Generally, organizations such as institutes and companies use various security products to prevent security threats. For endpoint systems alone, there are not only anti-malware solutions, but also firewalls, APT defense solutions and products such as EDR. Even in general user environments without separate organization responsible for security, most of them have basic security products installed. For example, most of the users with latest Windows OS automatically have anti-malware product such as Microsoft Defender installed.
As most users nowadays have security products installed on their PCs, threat actors often attempt to disable the security products after initial access. This applies not only to APT attackers but also to attacks targeting poorly managed systems, such as ransomware attackers targeting RDP services and DB servers.
The best and the simplest way for the threat actor to uninstall the security product, but products usually require a password to remove, or do not allow uninstallation. Thus, threat actors attempt to deactivate security products using various tools. The problem is that many of the tools used in the process are not malware strains, but those that can also be used for legitimate purposes.
For example, threat actors often use tools such as Process Hacker and GMER to disable security products. Because these tools are frequently used for legitimate purposes, they are impossible to detect and block with anti-malware products.
AhnLab EDR (Endpoint Detection and Response) is a next-generation threat detection and response solution, providing powerful threat monitoring, analysis, and response capabilities for endpoint areas based on Korea’s only self-behavior-based engine. AhnLab EDR constantly collects information on suspicious behaviors by type and allows the user to precisely perceive threats from a detection, analysis, and response perspective. Through comprehensive analyses based on this, the user can identify the cause, respond adequately, and establish recurrence-prevention processes.
This report covers cases of threat actors’ security product incapacitation techniques in the defense evasion stage of attacks that can be detected with AhnLab EDR, allowing the administrator to become aware of the attack in advance, identify the cause, and respond accordingly.
1. Defender Control
Defender Control is a tool that can deactivate Microsoft Defender.
There are many cases where users intentionally install Defender Control to disable Microsoft Defender, but it gets detected and blocked by the anti-malware solution since Defender Control’s one of the main features is blocking specific product. Defender Control is being used in many attacks, and they were used in Lockis ransomware attack [1] and the Mimic ransomware attacks [2] which had been covered on the ASEC Blog.
Figure 1. Defender Control installed by the Mimic ransomware threat actor
When Defender Control tries to disable Microsoft Defender, AhnLab EDR detects this behavior and categorizes it as a threat so that the manager can notice it in advance.
Figure 2. Detection logs of Defender Control execution
2. HRSword
HRSword is developed by Beijing Huorong Network Technology and is a tool that can be used to monitor systems such as processes, files, registries, and networks to diagnose the system. As one of the feature that is supports is force-terminating certain process, various threat actors such as Masscan ransomware attack group [3] (This link is available in Korean only) and the CAMARO DRAGON APT group [4] is using this tool.
Figure 3. HRSword tool that supports process force-termination
AhnLab EDR detects the behavior of a threat actor using Huorong’s HRSword to disable security products as a threat and helps the administrator to become aware of it in advance, as shown below.
Figure 4. Detection logs of HRSword execution
3. Process Hacker
Like Process Explorer, Process Hacker shows the list of currently running processes and offers various features such as looking up related information and process control. As many users use Process Hacker, there are also numerous cases of attacks where it is exploited for the purpose of disabling security products.
For example, a case where the Lapsus$ threat actor, who attacked Okta in the past, having used Process Hacker was disclosed [5] and various other threat actors such as LockBit Ransomware [6] and Phobos Ransomware [7] are also taking advantage of the tool. Another case, involving the Hakuna Matata ransomware operator [8] having installed Process Hacker alongside various other tools, was covered on the ASEC Blog in the past.
Figure 5. Tools additionally installed by the threat actors
AhnLab EDR detects the behavior of a threat actor executing Process Hacker as a key behavior as shown below, helping the administrator identify the cause, respond appropriately, and establish recurrence-prevention processes.
Figure 6. Detection logs of Process Hacker execution
4. GMER
GMER is an anti-rootkit tool that finds concealed processes, services, file, registries, and drivers. These tools characteristically operate at a high privilege level to support features such as force-terminating suspicious processes or force-deleting files. Accordingly, various threat actors such as LockBit [9], Royal [10], and Ryuk Ransomware [11] have exploited GMER to deactivate security products.
Figure 7. GMER tool that supports process lookup and termination features
AhnLab EDR detects the behavior of a threat actor executing GMER as a key behavior as shown below, helping the administrator identify the cause, respond appropriately, and establish recurrence-prevention processes.
Figure 8. Detection logs of GMER execution
5. Conclusion
Threat actors exploit tools such as HRSword, Process Hacker, and GMER to evade security products that detect malware and suspicious behaviors. Because these tools are those that can be used by ordinary users for legitimate purposes, there are limits to detecting and blocking these with just anti-malware products.
AhnLab EDR detects tools used in the defense evasion stage as threats and key behaviors, allowing the administrator to become aware of these in advance. Based on this, the administrator can identify the cause and respond appropriately. Even after being exposed to a ransomware attack, they can also review the data from the affected system needed to investigate the infiltration incident as evidentiary data on the threat actor.
Behavior Detection
– DefenseEvasion/EDR.dControl.M11216
– Execution/EDR.HRSword.M11640
– Execution/DETECT.ProcHacker.M11647
– Execution/EDR.GMER.M11645
More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.
The post Defense Evasion Techniques Detected by AhnLab EDR appeared first on ASEC BLOG.
Article Link: Defense Evasion Techniques Detected by AhnLab EDR - ASEC BLOG