Locker

Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.[28]

RobbinHood

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[19]

Rocke

Rocke used scripts which detected and uninstalled antivirus software.[39][40]

RunningRAT

RunningRAT kills running antimalware processes.[10]

Ryuk

Ryuk has stopped services related to anti-virus.[22]

Skidmap

Skidmap has the ability to set SELinux to permissive mode.[26]

SslMM

SslMM identifies and kills anti-malware processes.[4]

TinyZBot

TinyZBot can disable Avira anti-virus.[7]

TrickBot

TrickBot can disable Windows Defender.[12]

Turla

Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[37]

Unknown Logger

Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.[16]

ZxShell

ZxShell can kill AV products' processes.[21]

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.

Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.

User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Detection

Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
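One way to apply this guidance to process-creation telemetry, as an added example that is not part of the ATT&CK page: it flags command lines that stop a watched security tool, disable Gatekeeper via spctl, or set SELinux to permissive, and it reports hosts that have gone quiet. The watchlist entries beyond the two Sophos names, the rule names, the event fields and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Security-tool names to watch. The two Sophos names appear on this page;
# MsMpEng.exe / WinDefend (Windows Defender) are added here as assumptions.
WATCHED = ("savadminservice.exe", "savservice.exe", "msmpeng.exe", "windefend")

STOP_VERBS = re.compile(
    r"\b(taskkill|net1?\s+stop|sc(\.exe)?\s+(stop|config|delete)|pkill|killall)\b", re.I)
RULES = {
    "gatekeeper_disabled": re.compile(r"\bspctl\b.*disable", re.I),
    "selinux_permissive": re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I),
}

def classify(cmdline):
    """Return the names of the tampering rules a command line matches."""
    hits = []
    lowered = cmdline.lower()
    # A stop/kill verb alone is noisy; require a watched security tool as target.
    if STOP_VERBS.search(cmdline) and any(name in lowered for name in WATCHED):
        hits.append("security_tool_stopped")
    hits += [name for name, rx in RULES.items() if rx.search(cmdline)]
    return hits

def alerts(events):
    """(host, rule) pairs for every event that matches a rule."""
    return [(ev["host"], rule) for ev in events for rule in classify(ev["cmd"])]

def silent_hosts(events, expected_hosts, now, max_gap=timedelta(minutes=30)):
    """Hosts that should be reporting but have logged nothing within max_gap."""
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(ev["ts"], last_seen.get(ev["host"], ev["ts"]))
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_gap)

# Constructed sample process-creation events (not real telemetry).
T0 = datetime(2020, 6, 1, 12, 0)
EVENTS = [
    {"ts": T0, "host": "ws01", "cmd": "taskkill /F /IM SavService.exe"},
    {"ts": T0 + timedelta(minutes=1), "host": "ws01", "cmd": "taskkill /F /IM notepad.exe"},
    {"ts": T0 + timedelta(minutes=2), "host": "mac07", "cmd": "spctl --master-disable"},
    {"ts": T0 + timedelta(minutes=3), "host": "lnx03", "cmd": "setenforce 0"},
    {"ts": T0 + timedelta(minutes=50), "host": "mac07", "cmd": "spctl --status"},
]

if __name__ == "__main__":
    for host, rule in alerts(EVENTS):
        print(host, rule)
    expected = {"ws01", "mac07", "lnx03", "srv09"}
    print("silent:", silent_hosts(EVENTS, expected, T0 + timedelta(minutes=60)))
```

Correlating the two outputs is the useful part: a host that raises a tampering alert and then appears in the silent list deserves attention before one that merely went quiet.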

References

  1. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  2. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  3. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  4. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  5. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  6. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  7. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  8. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  9. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  10. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  11. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  12. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  13. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  14. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  15. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  16. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  17. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  18. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  19. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  20. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  21. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  22. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  23. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  24. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  25. Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  26. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  27. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  28. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  29. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  30. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  31. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  32. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  33. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  34. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  35. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  36. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  37. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  38. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  39. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  40. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  41. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  42. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.