1. Home
  2. Techniques
  3. Enterprise
  4. Impair Defenses
  5. Disable or Modify Tools

Impair Defenses: Disable or Modify Tools

ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System
T1562.013 Disable or Modify Network Device Firewall

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.[1]

Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.[2]

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.[3][4] For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via File/Path Exclusions.[5][6]

Adversaries may also focus on specific applications such as Sysmon. For example, the "Start" and "Enable" values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.[7]

On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.[8][9]

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.[10][11][12][13] For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.[12]

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.[14]

ID: T1562.001
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Containers, IaaS, Linux, Network Devices, Windows, macOS
Contributors: Alex Soler, AttackIQ; Cian Heasley; Daniel Feichter, @VirtualAllocEx, Infosec Tirol; Gal Singer, @galsinger29, Team Nautilus Aqua Security; Gordon Long, LegioX/Zoom, asaurusrex; Lucas Heiligenstein; Menachem Goldstein; Nathaniel Quist, Palo Alto Networks; Nay Myo Hlaing (Ethan), DBS Bank; Sarathkumar Rajendran, Microsoft Defender365; Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security
Version: 1.7
Created: 21 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry internet settings to lower internet security. [15]
S0331 Agent Tesla

Agent Tesla has the capability to kill any running analysis processes and AV software.[16]
G1030 Agrius

Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius used a publicly available driver, GMER64.sys typically used for anti-rootkit functionality, to selectively stop and remove security software processes.[17]
G1024 Akira

Akira has disabled or modified security tools for defense evasion.[18]
G0082 APT38

APT38 has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.[19]

G0143 Aquatic Panda

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[20]
C0046 ArcaneDoor

ArcaneDoor modified the Authentication, Authorization, and Accounting (AAA) function of targeted Cisco ASA appliances to allow the threat actor to bypass normal AAA operations.[21][22]
S0640 Avaddon

Avaddon looks for and attempts to stop anti-malware solutions.[23]
S0638 Babuk

Babuk can stop anti-virus services on a compromised host.[24]
S0534 Bazar

Bazar has manually loaded ntdll from disk in order to identity and remove API hooks set by security products.[25]

G1043 BlackByte

BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.[26][27][28]
S1180 BlackByte Ransomware

BlackByte Ransomware adds .JS and .EXE extensions to the Microsoft Defender exclusion list. BlackByte Ransomware terminates and removes the Raccine anti-ransomware utility.[29]
S0252 Brave Prince

Brave Prince terminates antimalware processes.[30]
G0060 BRONZE BUTLER

BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[31]
S0482 Bundlore

Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the pkill cfprefsd command to prevent users from inspecting processes.[32][33]
S0484 Carberp

Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[34]
S0144 ChChes

ChChes can alter the victim's proxy configuration.[35]
S0611 Clop

Clop can uninstall or disable security products.[36]
S0154 Cobalt Strike

Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.[37][38]
S0608 Conficker

Conficker terminates various services related to system security and Windows.[39]
G1052 Contagious Interview

Contagious Interview has convinced victims to disable Docker and other container environments and run code on their machine natively in attempts to bypass container isolation and ensure device infection.[40]
C0029 Cutting Edge

During Cutting Edge, threat actors disabled logging and modified the compcheckresult.cgi component to edit the Ivanti Connect Secure built-in Integrity Checker exclusion list to evade detection.[41][42]
S0334 DarkComet

DarkComet can disable Security Center functions like anti-virus.[43][44]
S1111 DarkGate

DarkGate will terminate processes associated with several security software products if identified during execution.[45]
S0659 Diavol

Diavol can attempt to stop security software.[46]
S0695 Donut

Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[47]

S0377 Ebury

Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[48]
S0554 Egregor

Egregor has disabled Windows Defender to evade protections.[49]
S0605 EKANS

EKANS stops processes related to security and management software.[50][51]
G1003 Ember Bear

Ember Bear uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus through stopping the WinDefend service on victim machines. Ember Bear disables Windows Defender via registry key changes.[52]
G0037 FIN6

FIN6 has deployed a utility script named kill.bat to disable anti-virus.[53]
G0047 Gamaredon Group

Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[54][55]

S0249 Gold Dragon

Gold Dragon terminates anti-malware processes if they’re found running on the system.[30]
S0477 Goopy

Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.[56]

G0078 Gorgon Group

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[57]
S0531 Grandoreiro

Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.[58]
S0132 H1N1

H1N1 kills and disables services for Windows Security Center, and Windows Defender.[59]
S0061 HDoor

HDoor kills anti-virus found on the victim.[60]
S0601 Hildegard

Hildegard has modified DNS resolvers to evade DNS monitoring tools.[61]
C0038 HomeLand Justice

During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.[62]
S0434 Imminent Monitor

Imminent Monitor has a feature to disable Windows Task Manager.[63]

G1032 INC Ransom

INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.[64]
G0119 Indrik Spider

Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[65] Indrik Spider has used MpCmdRun to revert the definitions in Microsoft Defender.[66] Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services.[66]
S0201 JPIN

JPIN can lower security settings by changing Registry keys.[67]
G0094 Kimsuky

Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.[68][69]
S0669 KOCTOPUS

KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.[70]
C0035 KV Botnet Activity

KV Botnet Activity used various scripts to remove or disable security tools, such as http_watchdog and firewallsd, as well as tools related to other botnet infections, such as mips_ff, on victim devices.[71]
G0032 Lazarus Group

Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[72][73][74][75].

S1199 LockBit 2.0

LockBit 2.0 can disable firewall rules and anti-malware and monitoring software including Windows Defender.[76][77]
S1202 LockBit 3.0

LockBit 3.0 can disable security tools to evade detection including Windows Defender.[78][79][80]
S0372 LockerGoga

LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[81]
S1213 Lumma Stealer

Lumma Stealer has attempted to bypass Windows Antimalware Scan Interface (AMSI) by removing the string "AmsiScanBuffer" from the "clr.dll" module in memory to prevent it from being called.[82]
S1048 macOS.OSAMiner

macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system's install.log for apps matching its hardcoded list, killing all matching process names.[83]
G0059 Magic Hound

Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.[84]
S1169 Mango

Mango contains an unused capability to block endpoint security solutions from loading user-mode code hooks via a DLL in a specified process by using the UpdateProcThreadAttribute API to set the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY to PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON for an identified process. [85]
S0449 Maze

Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[86] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[87]
G1051 Medusa Group

Medusa Group has terminated antivirus services utilizing the gaze.exe executable and utilizing psexec.exe.[88][89][90] Medusa Group has also leveraged I/O control codes (IOCTLs) for terminating and deleting processes of identified security tools.[88]
S1244 Medusa Ransomware

Medusa Ransomware has terminated antivirus services utilizing the gaze.exe executable.[88] Medusa Ransomware has also terminated antivirus services utilizing PowerShell scripts.[88][91]
S0576 MegaCortex

MegaCortex was used to kill endpoint security processes.[92]
S0455 Metamorfo

Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[93][94]

S0688 Meteor

Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[95]
G0069 MuddyWater

MuddyWater can disable the system's local proxy settings.[96]
S1135 MultiLayer Wiper

MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies.[17]
S0228 NanHaiShu

NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.[97]
S0336 NanoCore

NanoCore can modify the victim's anti-virus.[98][99]
S0457 Netwalker

Netwalker can detect and terminate active security software-related processes on infected systems.[100][101]
C0002 Night Dragon

During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[102]
G1040 Play

Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.[103][104]
S0223 POWERSTATS

POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[105]
S0279 Proton

Proton kills security tools like Wireshark that are running.[106]
G0024 Putter Panda

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[107]
S0583 Pysa

Pysa has the capability to stop antivirus services and disable Windows Defender.[108]

S0650 QakBot

QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[109]
S1242 Qilin

Qilin can terminate antivirus-related processes and services.[110][111][112][113]
C0055 Quad7 Activity

Quad7 Activity has disabled the TP-Link management interface for TP-Link by killing the /usr/bin/httpd process.[114][115][116]
S0481 Ragnar Locker

Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.[117]
S1130 Raspberry Robin

Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.[118]
S1240 RedLine Stealer

RedLine Stealer can disable security software and update services.[119]
S0496 REvil

REvil can connect to and disable the Symantec server on the victim's network.[120]
S0400 RobbinHood

RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[121]

G0106 Rocke

Rocke used scripts which detected and uninstalled antivirus software.[122][123]
S0253 RunningRAT

RunningRAT kills antimalware running process.[30]
S0446 Ryuk

Ryuk has stopped services related to anti-virus.[124]
G1031 Saint Bear

Saint Bear will modify registry entries and scheduled task objects associated with Windows Defender to disable its functionality.[125]
G1015 Scattered Spider

Scattered Spider has uninstalled and disabled security tools.[126]

C0058 SharePoint ToolShell Exploitation

During SharePoint ToolShell Exploitation, threat actors disabled Microsoft Defender through Registry settings and real-time monitoring via PowerShell.[127][128]
S1178 ShrinkLocker

ShrinkLocker disables protectors used to secure the BitLocker encryption key on victim systems.[129][130]
S0692 SILENTTRINITY

SILENTTRINITY's amsiPatch.py module can disable Antimalware Scan Interface (AMSI) functions.[131]
S0468 Skidmap

Skidmap has the ability to set SELinux to permissive mode.[132]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[133]
S1234 SplatCloak

SplatCloak has identified and disabled API callback features of Windows Defender and Kaspersky.[134]
S0058 SslMM

SslMM identifies and kills anti-malware processes.[60]
S0491 StrongPity

StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.[135]
S0559 SUNBURST

SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.[136]
G1018 TA2541

TA2541 has attempted to disable built-in security protections such as Windows AMSI. [137]
G0092 TA505

TA505 has used malware to disable Windows Defender.[138]
G0139 TeamTNT

TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.[139][140]
S0595 ThiefQuest

ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.[141]
S0004 TinyZBot

TinyZBot can disable Avira anti-virus.[142]
S0266 TrickBot

TrickBot can disable Windows Defender.[143]
G0010 Turla

Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[144]
G1048 UNC3886

UNC3886 has disabled OpenSSL digital signature verification of system files through corruption of boot files.[145]
S0130 Unknown Logger

Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.[146]
G1047 Velvet Ant

Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations.[147]
S0670 WarzoneRAT

WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.[148]
S0689 WhisperGate

WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Theat Protection service and set an exclusion path for the C:\ drive.[149][150][151]
G0102 Wizard Spider

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[152][153][154][155]
S1207 XLoader

XLoader loads a copy of NTDLL to evade hooks from security monitoring tools on this library.[156] XLoader can add the path of its executable to the Microsoft Defender exclusion list.[157]
S1114 ZIPLINE

ZIPLINE can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool if the --exclude parameter is passed by the tar process.[158]
S0412 ZxShell

ZxShell can kill AV products' processes.[159]

Mitigations

ID Mitigation Description
M1047 Audit

Periodically verify that tools are functioning appropriately – for example, that all expected hosts with EDRs or monitoring agents are checking in to the central console. Check EDRs to ensure that no unexpected exclusion paths have been added. In Microsoft Defender for Endpoint, exclusions can be reviewed with the Get-MpPreference cmdlet.[160]
M1038 Execution Prevention

Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.
M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.
M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.
M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0497 Detection of Impair Defenses through Disabled or Modified Tools across OS Platforms. AN1369

Detection of adversary behavior that disables or modifies security tools, including killing AV/EDR processes, stopping services, altering Sysmon registry keys, or tampering with exclusion lists. Defenders observe process/service termination, registry modification, and abnormal absence of expected telemetry.
AN1370

Detection of adversaries attempting to stop or disable host-based security agents by killing daemons, unloading kernel modules, or modifying init/systemd service configurations.
AN1371

Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or using security/uninstall commands to remove agents.
AN1372

Detection of adversaries disabling cloud monitoring and logging agents such as CloudWatch, Google Cloud Monitoring, or Azure Monitor by API calls or agent process termination.
AN1373

Detection of adversaries tampering with container runtime security plugins, disabling admission controllers, or stopping monitoring sidecars.
AN1374

Detection of adversaries modifying startup configuration files to disable signature verification, logging, or monitoring features.

References

  1. Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.
  2. Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.
  3. de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.
  4. MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.
  5. BlackBerry Research and Intelligence Team. (2022, February 3). Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine. Retrieved March 18, 2025.
  6. Van Ta, Jake Nicastro, Rufus Brown, and Nick Richard. (2021, December 7). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved March 18, 2025.
  7. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
  8. ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.
  9. Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.
  10. Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022.
  11. Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.
  12. Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022.
  13. Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022.
  14. Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.
  15. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  16. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  17. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  18. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  19. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  20. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  21. Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  22. Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
  23. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  24. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  25. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  26. US Federal Bureau of Investigation & US Secret Service. (2022, February 11). Indicators of Compromise Associated with BlackByte Ransomware. Retrieved December 16, 2024.
  27. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  28. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
  29. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
  30. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  31. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  32. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  33. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  34. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  35. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  36. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  37. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  38. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  39. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  40. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
  41. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  42. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  43. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  44. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  45. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  46. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  47. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  48. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  49. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  50. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
  51. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
  52. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  53. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  54. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  55. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024.
  56. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  57. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  58. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  59. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.
  60. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  61. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  62. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  63. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  64. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
  65. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  66. Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
  67. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  68. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  69. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  70. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  71. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  72. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  73. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  74. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  75. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
  76. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  77. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  78. CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025.
  79. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  80. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
  1. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
  2. Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
  3. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  4. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  5. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  6. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  7. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  8. Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025.
  9. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  10. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
  11. Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025.
  12. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  13. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  14. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  15. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  16. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  17. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  18. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  19. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  20. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  21. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  22. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  23. CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
  24. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  25. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  26. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  27. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  28. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  29. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
  30. Magdy, S. et al. (2022, August 25). New Golang Ransomware Agenda Customizes Attacks. Retrieved September 26, 2025.
  31. SentinelOne. (2022, November 30). Agenda (Qilin). Retrieved September 26, 2025.
  32. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025.
  33. Hacioglu, S. (2025, March 10). Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024. Retrieved September 26, 2025.
  34. Aime, F. et al. (n.d.). Solving the 7777 Botnet enigma: A cybersecurity quest. Retrieved July 23, 2024.
  35. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
  36. Batista, João. Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.
  37. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  38. Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
  39. Splunk Threat Research Team. (2023, June 1). Do Not Cross The 'RedLine' Stealer: Detections and Analysis. Retrieved September 17, 2025.
  40. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  41. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
  42. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  43. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  44. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  45. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  46. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  47. Microsoft Threat Intelligence. (2025, July 22). Disrupting active exploitation of on-premises SharePoint vulnerabilities. Retrieved October 15, 2025.
  48. Unit 42. (2025, July 31). Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated). Retrieved October 15, 2025.
  49. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  50. Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.
  51. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  52. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  53. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  54. Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2. Retrieved September 12, 2025.
  55. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  56. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
  57. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  58. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  59. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  60. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  61. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
  62. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  63. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  64. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  65. Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
  66. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  67. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  68. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  69. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  70. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  71. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  72. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  73. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  74. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  75. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  76. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
  77. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.
  78. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  79. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  80. Christopher Brumm. (2021, August 4). My learnings on Microsoft Defender for Endpoint and Exclusions. Retrieved March 18, 2025.