Uninstall System Defense Software T1562.001 v2
“The best way to get management excited about a disaster plan is to burn down the building across the street.”
T1562.001 (Impair Defenses: Disable or Modify Tools) is a technique within the MITRE ATT&CK framework that describes disabling, uninstalling or modifying security tools, such as antivirus software, endpoint detection and response (EDR) agents, host firewalls, logging agents or other protective mechanisms, to evade detection and facilitate further malicious activity. Attackers use this technique to weaken a target's defenses so that their malware or hands-on-keyboard activity goes unseen.
These are basic remediation steps for Windows, macOS, Linux, AWS, GCP, and Azure. As tools change, the remediation advice changes with them. This entry maps to the MITRE ATT&CK code referenced in the title. Please check back regularly for updates to this library entry.
The Evolution of System Defense Evasion: A Chronicle of Notable Attacks
In the ever-evolving landscape of cybersecurity, one technique has consistently proven to be a formidable weapon in the arsenal of threat actors: the disabling or uninstallation of security software. This method, classified as T1562.001 in the MITRE ATT&CK framework, has been a crucial component in numerous high-profile cyber attacks. By compromising the very systems designed to protect digital assets, attackers can operate with increased stealth and efficiency, often prolonging their intrusions and maximizing damage.
The NotPetya Watershed: A Turning Point in Cyber Warfare
June 2017 marked a significant milestone in the history of cyber attacks with the emergence of NotPetya. Initially disguised as a variant of the Petya ransomware, NotPetya quickly revealed itself to be a far more insidious threat. Leveraging potent SMB exploits like EternalBlue and EternalRomance, this malware morphed into a destructive wiper capable of rendering entire networks inoperable.
What set NotPetya apart was how much of its tradecraft was aimed at outpacing and sidestepping the target's defenses:
It created a scheduled task that forced a reboot roughly an hour after infection, so its boot-level payload ran before responders could intervene, and it cleared the Windows event logs with wevtutil to hamper investigation.
It enumerated running processes for known antivirus products (Kaspersky and Symantec/Norton among them) and altered its payload and propagation logic when it found them, working around the security software rather than removing it.
This attack not only caused billions of dollars in damages globally but also highlighted the critical importance of robust, multi-layered security measures that go beyond traditional antivirus solutions.
State-Sponsored Actors: The Silent Predators
The realm of state-sponsored cyber espionage has been particularly adept at leveraging system defense evasion techniques. The 2016 Democratic National Committee (DNC) intrusion, attributed to two Russian intelligence-associated groups, APT29 (Cozy Bear, present in the network since 2015) and APT28 (Fancy Bear), serves as a prime example.
In this sophisticated operation, APT29 demonstrated an advanced understanding of security software evasion:
They utilized administrative tools to systematically uninstall security software across the compromised network.
This allowed them to maintain prolonged access, exfiltrating sensitive data over an extended period.
The incident not only had significant political ramifications but also underscored the advanced capabilities of state-sponsored threat actors in bypassing even well-defended networks.
Operation Soft Cell: A Testament to Persistence
Between 2018 and 2019, the cybersecurity community witnessed Operation Soft Cell, a prolonged campaign targeting major telecommunications companies worldwide. This operation, notable for its persistence, showcased the evolving tactics of system defense evasion:
Attackers disabled Windows Defender, a built-in security feature, across compromised systems.
They systematically dismantled other defense mechanisms, creating a vulnerable environment ripe for exploitation.
The operation's success in maintaining access for nearly two years highlighted the critical need for continuous security monitoring and the importance of defense-in-depth strategies.
The Lazarus Group: Masters of Evasion
No discussion of system defense evasion would be complete without mentioning the Lazarus Group, a North Korean state-sponsored entity notorious for its diverse and impactful campaigns. From the headline-grabbing Sony Pictures hack in 2014 to the global WannaCry ransomware attack in 2017, the Lazarus Group has consistently demonstrated advanced evasion tactics:
They routinely employ custom tools designed to disable a wide range of security software.
Their malware often includes modules specifically crafted to seek out and neutralize antivirus processes.
The group's ability to operate undetected for extended periods has made them one of the most feared threat actors in the cybersecurity landscape.
Technical Sophistication: The Tools of the Trade
The techniques employed in these attacks reveal a high level of technical sophistication:
Credential Theft and Privilege Escalation: Attackers usually begin by obtaining valid credentials, through phishing, credential dumping, or exploitation of known vulnerabilities. Disabling or uninstalling a security product needs local administrator or SYSTEM rights (and, for tamper-protected products, more than that), so privilege escalation is the normal prerequisite for this technique.
Automation through Scripts and Scheduled Tasks: As seen with NotPetya, attackers frequently automate the process of disabling security measures, ensuring rapid and comprehensive coverage across entire networks.
Registry Modifications: By altering policy keys such as those under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, attackers can disable core security features, often without triggering immediate alerts unless the registry itself is monitored.
Command-Line Tools: Utilities like net stop (and sc stop / sc config with start= disabled) for halting services, wmic (for example wmic product where name="<product>" call uninstall) for removing installed products, and PsExec for remote execution are frequently weaponized to disable defenses across networks.
Conclusion: The Imperative of Adaptive Security
The chronicle of these attacks underscores a crucial reality in modern cybersecurity: the battlefield is constantly shifting. As defenders develop more sophisticated security measures, attackers invariably find new ways to circumvent them. The ability to disable or uninstall security software remains a powerful tool in the arsenal of cyber adversaries, from lone hackers to state-sponsored groups.
For organizations and security professionals, this history serves as both a warning and a call to action. It highlights the need for:
Multi-layered, resilient security architectures that can withstand the compromise of any single component.
Continuous monitoring and rapid response capabilities to detect and mitigate evasion attempts.
Regular security assessments and penetration testing to identify and address vulnerabilities before they can be exploited.
Ongoing education and training to keep security teams abreast of the latest evasion techniques and countermeasures.
Remediation: On-Prem
Windows
Identify Uninstalled Software:
Use Event Viewer:
Event Viewer > Windows Logs > Application
(Event ID 11724, provider MsiInstaller, "Removal completed successfully")
Also check Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational for Event IDs 5001, 5010 and 5012, which record real-time protection, anti-spyware scanning and antivirus scanning being disabled, and Windows Logs > System for Service Control Manager 7036 (service stopped) and 7040 (start type changed to disabled) against security services.
Check with PowerShell:
Get-CimInstance -ClassName Win32_Product
Querying Win32_Product makes Windows Installer run a consistency check, and possibly a repair, of every installed MSI package, so it is slow and noisy and only lists MSI-installed products. On a live host, prefer enumerating HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node equivalent) and comparing the result against the agents you expect to see.
Reinstall System Defense Software:
Download and install from the vendor's website.
Audit System Integrity:
Run System File Checker:
sfc /scannow
Check Windows Defender status:
Get-MpComputerStatus
In the output, confirm that AntivirusEnabled, RealTimeProtectionEnabled and IsTamperProtected are all True and that AntivirusSignatureLastUpdated is recent; a False in any of these means the product is present but not actually protecting the host.
Implement Group Policy to Prevent Uninstallation:
Open Group Policy Editor:
gpedit.msc
Navigate to
Computer Configuration > Administrative Templates > Windows Components > Windows Installer
Enable "Disable Windows Installer". The "Always" option blocks every MSI install, removal and repair, including your own updates, so most environments choose "For non-managed applications only", which still allows packages deployed through Group Policy or your management tooling. This policy governs only Windows Installer: it does not stop sc stop or sc config against a service, or a registry edit under the Defender policy key, so pair it with Defender Tamper Protection (or your EDR's equivalent) and an AppLocker or WDAC rule covering msiexec.exe.
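The identification step above is easier to repeat if the event-log checks are written down as rules. The following is an added example for this page (not code from the original article): a small Python detector that takes Windows event records shaped like the objects Get-WinEvent emits (Id, ProviderName, LogName, TimeCreated, Message) and flags the three patterns named in the steps, Defender being switched off, an MSI removal of a security product, and a security service being stopped or set to disabled. The sample records and the list of product and service names are constructed assumptions; tune the name list to the agents your estate actually runs.

```python
"""Flag Windows event-log records that show security tooling being removed or
switched off (ATT&CK T1562.001).  Added example, not from the original page.
The records below are constructed to look like Get-WinEvent output after
ConvertTo-Json; they describe no real incident."""
import re
from dataclasses import dataclass

# Names that identify a defence product in an MSI product name or a service
# display name.  Assumption: extend with whatever your estate actually runs.
SECURITY_NAME_RE = re.compile(
    r"defender|sentinel|crowdstrike|falcon|carbon black|sophos|symantec|norton"
    r"|kaspersky|mcafee|trellix|eset|sysmon|osquery|elastic agent",
    re.IGNORECASE,
)

# Microsoft-Windows-Windows Defender/Operational events that mean protection
# was turned off (not merely reconfigured).
DEFENDER_OFF = {
    5001: "real-time protection disabled",
    5010: "anti-spyware scanning disabled",
    5012: "antivirus scanning disabled",
}

# Application log, provider MsiInstaller, Event ID 11724: product removed.
MSI_REMOVED_RE = re.compile(r"^Product: (?P<product>.+?) -- Removal completed successfully\.")
# System log, provider Service Control Manager: 7036 = state change, 7040 = start type change.
SCM_STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.")
SCM_DISABLED_RE = re.compile(r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.")


@dataclass(frozen=True)
class Finding:
    time: str
    event_id: int
    subject: str   # product or service that was removed/stopped/disabled
    reason: str


def find_defense_tampering(events):
    """Return one Finding per event that removes, stops or disables a defence tool."""
    findings = []
    for ev in events:
        provider, eid, msg = ev["ProviderName"], ev["Id"], ev["Message"].strip()
        if provider == "Microsoft-Windows-Windows Defender" and eid in DEFENDER_OFF:
            findings.append(Finding(ev["TimeCreated"], eid, "Windows Defender", DEFENDER_OFF[eid]))
        elif provider == "MsiInstaller" and eid == 11724:
            m = MSI_REMOVED_RE.match(msg)
            if m and SECURITY_NAME_RE.search(m["product"]):
                findings.append(Finding(ev["TimeCreated"], eid, m["product"], "MSI package removed"))
        elif provider == "Service Control Manager" and eid in (7036, 7040):
            m = SCM_STOPPED_RE.match(msg) if eid == 7036 else SCM_DISABLED_RE.match(msg)
            if m and SECURITY_NAME_RE.search(m["svc"]):
                what = "service stopped" if eid == 7036 else "service start type set to disabled"
                findings.append(Finding(ev["TimeCreated"], eid, m["svc"], what))
    return findings


# Constructed sample records (hypothetical host, not a real incident).
SAMPLE_EVENTS = [
    {"LogName": "Microsoft-Windows-Windows Defender/Operational", "ProviderName": "Microsoft-Windows-Windows Defender",
     "Id": 5001, "TimeCreated": "2024-06-03T09:12:04",
     "Message": "Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled."},
    {"LogName": "Application", "ProviderName": "MsiInstaller", "Id": 11724, "TimeCreated": "2024-06-03T09:13:40",
     "Message": "Product: Sophos Endpoint Agent -- Removal completed successfully."},
    {"LogName": "Application", "ProviderName": "MsiInstaller", "Id": 11724, "TimeCreated": "2024-06-03T09:14:02",
     "Message": "Product: 7-Zip 23.01 (x64 edition) -- Removal completed successfully."},
    {"LogName": "System", "ProviderName": "Service Control Manager", "Id": 7036, "TimeCreated": "2024-06-03T09:15:11",
     "Message": "The Microsoft Defender Antivirus Service service entered the stopped state."},
    {"LogName": "System", "ProviderName": "Service Control Manager", "Id": 7036, "TimeCreated": "2024-06-03T09:15:30",
     "Message": "The Print Spooler service entered the stopped state."},
    {"LogName": "System", "ProviderName": "Service Control Manager", "Id": 7040, "TimeCreated": "2024-06-03T09:16:05",
     "Message": "The start type of the Sysmon64 service was changed from auto start to disabled."},
]

if __name__ == "__main__":
    for f in find_defense_tampering(SAMPLE_EVENTS):
        print(f"{f.time}  {f.event_id:5d}  {f.subject}: {f.reason}")
```

Run against the sample it reports four findings and ignores the 7-Zip removal and the Print Spooler stop. On a real host, export the three logs with Get-WinEvent and ConvertTo-Json and feed the result in; the name list, not the event IDs, is the part that needs local tuning.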
macOS
Check Logs for Uninstall Events:
Use the Console application (or the log command) to search the unified log for installer and package-removal activity. On macOS 10.12 and later, system.log is a legacy file that receives very little, so searching it alone will miss most events. /Library/Receipts/InstallHistory.plist lists what has been installed, which lets you spot a security agent that appears in the history but is no longer present on the system.
Reinstall Security Software:
Download and install from an official source.
Verify System Integrity:
Check SIP status:
csrutil status
Enable SIP in Recovery Mode if necessary:
csrutil enable
Restrict Administrative Privileges:
Use MDM (or the local Users & Groups settings) to keep day-to-day accounts as Standard users rather than Administrators; Parental Controls (Screen Time on macOS 10.15 and later) is a consumer feature, not a fleet control.
Linux
Review System Logs for Uninstall Actions:
Package removals are recorded by the package manager, not usually in syslog. On Debian/Ubuntu check /var/log/dpkg.log and /var/log/apt/history.log; on RHEL-family hosts check /var/log/dnf.log (or /var/log/yum.log on older releases) or run dnf history / yum history:
sudo grep -i 'remove' /var/log/dpkg.log /var/log/apt/history.log
Reinstall Security and Defense Tools:
Use package manager:
sudo apt-get install <package-name>
sudo yum install <package-name>
Ensure Configuration Consistency:
Use auditd to monitor system activity: add watch rules for execution of the package managers (apt-get, dpkg, rpm, dnf) and for writes to the defense tools' configuration directories, ship the audit log off the host so a local root cannot quietly truncate it, and keep the tools' configuration under configuration management so drift is reverted automatically.
Restrict Package Manager Access:
Change permissions on package managers:
sudo chmod 700 /usr/bin/apt
Treat this as a speed bump only: apt already requires root to remove packages, root ignores file permissions, and the same job can be done with apt-get, dpkg or rpm. Stronger controls are apt-mark hold / dnf versionlock on the security packages, sudo rules that do not grant package-manager access, and auditd monitoring of the package managers and of systemctl.
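The auditd monitoring recommended above only pays off if someone turns the raw records back into commands. The following is an added example for this page (not code from the original article): a Python parser that groups auditd SYSCALL and EXECVE records by serial, decodes the hex-encoded arguments auditd emits for values containing spaces, reconstructs argv, and flags package-manager removals, systemctl stop/disable/mask, auditctl -e 0 and setenforce 0 aimed at defense tooling, looking inside sh -c strings as well. The audit lines are constructed with a trimmed field set, and the package and service name list is an assumption to tune for your estate.

```python
"""Reconstruct execve() argv from auditd SYSCALL/EXECVE records and flag
commands that remove or switch off Linux defense tooling (ATT&CK T1562.001).
Added example, not from the original page.  Sample records are constructed."""
import re
import shlex
from collections import defaultdict
from os.path import basename

AUDIT_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# Audit fields are key=value; values are "quoted" or, when they contain spaces
# or control bytes, hex-encoded without quotes.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

PKG_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "zypper"}
REMOVE_VERBS = {"remove", "purge", "autoremove", "erase", "-r", "-e", "--remove", "--purge", "--erase"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Assumption: names of the defense packages/units in use; extend for your fleet.
SECURITY_NAME_RE = re.compile(
    r"audit|falco|clamav|osquery|wazuh|falcon|sentinel|aide|rkhunter|fail2ban|apparmor|selinux",
    re.IGNORECASE,
)


def _decode(raw):
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_audit(lines):
    """Group records by serial: {serial: {"ts", "auid", "uid", "exe", "key", "argv"}}."""
    events = defaultdict(dict)
    for line in lines:
        m = AUDIT_HDR.match(line.strip())
        if not m:
            continue
        fields = dict(KV.findall(m["rest"]))
        ev = events[int(m["serial"])]
        ev.setdefault("ts", m["ts"])
        if m["type"] == "SYSCALL":
            for k in ("auid", "uid"):
                ev[k] = fields.get(k)
            for k in ("exe", "key"):
                ev[k] = _decode(fields.get(k, '""'))
        elif m["type"] == "EXECVE":
            # auditd splits very long arguments into aN[0], aN[1], ...; not reassembled here.
            argc = int(fields.get("argc", 0))
            ev["argv"] = [_decode(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return events


def _flag_value(args, flag):
    """The argument following `flag`, or None."""
    if flag in args and args.index(flag) + 1 < len(args):
        return args[args.index(flag) + 1]
    return None


def tampering_reason(argv):
    """Describe why argv disables/removes a defense tool, or return None."""
    if not argv:
        return None
    prog, args = basename(argv[0]), argv[1:]
    if prog in SHELLS:  # look inside `sh -c "..."`
        script = _flag_value(args, "-c")
        return tampering_reason(shlex.split(script)) if script else None
    if prog in PKG_MANAGERS and REMOVE_VERBS & set(args):
        hits = [a for a in args if SECURITY_NAME_RE.search(a)]
        if hits:
            return f"{prog} removed security package(s): {', '.join(hits)}"
    if prog == "systemctl":
        verbs = {"stop", "disable", "mask"} & set(args)
        hits = [a for a in args if SECURITY_NAME_RE.search(a)]
        if verbs and hits:
            return f"systemctl {'/'.join(sorted(verbs))} on {', '.join(hits)}"
    if prog == "auditctl" and _flag_value(args, "-e") == "0":
        return "auditctl -e 0 (audit logging switched off)"
    if prog == "setenforce" and args[:1] in (["0"], ["Permissive"], ["permissive"]):
        return "SELinux set to permissive"
    return None


def find_defense_tampering(lines):
    """Return a finding dict for every execve in `lines` that tampers with defenses."""
    findings = []
    for serial, ev in sorted(parse_audit(lines).items()):
        reason = tampering_reason(ev.get("argv", []))
        if reason:
            findings.append({"serial": serial, "ts": ev["ts"], "auid": ev.get("auid"),
                             "exe": ev.get("exe"), "argv": ev["argv"], "reason": reason})
    return findings


# Constructed sample (hypothetical host); the last EXECVE carries a hex-encoded
# argument exactly as auditd writes one that contains spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1717420000.101:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=2044 pid=2051 auid=1000 uid=0 gid=0 euid=0 comm="apt-get" exe="/usr/bin/apt-get" key="pkgmgr"
type=EXECVE msg=audit(1717420000.101:4711): argc=4 a0="apt-get" a1="remove" a2="-y" a3="clamav-daemon"
type=SYSCALL msg=audit(1717420010.202:4712): arch=c000003e syscall=59 success=yes exit=0 ppid=2044 pid=2060 auid=1000 uid=0 gid=0 euid=0 comm="apt-get" exe="/usr/bin/apt-get" key="pkgmgr"
type=EXECVE msg=audit(1717420010.202:4712): argc=4 a0="apt-get" a1="install" a2="-y" a3="htop"
type=SYSCALL msg=audit(1717420020.303:4713): arch=c000003e syscall=59 success=yes exit=0 ppid=2044 pid=2071 auid=1000 uid=0 gid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="svcctl"
type=EXECVE msg=audit(1717420020.303:4713): argc=3 a0="systemctl" a1="stop" a2="auditd"
type=SYSCALL msg=audit(1717420030.404:4714): arch=c000003e syscall=59 success=yes exit=0 ppid=2044 pid=2080 auid=1000 uid=0 gid=0 euid=0 comm="auditctl" exe="/usr/sbin/auditctl" key="audit-config"
type=EXECVE msg=audit(1717420030.404:4714): argc=3 a0="auditctl" a1="-e" a2="0"
type=SYSCALL msg=audit(1717420040.505:4715): arch=c000003e syscall=59 success=yes exit=0 ppid=2044 pid=2093 auid=1000 uid=0 gid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="svcctl"
type=EXECVE msg=audit(1717420040.505:4715): argc=3 a0="sh" a1="-c" a2=73797374656D63746C2064697361626C652066616C636F
"""
```

Against the sample it reports four of the five executions (the htop install is ignored), including the `systemctl disable falco` hidden in the hex-encoded `sh -c` argument. The rules that produce these records are the ones the previous step calls for: `-a always,exit -F arch=b64 -S execve -k exec` plus `-w` watches on the package managers. Note that auditd refuses its own removal only if something is watching; an attacker who runs `auditctl -e 0` first leaves exactly one record behind, which is why that record is flagged on its own.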
Remediation: Cloud
Amazon AWS
Check CloudTrail Logs:
CloudTrail records API calls, not what happens inside an instance, so an attacker removing an agent with apt or msiexec leaves no CloudTrail trace. Use CloudTrail for the control-plane side: ssm:SendCommand, ssm:StartSession and ec2-instance-connect:SendSSHPublicKey show who reached the host, and calls such as cloudtrail:StopLogging, guardduty:DeleteDetector and securityhub:DisableSecurityHub show AWS-native defenses being switched off. For the host side, ship the OS logs to CloudWatch Logs with the CloudWatch agent, or compare Systems Manager Inventory (type AWS:Application) against the list of agents you expect.
Reinforce Security Policies:
Use AWS Config rules for compliance checks and attach automatic remediation (a Systems Manager Automation document) that reinstalls a missing agent.
Use AWS Systems Manager:
Automate installation and configuration across EC2 instances.
Set up IAM Policies:
Uninstalling software on an instance is not an IAM action, so restrict the routes to the host instead: who can call ssm:SendCommand and ssm:StartSession, who can attach instance profiles or edit user data, and, through a Service Control Policy, who can disable CloudTrail, GuardDuty, Security Hub and AWS Config.
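The CloudTrail and IAM steps above share one list: the API calls that turn off AWS-native defenses. The following is an added example for this page (not code from the original article or from AWS): a Python module that keeps that list in one table, uses it to flag CloudTrail records (including denied attempts, which are a signal in their own right, and treating guardduty:UpdateDetector as tampering only when it carries enable=false), and derives from the same table the Service Control Policy deny statement that prevents the calls. The API and service names are real; the sample records, the account ID and the break-glass role ARN are constructed assumptions.

```python
"""Flag CloudTrail records for API calls that switch off AWS-native defenses and
derive a matching SCP deny statement from the same table, so detection and
prevention cannot drift apart.  Added example, not from the original page.
Sample records, account ID and break-glass role name are constructed."""

# eventSource -> {eventName: what it does to your defenses}.  Real API names.
DEFENSE_DISABLING_CALLS = {
    "cloudtrail.amazonaws.com": {
        "StopLogging": "CloudTrail logging stopped",
        "DeleteTrail": "CloudTrail trail deleted",
    },
    "guardduty.amazonaws.com": {
        "DeleteDetector": "GuardDuty detector deleted",
        "UpdateDetector": "GuardDuty detector disabled",   # only when enable=false, see below
    },
    "securityhub.amazonaws.com": {
        "DisableSecurityHub": "Security Hub disabled",
    },
    "config.amazonaws.com": {
        "StopConfigurationRecorder": "AWS Config recorder stopped",
        "DeleteConfigurationRecorder": "AWS Config recorder deleted",
    },
    "ec2.amazonaws.com": {"DeleteFlowLogs": "VPC flow logs deleted"},
    "logs.amazonaws.com": {"DeleteLogGroup": "CloudWatch log group deleted"},
}


def _iam_action(event_source, event_name):
    """'guardduty.amazonaws.com' + 'DeleteDetector' -> 'guardduty:DeleteDetector'."""
    return f"{event_source.split('.')[0]}:{event_name}"


def disabling_reason(record):
    """Why this record weakens defenses, or None if it is a routine call."""
    reason = DEFENSE_DISABLING_CALLS.get(record.get("eventSource"), {}).get(record.get("eventName"))
    if reason is None:
        return None
    if record["eventName"] == "UpdateDetector":
        # UpdateDetector also carries harmless changes (publishing frequency,
        # data sources); only enable=false actually turns the detector off.
        if (record.get("requestParameters") or {}).get("enable") is not False:
            return None
    return reason


def find_defense_tampering(records):
    """One finding per defense-disabling call.  Denied attempts (errorCode set)
    are kept: AccessDenied on securityhub:DisableSecurityHub is a signal, not noise."""
    findings = []
    for r in records:
        reason = disabling_reason(r)
        if reason is None:
            continue
        findings.append({
            "time": r.get("eventTime"),
            "actor": (r.get("userIdentity") or {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "call": _iam_action(r["eventSource"], r["eventName"]),
            "succeeded": "errorCode" not in r,
            "reason": reason,
        })
    return findings


def build_deny_scp(break_glass_role_arn="arn:aws:iam::*:role/SecurityBreakGlass"):
    """SCP denying every action in the table to all principals except a break-glass
    role (hypothetical name); attach it to the OU that holds workload accounts."""
    actions = sorted(_iam_action(src, name)
                     for src, names in DEFENSE_DISABLING_CALLS.items() for name in names)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDisablingDefenses",
            "Effect": "Deny",
            "Action": actions,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": break_glass_role_arn}},
        }],
    }


# Constructed CloudTrail records (hypothetical account 123456789012).
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2024-06-03T09:20:11Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-06-03T09:21:02Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": False}},
    {"eventTime": "2024-06-03T09:25:45Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "sourceIPAddress": "203.0.113.8", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOps"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "findingPublishingFrequency": "FIFTEEN_MINUTES"}},
    {"eventTime": "2024-06-03T09:26:30Z", "eventSource": "securityhub.amazonaws.com", "eventName": "DisableSecurityHub",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: securityhub:DisableSecurityHub with an explicit deny in a service control policy"},
    {"eventTime": "2024-06-03T09:27:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.8", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecOps"}},
]
```

On the sample it returns three findings: the StopLogging, the UpdateDetector that sets enable=false, and the denied DisableSecurityHub, while the SecOps role's frequency change and the DescribeInstances are ignored. The SCP is deliberately coarser than the detector: SCPs cannot inspect the request body, so it denies every guardduty:UpdateDetector call rather than only the disabling ones, which is why the break-glass exception exists.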
Google GCP
Investigate Cloud Logging:
Review Cloud Audit Logs in Cloud Logging (formerly Stackdriver) for who reached the instance (OS Login, SSH key and metadata changes) and for calls that disable Security Command Center or logging sinks. Guest-level package removals only appear in Cloud Logging if the Ops Agent ships /var/log or the Windows event logs there.
Audit and Remediate:
Use Cloud Asset Inventory for compliance checks.
Implement Org Policies:
Organization Policy constraints govern resource configuration, not the software inside a VM; use them together with IAM to restrict who can administer instances, and use VM Manager OS policies to declare the security agent as required so it is reinstalled when missing.
Automate Remediation:
Use VM Manager OS policies, or Cloud Functions triggered from log-based alerts, for auto-reinstallation.
Azure
Review Activity Logs:
The Azure Activity Log covers control-plane operations (VM extension removals, Defender for Cloud or Azure Policy changes, RBAC changes). Events from inside a VM reach a Log Analytics workspace only through the Azure Monitor Agent, so collect the Windows Application and System logs (MsiInstaller 11724, Service Control Manager 7036 and 7040) and Linux syslog/auditd there and query them with KQL.
Reapply Security Baselines:
Use Microsoft Defender for Cloud (formerly Azure Security Center) recommendations to address missing defense software.
Azure Automation:
Create runbooks, or Azure Policy guest configuration assignments, for automatic reinstallation of necessary software.
Control Access with RBAC:
Implement RBAC to limit who can run commands on VMs (the Virtual Machine Contributor role and the runCommand action), remove extensions, or modify Defender for Cloud and Azure Policy settings.