# T1562.001 Disable or Modify Tools

-----------------------------------------------------------------------

## Technique Description

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)

## Technique Detection

Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity.

Lack of expected log events may be suspicious.

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Windows

  * macOS

  * Linux

  * Containers

  * IaaS

### Adversary Required Permissions:

  * User

  * Administrator

### Defenses Bypassed:

  * Anti-virus

  * Log analysis

  * Signature-based detection

  * Host intrusion prevention systems

  * File monitoring

### Data Sources:

  * **Windows Registry:** Windows Registry Key Modification

  * **Service:** Service Metadata

  * **Command:** Command Execution

  * **Process:** Process Termination

  * **Sensor Health:** Host Status

  * **Windows Registry:** Windows Registry Key Deletion

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021)| 
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has disabled and uninstalled security tools.(Citation: ATT TeamTNT Chimaera September 2020)| 
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) used [PsExec](https://attack.mitre.org/software/S0029) to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.(Citation: Symantec WastedLocker June 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)| 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)| 
| Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can attempt to disable security features in Microsoft Office and Windows Defender using the <code>taskkill</code> command.(Citation: Unit 42 Gorgon Group Aug 2018)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has incorporated code into several tools that attempts to terminate anti-virus processes.(Citation: Trend Micro Tick November 2019)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered macros which can tamper with Microsoft Office security settings.(Citation: ESET Gamaredon June 2020)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has deployed a utility script named <code>kill.bat</code> to disable anti-virus.(Citation: FireEye FIN6 Apr 2019)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018)| 
| Putter Panda | Malware used by [Putter Panda](https://attack.mitre.org/groups/G0024) attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).(Citation: CrowdStrike Putter Panda)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Night Dragon | [Night Dragon](https://attack.mitre.org/groups/G0014) has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.(Citation: McAfee Night Dragon)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.(Citation: ESET Turla PowerShell May 2019)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1562/001)

  * [Capec](https://capec.mitre.org/data/definitions/578.html)

  * [Outflank System Calls](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/), de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.

  * [Mdsec System Calls](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/), MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Turla will use an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [Asia 18 Tal Liberman Documenting the Undocumented - The Rise and Fall of AMSI (blackhat)](https://i.blackhat.com/briefings/asia/2018/asia-18-Tal-Liberman-Documenting-the-Undocumented-The-Rise-and-Fall-of-AMSI.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Lack of log events for security tools may be suspicious.

#### Analytic 1

  * **Information:** Identify attempts to access amsi.dll and its AmsiScanBuffer export. This is the function AMSI uses to submit content, such as PowerShell script blocks, to the registered antimalware product for scanning, so it is the usual target of in-memory AMSI patches.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Event ID 4663 (object access) will usually be more reliable than 4656 (handle requested) and 4658 (handle closed). All three require an object-access SACL on amsi.dll to be generated at all.

  * **Query:** ```event_id:(4663 OR 4656 OR 4658) AND object.name:"amsi.dll"```

#### Analytic 2

  * **Information:** Monitor processes and command-line arguments to see if security tools are killed or stop running.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query Sysmon:** ```event_id:5 AND image:"<security tool location>"```
  * **Query Win_Event:** ```event_id:4689 AND process.name:"<security tool location>"```
  
#### Analytic 3

  * **Information:** Monitor Registry edits for modifications to services and startup programs that correspond to security tools.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event_id:4657 AND object.name:"<security tool registry name>"```
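As an added example (not part of the original playbook), the three host analytics above written as Python rules and run over constructed Windows Security and Sysmon events; the watchlist entries and sample paths are assumed placeholders for the `<security tool location>` and `<security tool registry name>` values in the queries:

```python
# Added example (not from the original playbook): the three host analytics
# above expressed as Python rules over constructed Windows Security / Sysmon
# events, flattened to the dotted field names the Kibana queries use.

# Constructed sample events: one hit per analytic plus benign noise.
SAMPLE_EVENTS = [
    {"event_id": 4663, "object.name": r"C:\Windows\System32\amsi.dll",
     "process.name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 5, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"event_id": 4689, "process.name": r"C:\Program Files\ExampleEDR\edr_agent.exe"},
    {"event_id": 4657, "object.name": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"},
    {"event_id": 4663, "object.name": r"C:\Users\bob\notes.txt", "process.name": "notepad.exe"},
    {"event_id": 5, "image": r"C:\Windows\System32\notepad.exe"},
]

# Assumed watchlists standing in for the "<security tool location>" and
# "<security tool registry name>" placeholders in the queries above.
SECURITY_TOOL_IMAGES = {"msmpeng.exe", "edr_agent.exe"}  # assumed
SECURITY_TOOL_REG_PREFIXES = (r"hklm\software\policies\microsoft\windows defender",)  # assumed

def basename(path):
    """Last path component, lower-cased, so the watchlist matches any install directory."""
    return path.lower().rsplit("\\", 1)[-1]

def analytic_1_amsi_access(ev):
    # Analytic 1: object-access audits (4663 / 4656 / 4658) on amsi.dll.
    return ev.get("event_id") in (4663, 4656, 4658) and basename(ev.get("object.name", "")) == "amsi.dll"

def analytic_2_tool_terminated(ev):
    # Analytic 2: Sysmon event 5 or Security 4689 where the terminated image is a security tool.
    if ev.get("event_id") == 5:
        image = ev.get("image", "")
    elif ev.get("event_id") == 4689:
        image = ev.get("process.name", "")
    else:
        return False
    return basename(image) in SECURITY_TOOL_IMAGES

def analytic_3_registry_tamper(ev):
    # Analytic 3: registry value modification (4657) under a security tool's key.
    return ev.get("event_id") == 4657 and ev.get("object.name", "").lower().startswith(SECURITY_TOOL_REG_PREFIXES)

RULES = {"analytic_1": analytic_1_amsi_access,
         "analytic_2": analytic_2_tool_terminated,
         "analytic_3": analytic_3_registry_tamper}

def hunt(events):
    """Return (analytic name, event) pairs for every rule that fires, in event order."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]
```

Running `hunt(SAMPLE_EVENTS)` fires each analytic on its matching constructed event and stays silent on the notepad noise; in practice the watchlists come from the endpoint's actual security product paths and policy keys.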



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

