Hello and welcome to another application of the MITRE ATT&CK framework discussion. Today we're going to be looking at disabling security tools,
so the objectives of today's discussion are pretty straightforward.
Again, we're going to describe what this disabling security tools is. We're gonna look at some mitigation techniques and, of course, going to talk detection techniques.
So disabling security tools: in short, threat actors disable security tools to avoid detection. So this could be things like killing software services, disabling logging processes and removing registry keys. So to talk about a particular victory quick, there's a tool by the name of BACKSPACE,
and it's a backdoor that targets Windows operating systems primarily
associated with APT30, which is a persistent threat group.
It can download and execute various binaries on the impacted system.
It is known to check for host-based firewalls, and will make them accept and allow connections out. So that's very tricky. So if you get this particular variant of malware or this particular backdoor on your system
and you're looking for things like disabled firewalls or manipulation, then you may not find it outright. You may have to do some additional digging into the system.
So some mitigation techniques here: ensure that file, process and registry permissions are in place to prevent threat actors from disabling services, and so ensure that end users are set up to use least privilege in the environment. So both of these things go hand in hand,
making sure that end users have limited permission sets
to accomplish their tasks in their jobs is one thing. But also ensuring that systems have limited permission and permission that is only required for them to do their tasks and jobs
is something that we should be looking at and doing as well. If a system has privilege that is in excess of what it needs to accomplish its goals and a threat actor finds that, they could potentially use that to their advantage.
So some detection techniques here: process and command-line arguments should be monitored for suspicious activity, like services that were killed, registry edits, things of that nature that aren't in the standard day to day for the system, removal of or gaps in log
or event files. And so that's always a suspicious thing, especially if you're collecting system logs all the time.
Ah, and you get a huge gap, or even a smaller gap, a few hours of a gap in the system's collection process, that could be worth noting and scratching your head and maybe investigating that to see if something was manipulated or done to that system.
So let's do a quick check on learning. True or false: disabling tools is a way to troubleshoot system issues in the MITRE ATT&CK framework.
All right, well, if you need additional time, please pause the video and take it now. Disabling tools is definitely a way to troubleshoot
system issues, but in the MITRE ATT&CK framework, that is not the case. This is a false statement based on the information that we're providing in this particular statement.
We looked at what disabling security tools means: killing services, again registry edits, doing things to make sure that tools are not functioning as they should. We described some mitigation techniques,
and we looked at some detection techniques again. One of the big themes here being limiting system permissions and user permissions can help us to
mitigate risk and reduce the impact that a threat actor may have on our systems or their ability to impact our systems. So with that in mind, I want to thank you for your time today. And I look forward to seeing you again soon.
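Added example, not part of the original video: a sketch of the log-gap detection discussed above, flagging any host whose collected events go silent for longer than a threshold, including a host that stops logging and never resumes before the collection window ends. The host names, timestamps, one-hour threshold and the function name `find_log_gaps` are assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (host, ISO-8601 event time); not from a real system.
SAMPLE_EVENTS = [
    ("ws-01", "2024-03-05T08:00:00"), ("ws-01", "2024-03-05T08:30:00"),
    ("ws-01", "2024-03-05T09:00:00"), ("ws-01", "2024-03-05T09:30:00"),
    ("ws-01", "2024-03-05T10:00:00"),
    # ws-01 is silent for 3.5 hours here, then resumes
    ("ws-01", "2024-03-05T13:30:00"), ("ws-01", "2024-03-05T14:00:00"),
    ("ws-02", "2024-03-05T08:00:00"), ("ws-02", "2024-03-05T08:45:00"),
    ("ws-02", "2024-03-05T09:30:00"),
    # ws-02 never logs again before the collection window closes
]
WINDOW_END = datetime(2024, 3, 5, 14, 0, 0)   # assumed end of collection
MAX_SILENCE = timedelta(hours=1)              # assumed per-host baseline


def find_log_gaps(events, max_silence, window_end=None):
    """Return (host, gap_start, gap_end, duration) for each silence > max_silence.

    events may arrive in any order. When window_end is given, the time between
    a host's last event and window_end is also checked, so a logging process
    that was stopped and never restarted is still reported.
    """
    per_host = defaultdict(list)
    for host, stamp in events:
        per_host[host].append(datetime.fromisoformat(stamp))

    gaps = []
    for host, stamps in sorted(per_host.items()):
        stamps.sort()
        if window_end is not None:
            stamps.append(window_end)
        # Compare each event with the next one for the same host.
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_silence:
                gaps.append((host, earlier, later, later - earlier))
    return gaps


if __name__ == "__main__":
    for host, start, end, length in find_log_gaps(SAMPLE_EVENTS, MAX_SILENCE, WINDOW_END):
        print(f"{host}: no events from {start} to {end} ({length})")
```

The threshold has to come from each host's normal logging rate; a gap is a lead to investigate, since reboots and collector outages produce the same silence.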