Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.
Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services..
Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg. It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.
Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.
|M1022||Restrict File and Directory Permissions||
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.
|M1024||Restrict Registry Permissions||
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.
|M1018||User Account Management||
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.
|ID||Data Source||Data Component|
|DS0013||Sensor Health||Host Status|
|DS0024||Windows Registry||Windows Registry Key Deletion|
|Windows Registry Key Modification|
Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.
Lack of expected log events may be suspicious.