Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.[1][2]
ID | Name | Description |
---|---|---|
S0331 | Agent Tesla |
Agent Tesla has the capability to kill any running analysis processes and AV software.[3] |
G0016 | APT29 |
APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[4] |
G0143 | Aquatic Panda |
Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[5] |
S0640 | Avaddon |
Avaddon looks for and attempts to stop anti-malware solutions.[6] |
S0638 | Babuk |
Babuk can stop anti-virus services on a compromised host.[7] |
S0534 | Bazar |
Bazar has manually loaded ntdll from disk in order to identity and remove API hooks set by security products.[8] |
S0252 | Brave Prince |
Brave Prince terminates antimalware processes.[9] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[10] |
S0482 | Bundlore |
Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the |
S0484 | Carberp |
Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[13] |
S0144 | ChChes | |
S0611 | Clop | |
S0154 | Cobalt Strike |
Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.[16][17] |
S0608 | Conficker |
Conficker terminates various services related to system security and Windows.[18] |
S0334 | DarkComet |
DarkComet can disable Security Center functions like anti-virus.[19][20] |
S0659 | Diavol | |
S0695 | Donut |
Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[22] |
S0377 | Ebury |
Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[23] |
S0554 | Egregor |
Egregor has disabled Windows Defender to evade protections.[24] |
S0605 | EKANS |
EKANS stops processes related to security and management software.[25][26] |
G0037 | FIN6 |
FIN6 has deployed a utility script named |
G0047 | Gamaredon Group |
Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[28] |
S0249 | Gold Dragon |
Gold Dragon terminates anti-malware processes if they’re found running on the system.[9] |
S0477 | Goopy |
Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.[29] |
G0078 | Gorgon Group |
Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the |
S0531 | Grandoreiro |
Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.[31] |
S0132 | H1N1 |
H1N1 kills and disables services for Windows Security Center, and Windows Defender.[32] |
S0061 | HDoor | |
S0601 | Hildegard |
Hildegard has modified DNS resolvers to evade DNS monitoring tools.[34] |
S0434 | Imminent Monitor |
Imminent Monitor has a feature to disable Windows Task Manager.[35] |
G0119 | Indrik Spider |
Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[36] |
S0201 | JPIN |
JPIN can lower security settings by changing Registry keys.[37] |
G0094 | Kimsuky |
Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.[38][39] |
S0669 | KOCTOPUS |
KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.[40] |
G0032 | Lazarus Group |
Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[41][42][43][44]. |
S0372 | LockerGoga |
LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.[45] |
S0449 | Maze |
Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[46] It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.[47] |
S0576 | MegaCortex |
MegaCortex was used to kill endpoint security processes.[48] |
S0455 | Metamorfo |
Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[49][50] |
S0688 | Meteor |
Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[51] |
G0069 | MuddyWater |
MuddyWater can disable the system's local proxy settings.[52] |
S0228 | NanHaiShu |
NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.[53] |
S0336 | NanoCore | |
S0457 | Netwalker |
Netwalker can detect and terminate active security software-related processes on infected systems.[56][57] |
G0014 | Night Dragon |
Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[58] |
S0223 | POWERSTATS |
POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[59] |
S0279 | Proton |
Proton kills security tools like Wireshark that are running.[60] |
G0024 | Putter Panda |
Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[61] |
S0583 | Pysa |
Pysa has the capability to stop antivirus services and disable Windows Defender.[62] |
S0650 | QakBot |
QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[63] |
S0481 | Ragnar Locker |
Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.[64] |
S0496 | REvil |
REvil can connect to and disable the Symantec server on the victim's network.[65] |
S0400 | RobbinHood |
RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[66] |
G0106 | Rocke |
Rocke used scripts which detected and uninstalled antivirus software.[67][68] |
S0253 | RunningRAT |
RunningRAT kills antimalware running process.[9] |
S0446 | Ryuk | |
S0692 | SILENTTRINITY |
SILENTTRINITY's |
S0468 | Skidmap |
Skidmap has the ability to set SELinux to permissive mode.[71] |
S0058 | SslMM | |
S0491 | StrongPity |
StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.[72] |
S0559 | SUNBURST |
SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.[73] |
G0139 | TeamTNT | |
S0595 | ThiefQuest |
ThiefQuest uses the function |
S0004 | TinyZBot | |
S0266 | TrickBot | |
G0010 | Turla |
Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[78] |
S0130 | Unknown Logger |
Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.[79] |
S0670 | WarzoneRAT |
WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.[80] |
S0689 | WhisperGate |
WhisperGate can download and execute AdvancedRun.exe to disable Windows Defender Theat Protection via |
G0102 | Wizard Spider |
Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[84][85][86] |
S0412 | ZxShell |
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
M1024 | Restrict Registry Permissions |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
M1018 | User Account Management |
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |
Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.
Lack of expected log events may be suspicious.