Disabling Security Tools
As cybersecurity professionals, we rely on a robust set of security tools to safeguard our organizations from threats. However, adversaries are constantly devising ways to circumvent these defenses, and one particularly concerning tactic is disabling security tools, tracked as T1089 in the MITRE ATT&CK framework (an ID that ATT&CK has since folded into T1562.001, Impair Defenses: Disable or Modify Tools).
What Is Disabling Security Tools?
This technique involves an attacker taking actions to neutralize or render ineffective the security software deployed on a system or network. By disabling or tampering with security tools like antivirus, firewalls, host-based sensors, and other protective measures, adversaries can gain a foothold and operate more freely without detection.
Common Methods
Adversaries employ various methods to disable security tools, including:
- Killing security software processes
- Modifying configuration files or registry keys
- Uninstalling or deleting security software components
- Exploiting vulnerabilities in security tools
- Tampering with security tool updates
- Disabling security services or scheduled tasks
Real-World Examples
- The notorious Emotet malware disables Windows Defender and other security products by modifying registry keys and terminating processes.
- The SamSam ransomware was found killing security processes like those of Symantec and CylancePROTECT.
- The FIN7 threat group used a tool called BITSADMIN to disable Windows Defender on targeted systems.
Detecting Security Tool Tampering
While disabling security tools aims to evade detection, there are still ways to identify such activity:
- Monitor process creation and termination events for signs of security software being killed.
- Watch for unauthorized modifications to configuration files, registry keys, or scheduled tasks related to security tools.
- Leverage security information and event management (SIEM) solutions to correlate and analyze logs for suspicious patterns.
- Implement application control policies to restrict execution of unauthorized binaries or scripts targeting security tools.
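The following is an added example, not part of the original article, of how the first three detection points (process termination, registry modification, and SIEM-style correlation) can be expressed as rules over endpoint events. The event records, process and service names, registry prefixes, and the allowlist of trusted registry writers are all assumptions constructed for this example; the field layout loosely mirrors Sysmon process-terminate and registry-set events but no real log source is required.

```python
"""Flag security-tool tampering (ATT&CK T1089) in constructed endpoint events.

Per-event rules raise individual alerts; a correlation step escalates a host
on which several distinct tamper indicators fire within a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Process names of security products (assumed list; extend per environment).
SECURITY_PROCESSES = {"msmpeng.exe", "ccsvchst.exe", "cylancesvc.exe"}
# Registry locations that control Windows Defender (assumed watchlist).
SECURITY_REGISTRY_PREFIXES = (
    r"hklm\software\policies\microsoft\windows defender",
    r"hklm\system\currentcontrolset\services\windefend",
)
# Writers allowed to touch those keys, e.g. Group Policy refresh (assumed allowlist).
TRUSTED_REGISTRY_WRITERS = {"svchost.exe"}
# Services whose stop or disable should raise an alert (assumed list).
SECURITY_SERVICES = {"windefend", "sense"}


@dataclass
class Alert:
    host: str
    time: datetime
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Alert]:
    """Apply the per-event rules; return an Alert or None."""
    ts, host, kind = datetime.fromisoformat(ev["ts"]), ev["host"], ev["type"]
    if kind == "process_terminate":
        name = _basename(ev["image"])
        if name in SECURITY_PROCESSES:
            return Alert(host, ts, "security_process_terminated", name)
    elif kind == "registry_set":
        target, writer = ev["target"].lower(), _basename(ev["image"])
        if target.startswith(SECURITY_REGISTRY_PREFIXES) and writer not in TRUSTED_REGISTRY_WRITERS:
            return Alert(host, ts, "security_registry_modified", f"{writer} -> {ev['target']}")
    elif kind == "service_control":
        if ev["service"].lower() in SECURITY_SERVICES and ev["action"] in {"stop", "disable"}:
            return Alert(host, ts, "security_service_stopped", f"{ev['action']} {ev['service']}")
    return None


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=5)) -> Dict[str, List[Alert]]:
    """Escalate a host when two or more distinct rules fire inside `window`.
    A lone engine restart during an update trips one rule; tampering tends to trip several."""
    by_host: Dict[str, List[Alert]] = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.time):
        by_host[a.host].append(a)
    escalated: Dict[str, List[Alert]] = {}
    for host, host_alerts in by_host.items():
        for i, first in enumerate(host_alerts):
            cluster = [a for a in host_alerts[i:] if a.time - first.time <= window]
            if len({a.rule for a in cluster}) >= 2:
                escalated[host] = cluster
                break
    return escalated


def analyze(events: List[dict]) -> Tuple[List[Alert], Dict[str, List[Alert]]]:
    alerts = [a for a in (check_event(e) for e in events) if a is not None]
    return alerts, correlate(alerts)


# Constructed sample events (not captured from any real host).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "type": "process_terminate",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"ts": "2024-05-01T10:00:04", "host": "ws01", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": "2024-05-01T10:00:09", "host": "ws01", "type": "service_control",
     "service": "WinDefend", "action": "stop", "image": r"C:\Windows\System32\sc.exe"},
    # Group Policy refresh writing the same key from svchost.exe: allowlisted writer, no alert.
    {"ts": "2024-05-01T11:30:00", "host": "ws02", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "image": r"C:\Windows\System32\svchost.exe"},
    # Single engine restart on ws03: one alert, but nothing to correlate with.
    {"ts": "2024-05-01T12:00:00", "host": "ws03", "type": "process_terminate",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
]

if __name__ == "__main__":
    found, escalated = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.time} {a.host} {a.rule}: {a.detail}")
    for host, cluster in escalated.items():
        print(f"ESCALATE {host}: {len(cluster)} tamper indicators within 5 minutes")
```

Run against the sample, ws01 produces three different alerts within nine seconds and is escalated, ws02 produces none because the writer is on the allowlist, and ws03 produces one low-confidence alert that is not escalated. The allowlist is the piece that needs the most care in practice: an installer or policy engine that legitimately rewrites these keys should be named explicitly, and anything else writing them should be treated as suspect.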
Mitigating the Threat
To mitigate the risk of security tools being disabled, organizations should consider the following measures:
- Deploy security solutions with tamper protection, self-healing capabilities, and robust update mechanisms.
- Implement application whitelisting and strict execution policies to prevent unauthorized modification or termination of security processes.
- Leverage virtualization or containerization to isolate and protect security tools from the main operating environment.
- Regularly audit and review security tool configurations, logs, and update status for anomalies.
- Provide security awareness training to educate users on the risks of disabling security tools and the potential consequences.
By adopting a defense-in-depth approach and staying vigilant against attempts to disable security tools, organizations can enhance their resilience against this evasive attack technique and maintain a strong security posture.