Impair Defenses: Disable or Modify Tools
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
Procedure Examples

Name | Description |
---|---|
RunningRAT | RunningRAT kills running antimalware processes.(Citation: McAfee Gold Dragon) |
SUNBURST | SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.(Citation: FireEye SUNBURST Additional Details Dec 2020) |
INC Ransom | INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.(Citation: Huntress INC Ransomware May 2024) |
Diavol | Diavol can attempt to stop security software.(Citation: Fortinet Diavol July 2021) |
TA2541 | TA2541 has attempted to disable built-in security protections such as Windows AMSI.(Citation: Proofpoint TA2541 February 2022) |
H1N1 | H1N1 kills and disables services for Windows Security Center and Windows Defender.(Citation: Cisco H1N1 Part 2) |
Turla | Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.(Citation: ESET Turla PowerShell May 2019) |
Ryuk | Ryuk has stopped services related to anti-virus.(Citation: FireEye Ryuk and Trickbot January 2019) |
Netwalker | Netwalker can detect and terminate active security software-related processes on infected systems.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
KV Botnet Activity | KV Botnet Activity used various scripts to remove or disable security tools, such as |
SILENTTRINITY | SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions.(Citation: GitHub SILENTTRINITY Modules July 2019) |
REvil | REvil can connect to and disable the Symantec server on the victim's network.(Citation: Cylance Sodinokibi July 2019) |
Cobalt Strike | Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020) |
POWERSTATS | POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.(Citation: FireEye MuddyWater Mar 2018) |
LockerGoga | LockerGoga installation has been immediately preceded by a "task kill" command in order to disable anti-virus.(Citation: Wired Lockergoga 2019) |
ChChes | ChChes can alter the victim's proxy configuration.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
Agrius | Agrius used several mechanisms to try to disable security tools. Agrius attempted to modify EDR-related services to disable auto-start on system reboot. Agrius used a publicly available driver, |
Avaddon | Avaddon looks for and attempts to stop anti-malware solutions.(Citation: Arxiv Avaddon Feb 2021) |
Ebury | Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.(Citation: ESET Ebury Oct 2017) |
WhisperGate | WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
MuddyWater | MuddyWater can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021) |
Clop | Clop can uninstall or disable security products.(Citation: Cybereason Clop Dec 2020) |
NanHaiShu | NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.(Citation: Proofpoint Leviathan Oct 2017) |
Carberp | Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.(Citation: Prevx Carberp March 2011) |
ZIPLINE | ZIPLINE can add itself to the exclusion list for the Ivanti Connect Secure Integrity Checker Tool if the `--exclude` parameter is passed by the `tar` process.(Citation: Mandiant Cutting Edge January 2024) |
WarzoneRAT | WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.(Citation: Check Point Warzone Feb 2020) |
SolarWinds Compromise | During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021) |
JPIN | JPIN can lower security settings by changing Registry keys.(Citation: Microsoft PLATINUM April 2016) |
Indrik Spider | Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.(Citation: Symantec WastedLocker June 2020) Indrik Spider has used `MpCmdRun` to revert the definitions in Microsoft Defender.(Citation: Mandiant_UNC2165) Additionally, Indrik Spider has used WMI to stop or uninstall and reset anti-virus products and other defensive services.(Citation: Mandiant_UNC2165) |
Ember Bear | Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
MegaCortex | MegaCortex was used to kill endpoint security processes.(Citation: IBM MegaCortex) |
Bazar | Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.(Citation: NCC Group Team9 June 2020) |
Pysa | Pysa has the capability to stop antivirus services and disable Windows Defender.(Citation: CERT-FR PYSA April 2020) |
MultiLayer Wiper | MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies.(Citation: Unit42 Agrius 2023) |
StrongPity | StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.(Citation: Talos Promethium June 2020) |
Play | Play has used tools including GMER, IOBit, and PowerTool to disable antivirus software.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023) |
DarkGate | DarkGate will terminate processes associated with several security software products if identified during execution.(Citation: Ensilo Darkgate 2018) |
TeamTNT | TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group) |
FIN6 | FIN6 has deployed a utility script named |
HDoor | HDoor kills anti-virus found on the victim.(Citation: Baumgartner Naikon 2015) |
TA505 | TA505 has used malware to disable Windows Defender.(Citation: Korean FSI TA505 2020) |
Gamaredon Group | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.(Citation: ESET Gamaredon June 2020) |
Hildegard | Hildegard has modified DNS resolvers to evade DNS monitoring tools.(Citation: Unit 42 Hildegard Malware) |
Grandoreiro | Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.(Citation: ESET Grandoreiro April 2020) |
Raspberry Robin | Raspberry Robin can add an exception to Microsoft Defender that excludes the entire main drive from anti-malware scanning to evade detection.(Citation: HP RaspberryRobin 2024) |
Night Dragon | Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.(Citation: McAfee Night Dragon) |
KOCTOPUS | KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.(Citation: MalwareBytes LazyScripter Feb 2021) |
Meteor | Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.(Citation: Check Point Meteor Aug 2021) |
Goopy | Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.(Citation: Cybereason Cobalt Kitty 2017) |
ThiefQuest | ThiefQuest uses the function |
TrickBot | TrickBot can disable Windows Defender.(Citation: Trend Micro Trickbot Nov 2018) |
BRONZE BUTLER | BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.(Citation: Trend Micro Tick November 2019) |
RobbinHood | RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.(Citation: CarbonBlack RobbinHood May 2019) |
Gorgon Group | Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the |
Putter Panda | Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).(Citation: CrowdStrike Putter Panda) |
Magic Hound | Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.(Citation: DFIR Report APT35 ProxyShell March 2022) |
Aquatic Panda | Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.(Citation: CrowdStrike AQUATIC PANDA December 2021) |
Babuk | Babuk can stop anti-virus services on a compromised host.(Citation: Sogeti CERT ESEC Babuk March 2021) |
Metamorfo | Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018) |
HomeLand Justice | During HomeLand Justice, threat actors modified and disabled components of endpoint detection and response (EDR) solutions including Microsoft Defender Antivirus.(Citation: Microsoft Albanian Government Attacks September 2022) |
Gold Dragon | Gold Dragon terminates anti-malware processes if they’re found running on the system.(Citation: McAfee Gold Dragon) |
EKANS | EKANS stops processes related to security and management software.(Citation: Dragos EKANS)(Citation: FireEye Ransomware Feb 2020) |
Lazarus Group | Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018) |
Egregor | Egregor has disabled Windows Defender to evade protections.(Citation: Intrinsec Egregor Nov 2020) |
APT29 | APT29 used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021) |
Ember Bear | Ember Bear uses the NirSoft AdvancedRun utility to disable Microsoft Defender Antivirus by stopping the WinDefend service on victim machines. Ember Bear disables Windows Defender via registry key changes.(Citation: Cadet Blizzard emerges as novel threat actor) |
SslMM | SslMM identifies and kills anti-malware processes.(Citation: Baumgartner Naikon 2015) |
Agent Tesla | Agent Tesla has the capability to kill any running analysis processes and AV software.(Citation: Fortinet Agent Tesla June 2017) |
TinyZBot | TinyZBot can disable Avira anti-virus.(Citation: Cylance Cleaver) |
DarkComet | DarkComet can disable Security Center functions like anti-virus.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
ZxShell | ZxShell can kill AV products' processes.(Citation: Talos ZxShell Oct 2014) |
NanoCore | NanoCore can modify the victim's anti-virus.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016) |
Kimsuky | Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021) |
Conficker | Conficker terminates various services related to system security and Windows.(Citation: SANS Conficker) |
Rocke | Rocke used scripts which detected and uninstalled antivirus software.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019) |
Ragnar Locker | Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.(Citation: Sophos Ragnar May 2020) |
UNC2452 | UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products.(Citation: Microsoft Deep Dive Solorigate January 2021) |
Donut | Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.(Citation: Donut Github) |
Saint Bear | Saint Bear will modify registry entries and scheduled task objects associated with Windows Defender to disable its functionality.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
Wizard Spider | Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021) |
Maze | Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.(Citation: McAfee Maze March 2020) It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.(Citation: Sophos Maze VM September 2020) |
Cutting Edge | During Cutting Edge, threat actors disabled logging and modified the `compcheckresult.cgi` component to edit the Ivanti Connect Secure built-in Integrity Checker exclusion list to evade detection.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024) |
macOS.OSAMiner | macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names.(Citation: SentinelLabs reversing run-only applescripts 2021) |
Proton | Proton kills security tools like Wireshark that are running.(Citation: objsee mac malware 2017) |
Skidmap | Skidmap has the ability to set SELinux to permissive mode.(Citation: Trend Micro Skidmap) |
2015 Ukraine Electric Power Attack | During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry internet settings to lower internet security.(Citation: Booz Allen Hamilton) |
Brave Prince | Brave Prince terminates antimalware processes.(Citation: McAfee Gold Dragon) |
QakBot | QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.(Citation: Group IB Ransomware September 2020) |
Night Dragon | During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.(Citation: McAfee Night Dragon) |
Unknown Logger | Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.(Citation: Forcepoint Monsoon) |
Bundlore | Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the |
Imminent Monitor | Imminent Monitor has a feature to disable Windows Task Manager.(Citation: Imminent Unit42 Dec2019) |
Mitigations

Mitigation | Description |
---|---|
Execution Prevention | Block execution of code on a system through application control and/or script blocking. |
Restrict Registry Permissions | Restrict the ability to modify certain hives or keys in the Windows Registry. |
User Account Management | Manage the creation, modification, use, and permissions associated with user accounts. |
Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
Detection
Monitor processes and command-line arguments to see if security tools/services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Monitoring for changes to other known features used by deployed security tools may also expose malicious activity. Lack of expected log events may be suspicious.
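Detection logic of the kind this paragraph describes, as an added example that is not part of the ATT&CK page: a small Python checker run over constructed, Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) records. The record format, the list of protected service names and the silence threshold are assumptions for illustration; the checker flags stops or kills of named security services, writes to the Sysmon Autologger and Defender exclusion keys named on this page, Set-MpPreference changes, and gaps in the event stream (the "lack of expected log events" the text mentions).

```python
"""Added example: flag Disable or Modify Tools indicators in constructed, Sysmon-style records.
Assumed record format: '<ISO timestamp>|EID=<id>|Field=value|...' with EID 1 = process
creation and EID 13 = registry value set, mirroring Sysmon's event IDs."""
import re
from datetime import datetime, timedelta

# Services/process images whose stop or kill should alert. Constructed list; replace with
# the service and image names of the tooling actually deployed in your environment.
PROTECTED_SERVICES = {"windefend", "sense", "wdnissvc", "wscsvc", "sysmon", "sysmon64"}

# Registry locations security tooling depends on: the Sysmon autologger values the page names,
# Defender exclusions, and the real-time protection policy value.
SENSITIVE_KEY_PATTERNS = [
    re.compile(r"\\WMI\\Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational\\(Start|Enable)$", re.I),
    re.compile(r"\\Windows Defender\\Exclusions\\", re.I),
    re.compile(r"\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring$", re.I),
]

# sc stop/config/delete <svc> or net stop <svc>: service control aimed at a protected service.
SERVICE_CTL_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|config|delete)|net1?(?:\.exe)?\s+stop)\s+(\S+)", re.I)
# taskkill ... /IM <image> or /PID <pid>: process kill aimed at a protected image.
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/(?:im|pid)\s+(\S+)", re.I)
# Set-MpPreference switching a Defender feature off or adding an exclusion.
MPPREF_RE = re.compile(r"Set-MpPreference\b.*?-(Disable\w+|ExclusionPath)", re.I)


def parse(line):
    """Split one record into a dict; the first field is always the timestamp."""
    ts, *fields = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _normalize(name):
    """Lower-case a service or image name and drop quotes and a trailing .exe."""
    return re.sub(r"\.exe$", "", name.strip('"').lower())


def check_process(rec):
    """Alerts for a process-creation record whose command line tampers with tooling."""
    cmd = rec.get("CommandLine", "")
    alerts = []
    m = SERVICE_CTL_RE.search(cmd)
    if m and _normalize(m.group(1)) in PROTECTED_SERVICES:
        alerts.append(f"service tamper: {cmd}")
    m = TASKKILL_RE.search(cmd)
    if m and _normalize(m.group(1)) in PROTECTED_SERVICES:
        alerts.append(f"process kill: {cmd}")
    if MPPREF_RE.search(cmd):
        alerts.append(f"defender preference change: {cmd}")
    return alerts


def check_registry(rec):
    """Alerts for a value-set record under a key that security tooling depends on."""
    target = rec.get("TargetObject", "")
    if any(p.search(target) for p in SENSITIVE_KEY_PATTERNS):
        return [f"sensitive registry write: {target} -> {rec.get('Details', '')}"]
    return []


def check_gaps(records, max_gap):
    """Alert when the (time-sorted) event stream is silent for longer than max_gap."""
    alerts = []
    for prev, cur in zip(records, records[1:]):
        if cur["ts"] - prev["ts"] > max_gap:
            alerts.append(f"log gap: no events between {prev['ts'].isoformat()} and {cur['ts'].isoformat()}")
    return alerts


def analyze(lines, max_gap=timedelta(minutes=15)):
    """Run every check over a batch of records; returns per-event alerts, then gap alerts."""
    records = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    alerts = []
    for rec in records:
        if rec.get("EID") == "1":
            alerts.extend(check_process(rec))
        elif rec.get("EID") == "13":
            alerts.extend(check_registry(rec))
    alerts.extend(check_gaps(records, max_gap))
    return alerts


# Constructed sample records: benign activity, a benign service stop, several tamper attempts,
# and a 37-minute silence before the last event.
SAMPLE_LOG = [
    "2024-06-01T10:00:00|EID=1|Image=C:\\Windows\\explorer.exe|CommandLine=notepad.exe notes.txt",
    "2024-06-01T10:01:30|EID=1|Image=C:\\Windows\\System32\\sc.exe|CommandLine=sc stop WinDefend",
    "2024-06-01T10:01:45|EID=1|Image=C:\\Windows\\System32\\net.exe|CommandLine=net stop Spooler",
    "2024-06-01T10:02:00|EID=13|TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger"
    "\\EventLog-Microsoft-Windows-Sysmon-Operational\\Start|Details=DWORD (0x00000000)",
    "2024-06-01T10:02:10|EID=13|TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
    "\\Paths\\C:\\|Details=DWORD (0x00000000)",
    "2024-06-01T10:02:20|EID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-06-01T10:40:00|EID=1|Image=C:\\Windows\\System32\\taskkill.exe|CommandLine=taskkill /F /IM Sysmon64.exe",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample records the checker reports six alerts and stays silent on the `net stop Spooler` line, which is the false-positive control: only services in the protected set are alerted on.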
References
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022.
- Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.
- MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.
- Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022.
- Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022.
- Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022.
- Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022.
- Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
- de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.
- Marvi, A., Slaybaugh, B., Ebreo, D., Ahmed, T., Umair, M., Johnson, T. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.
- Guillaume Lovet and Alex Kong. (2023, March 9). Analysis of FG-IR-22-369. Retrieved May 15, 2023.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021.
- Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
- Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
- Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
- Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
- Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
- S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
- Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
- McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
- Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024.
- Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
- CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.
- Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
- Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
- Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
- Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.
- US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
- Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
- Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
- Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
- Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.