forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
disabling_security_tools.yml
31 lines (31 loc) · 1.66 KB
/
disabling_security_tools.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
name: Disabling Security Tools
id: fcc27099-46a0-46b0-a271-5c7dab56b6f1
version: 2
date: '2020-02-04'
author: Rico Valdez, Splunk
description: Looks for activities and techniques associated with the disabling of
security tools on a Windows system, such as suspicious `reg.exe` processes, processes
launching netsh, and many others.
narrative: Attackers employ a variety of tactics in order to avoid detection and operate
without barriers. This often involves modifying the configuration of security tools
to get around them or explicitly disabling them to prevent them from running. This
Analytic Story includes searches that look for activity consistent with attackers
attempting to disable various security mechanisms. Such activity may involve monitoring
for suspicious registry activity, as this is where much of the configuration for
Windows and various other programs reside, or explicitly attempting to shut down
security-related services. Other times, attackers attempt various tricks to prevent
specific programs from running, such as adding the certificates with which the security
tools are signed to a block list (which would prevent them from running).
references:
- https://attack.mitre.org/wiki/Technique/T1089
- https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/
- https://web.archive.org/web/20220425194457/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf
tags:
analytic_story: Disabling Security Tools
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Security Monitoring