Impair Defenses: Disable or Modify Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.

ID: T1562.001
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Containers, IaaS, Linux, Windows, macOS
Permissions Required: Administrator, User
Data Sources: Command: Command Execution, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Log analysis, Signature-based detection
CAPEC ID: CAPEC-578
Contributors: Gal Singer, @galsinger29, Team Nautilus Aqua Security; Nathaniel Quist, Palo Alto Networks; Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security
Version: 1.1
Created: 21 February 2020
Last Modified: 19 April 2021

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the capability to kill any running analysis processes and AV software.[1]

G0016 APT29

APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[2]

S0534 Bazar

Bazar has manually loaded ntdll from disk in order to identity and remove API hooks set by security products.[3]

S0252 Brave Prince

Brave Prince terminates antimalware processes.[4]

G0060 BRONZE BUTLER

BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[5]

S0482 Bundlore

Bundlore can change macOS security settings and browser preferences to enable follow-on behaviors.[6]

S0484 Carberp

Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[7]

S0144 ChChes

ChChes can alter the victim's proxy configuration.[8]

S0154 Cobalt Strike

Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.[9]

S0334 DarkComet

DarkComet can disable Security Center functions like anti-virus.[10][11]

S0377 Ebury

Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[12]

S0554 Egregor

Egregor has disabled Windows Defender to evade protections.[13]

G0037 FIN6

FIN6 has deployed a utility script named kill.bat to disable anti-virus.[14]

G0047 Gamaredon Group

Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[15]

S0249 Gold Dragon

Gold Dragon terminates anti-malware processes if they’re found running on the system.[4]

S0477 Goopy

Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.[16]

G0078 Gorgon Group

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[17]

S0531 Grandoreiro

Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.[18]

S0132 H1N1

H1N1 kills and disables services for Windows Security Center, and Windows Defender.[19]

S0061 HDoor

HDoor kills anti-virus found on the victim.[20]

S0601 Hildegard

Hildegard has modified DNS resolvers to evade DNS monitoring tools.[21]

S0434 Imminent Monitor

Imminent Monitor has a feature to disable Windows Task Manager.[22]

S0201 JPIN

JPIN can lower security settings by changing Registry keys.[23]

G0094 Kimsuky

Kimsuky has been observed turning off Windows Security Center.[24]

G0032 Lazarus Group

Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[25][26][27][28]. During a 2019 intrusion, Lazarus Group disabled Windows Defender and Credential Guard as some of their first actions on host.[29]

S0372 LockerGoga

LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[30]

S0449 Maze

Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[31] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[32]

S0576 MegaCortex

MegaCortex was used to kill endpoint security processes.[33]

S0455 Metamorfo

Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[34][35]

G0069 MuddyWater

MuddyWater can disable the system's local proxy settings.[36]

S0228 NanHaiShu

NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.[37]

S0336 NanoCore

NanoCore can modify the victim's anti-virus.[38][39]

S0457 Netwalker

Netwalker can detect and terminate active security software-related processes on infected systems.[40][41]

G0014 Night Dragon

Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[42]

S0223 POWERSTATS

POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[43]

S0279 Proton

Proton kills security tools like Wireshark that are running.[44]

G0024 Putter Panda

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[45]

S0583 Pysa

Pysa has the capability to stop antivirus services and disable Windows Defender.[46]

S0481 Ragnar Locker

Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.[47]

S0496 REvil

REvil can connect to and disable the Symantec server on the victim's network.[48]

S0400 RobbinHood

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[49]

G0106 Rocke

Rocke used scripts which detected and uninstalled antivirus software.[50][51]

S0253 RunningRAT

RunningRAT kills antimalware running process.[4]

S0446 Ryuk

Ryuk has stopped services related to anti-virus.[52]

S0468 Skidmap

Skidmap has the ability to set SELinux to permissive mode.[53]

S0058 SslMM

SslMM identifies and kills anti-malware processes.[20]

S0491 StrongPity

StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.[54]

S0559 SUNBURST

SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.[55]

S0595 ThiefQuest

ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.[56]

S0004 TinyZBot

TinyZBot can disable Avira anti-virus.[57]

S0266 TrickBot

TrickBot can disable Windows Defender.[58]

G0010 Turla

Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[59]

S0130 Unknown Logger

Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.[60]

G0102 Wizard Spider

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[61][62][63]

S0412 ZxShell

ZxShell can kill AV products' processes.[64]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Detection

Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.

References

  1. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  2. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  3. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  4. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  5. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  6. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  7. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  8. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  9. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  10. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  11. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  12. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  13. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  14. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  15. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  16. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  17. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  18. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  19. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  20. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  21. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  22. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  23. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  24. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  25. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  26. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  27. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  28. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  29. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  30. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  31. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  32. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  1. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  2. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  3. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  4. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  5. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  6. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  7. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  8. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  9. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  10. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  11. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  12. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  13. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  14. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  15. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  16. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  17. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  18. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  19. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  20. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  21. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  22. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  23. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  24. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  25. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  26. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  27. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  28. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  29. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  30. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  31. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  32. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.