Disabling Security Tools
|Disabling Security Tools|
|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X|
|Data Sources||API monitoring, Anti-virus, File monitoring, Services, Windows Registry, Process command-line parameters|
|Defense Bypassed||Anti-virus, File monitoring, Host intrusion prevention systems, Signature-based detection, File monitoring, Log analysis|
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
- Carbanak may use netsh to add local firewall rule exceptions.1
- Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh. 2 3 Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee.3
- Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).4
- Threat Group-3390 has used appcmd.exe to disable logging on a victim server.5
- The "ZR" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.6
- ChChes can alter the victim's proxy configuration.7
- H1N1 kills and disables services for Windows Firewall, Windows Security Center, and Windows Defender.8
- HDoor kills anti-virus found on the victim.9
- Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.10
- Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.11
- SslMM identifies and kills anti-malware processes.9
- TinyZBot can disable Avira anti-virus.12
- Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.13
- netsh can be used to disable local firewall settings.14
Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.
Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log or event file reporting may be suspicious.
- Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved December 17, 2015.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Cylance. (2014, December). Operation Cleaver. Retrieved December 4, 2014.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.