T1089.md

T1089 - Disabling Security Tools

Description from ATT&CK

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

Detection: Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log or event file reporting may be suspicious.

Platforms: Linux, macOS, Windows

Data Sources: API monitoring, Anti-virus, File monitoring, Services, Windows Registry, Process command-line parameters

Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Signature-based detection, Log analysis

Atomic Tests

• Atomic Test #1 - Disable iptables firewall

• Atomic Test #2 - Disable syslog

• Atomic Test #3 - Disable Cb Response

• Atomic Test #4 - Disable SELinux

• Atomic Test #5 - Disable Carbon Black Response

• Atomic Test #6 - Disable LittleSnitch

• Atomic Test #7 - Disable OpenDNS Umbrella

Atomic Test #1 - Disable iptables firewall

Disables the iptables firewall

Supported Platforms: Linux

Run it with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service iptables stop
  chkconfig off iptables
  service ip6tables stop
  chkconfig off ip6tables
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop firewalld
  systemctl disable firewalld
fi

Atomic Test #2 - Disable syslog

Disables syslog collection

Supported Platforms: Linux

Run it with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service rsyslog stop
  chkconfig off rsyslog
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop rsyslog
  systemctl disable rsyslog
fi

Atomic Test #3 - Disable Cb Response

Disable the Cb Response service

Supported Platforms: Linux

Run it with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service cbdaemon stop
  chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi

Atomic Test #4 - Disable SELinux

Disables SELinux enforcement

Supported Platforms: Linux

Run it with sh!

setenforce 0

Atomic Test #5 - Disable Carbon Black Response

Disables Carbon Black Response

Supported Platforms: macOS

Run it with sh!

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist

Atomic Test #6 - Disable LittleSnitch

Disables LittleSnitch

Supported Platforms: macOS

Run it with sh!

sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

Atomic Test #7 - Disable OpenDNS Umbrella

Disables OpenDNS Umbrella

Supported Platforms: macOS

Run it with sh!

sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist