Adversaries may disable security tools to evade detection and maintain persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term threats before they cause significant damage.
Detection Rule
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
  - attack.defense-evasion
  - attack.t1562.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_iptables_1:
    Image|endswith: '/service'
    CommandLine|contains|all:
      - 'iptables'
      - 'stop'
  selection_iptables_2:
    Image|endswith: '/service'
    CommandLine|contains|all:
      - 'ip6tables'
      - 'stop'
  selection_iptables_3:
    Image|endswith: '/chkconfig'
    CommandLine|contains|all:
      - 'iptables'
      - 'stop'
  selection_iptables_4:
    Image|endswith: '/chkconfig'
    CommandLine|contains|all:
      - 'ip6tables'
      - 'stop'
  selection_firewall_1:
    Image|endswith: '/systemctl'
    CommandLine|contains|all:
      - 'firewalld'
      - 'stop'
  selection_firewall_2:
    Image|endswith: '/systemctl'
    CommandLine|contains|all:
      - 'firewalld'
      - 'disable'
  selection_carbonblack_1:
    Image|endswith: '/service'
    CommandLine|contains|all:
      - 'cbdaemon'
      - 'stop'
  selection_carbonblack_2:
    Image|endswith: '/chkconfig'
    CommandLine|contains|all:
      - 'cbdaemon'
      - 'off'
  selection_carbonblack_3:
    Image|endswith: '/systemctl'
    CommandLine|contains|all:
      - 'cbdaemon'
      - 'stop'
  selection_carbonblack_4:
    Image|endswith: '/systemctl'
    CommandLine|contains|all:
      - 'cbdaemon'
      - 'disable'
  selection_selinux:
    Image|endswith: '/setenforce'
    CommandLine|contains: '0'
  selection_crowdstrike_1:
    Image|endswith: '/systemctl'
    CommandLine|contains|all:
      - 'stop'
      - 'falcon-sensor'
  selection_crowdstrike_2:
    Image|endswith: '/systemctl'
    CommandLine|contains|all:
      - 'disable'
      - 'falcon-sensor'
  condition: 1 of selection*
falsepositives:
  - Legitimate administration activities
level: medium
imProcessCreate
| where (TargetProcessName endswith "/service" and (TargetProcessCommandLine contains "iptables" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/service" and (TargetProcessCommandLine contains "ip6tables" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/chkconfig" and (TargetProcessCommandLine contains "iptables" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/chkconfig" and (TargetProcessCommandLine contains "ip6tables" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/systemctl" and (TargetProcessCommandLine contains "firewalld" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/systemctl" and (TargetProcessCommandLine contains "firewalld" and TargetProcessCommandLine contains "disable"))
    or (TargetProcessName endswith "/service" and (TargetProcessCommandLine contains "cbdaemon" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/chkconfig" and (TargetProcessCommandLine contains "cbdaemon" and TargetProcessCommandLine contains "off"))
    or (TargetProcessName endswith "/systemctl" and (TargetProcessCommandLine contains "cbdaemon" and TargetProcessCommandLine contains "stop"))
    or (TargetProcessName endswith "/systemctl" and (TargetProcessCommandLine contains "cbdaemon" and TargetProcessCommandLine contains "disable"))
    or (TargetProcessName endswith "/setenforce" and TargetProcessCommandLine contains "0")
    or (TargetProcessName endswith "/systemctl" and (TargetProcessCommandLine contains "stop" and TargetProcessCommandLine contains "falcon-sensor"))
    or (TargetProcessName endswith "/systemctl" and (TargetProcessCommandLine contains "disable" and TargetProcessCommandLine contains "falcon-sensor"))
Scenario: A system administrator is disabling a legacy endpoint protection tool during a scheduled maintenance window to perform a system update.
Filter/Exclusion: process.name != "endpoint_protection_service.exe" OR process.parent.name == "task_scheduler.exe"
Scenario: A security team is performing a controlled test to simulate the disabling of a security tool as part of a penetration test or red team exercise.
Filter/Exclusion: process.name contains "test_tool" OR process.parent.name == "security_test_launcher.exe"
Scenario: A scheduled job is configured to temporarily disable a security tool for a specific period to allow for software compatibility testing with a third-party application.
Filter/Exclusion: process.name contains "compatibility_test_job" OR process.parent.name == "scheduler.exe"
Scenario: An IT administrator is using a script to disable a security tool on a test machine to troubleshoot an application issue.
Filter/Exclusion: process.name contains "disable_security_tool_script" OR process.parent.name == "powershell.exe"
Scenario: A user is running a legitimate system cleanup tool that temporarily disables certain security components to perform a deep scan or system optimization.
Filter/Exclusion: process.name contains "system_cleanup_tool" OR process.parent.name == "cleanmgr.exe"
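To see exactly which events the Sigma selections above fire on, and how a tuning allowlist of the kind sketched in the Scenario/Filter pairs sits on top of the rule, the following Python script re-implements the rule's selection logic (case-insensitive `endswith` on the image and `contains|all` on the command line, joined by `1 of selection*`) and runs it over a handful of constructed process-creation events. This is an added example, not code from the page, from the Sigma project or from Azure Sentinel; the `ProcessEvent` fields, the `/usr/local/bin/patch-orchestrator` parent image and all sample command lines are assumptions constructed for the demonstration.

```python
"""Evaluate the 'Disabling Security Tools' Sigma selections over sample
process-creation events, then apply a maintenance-window allowlist.
Added example: not part of the original page or the Sigma rule repository."""
from dataclasses import dataclass

# Selections transcribed from the rule above:
# name -> (Image|endswith suffix, CommandLine|contains|all substrings)
SELECTIONS = {
    "selection_iptables_1": ("/service", ["iptables", "stop"]),
    "selection_iptables_2": ("/service", ["ip6tables", "stop"]),
    "selection_iptables_3": ("/chkconfig", ["iptables", "stop"]),
    "selection_iptables_4": ("/chkconfig", ["ip6tables", "stop"]),
    "selection_firewall_1": ("/systemctl", ["firewalld", "stop"]),
    "selection_firewall_2": ("/systemctl", ["firewalld", "disable"]),
    "selection_carbonblack_1": ("/service", ["cbdaemon", "stop"]),
    "selection_carbonblack_2": ("/chkconfig", ["cbdaemon", "off"]),
    "selection_carbonblack_3": ("/systemctl", ["cbdaemon", "stop"]),
    "selection_carbonblack_4": ("/systemctl", ["cbdaemon", "disable"]),
    "selection_selinux": ("/setenforce", ["0"]),
    "selection_crowdstrike_1": ("/systemctl", ["stop", "falcon-sensor"]),
    "selection_crowdstrike_2": ("/systemctl", ["disable", "falcon-sensor"]),
}


@dataclass
class ProcessEvent:
    """Minimal process_creation record (hypothetical schema, not ASIM)."""
    image: str
    command_line: str
    parent_image: str = ""


def matched_selections(ev):
    """Return the names of every selection that fires for this event.
    Sigma string modifiers are case-insensitive, so both sides are lowered."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    hits = []
    for name, (suffix, needles) in SELECTIONS.items():
        if image.endswith(suffix) and all(n in cmd for n in needles):
            hits.append(name)
    return hits


def rule_fires(ev):
    """condition: 1 of selection*  (any selection matching is enough)."""
    return bool(matched_selections(ev))


# Tuning layer mirroring the Scenario/Filter pairs: parent images that are
# expected to stop security services inside a maintenance window.
# The path is a constructed placeholder, not a real product.
MAINTENANCE_PARENTS = {"/usr/local/bin/patch-orchestrator"}


def is_excluded(ev, allowed_parents=MAINTENANCE_PARENTS):
    """True when the event came from an allowlisted maintenance parent."""
    return ev.parent_image in allowed_parents


def triage(events):
    """Split rule hits into (alerts, suppressed) according to the allowlist."""
    alerts, suppressed = [], []
    for ev in events:
        if not rule_fires(ev):
            continue
        (suppressed if is_excluded(ev) else alerts).append(ev)
    return alerts, suppressed


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/systemctl", "systemctl stop falcon-sensor", "/bin/bash"),
    ProcessEvent("/usr/sbin/setenforce", "setenforce 0", "/bin/bash"),
    ProcessEvent("/usr/bin/systemctl", "systemctl status firewalld", "/bin/bash"),
    ProcessEvent("/usr/sbin/service", "service iptables restart", "/bin/bash"),
    ProcessEvent("/usr/bin/systemctl", "systemctl disable firewalld",
                 "/usr/local/bin/patch-orchestrator"),
    ProcessEvent("/usr/sbin/setenforce", "setenforce Permissive", "/bin/bash"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.command_line!r:40} -> {matched_selections(ev)}")
    alerts, suppressed = triage(SAMPLE_EVENTS)
    print(f"alerts={len(alerts)} suppressed={len(suppressed)}")
```

Running it shows the two benign `status`/`restart` invocations staying silent, the `disable firewalld` event being suppressed only because of its allowlisted parent, and the last sample slipping past `selection_selinux` because that selection keys solely on the character `0`: any broadening of the SELinux check (and any allowlist such as `MAINTENANCE_PARENTS`) should be validated against exactly this kind of constructed event set before it ships to Sentinel.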