Time: 8 hours 28 minutes | Difficulty: Beginner | CEU/CPE: 10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at disabling security tools,
00:10
so the objectives of today's discussion are pretty straightforward.
00:14
Again, we're going to describe what disabling security tools is. We're going to look at some mitigation techniques and, of course, we're going to talk detection techniques.
00:24
So disabling security tools, in short: threat actors disable security tools to avoid detection. So this could be things like killing software services, disabling logging processes and removing registry keys. So to talk about a particular vector quickly, there's a tool by the name of BACKSPACE,
00:44
and it's a backdoor that targets Windows operating systems, primarily
00:48
associated with APT30, which is a persistent threat group.
00:54
It can download and execute various binaries on the impacted system,
00:59
and it's known to check for host-based firewalls, and will make them accept and allow connections out. So that's very tricky. So if you get this particular variant of malware, or this particular backdoor, on your system
01:11
and you're looking for things like disabled firewalls or manipulation, then you may not find it outright. You may have to do some additional digging into the system.
01:22
So some mitigation techniques here: ensure that file, process and registry permissions are in place to prevent threat actors from disabling services, and ensure that end users are set up to use least privilege in the environment. So both of these things go hand in hand:
01:38
making sure that end users have limited permission sets
01:42
to accomplish their tasks in their jobs is one thing, but also ensuring that systems have limited permissions, and only the permissions that are required for them to do their tasks and jobs,
01:55
is something that we should be looking at and doing as well. If a system has privilege that is in excess of what it needs to accomplish its goals, and a threat actor finds that, they could potentially use that to their advantage.
02:08
So some detection techniques here: process and command-line arguments should be monitored for suspicious activity, like services that were killed, registry edits, things of that nature that aren't in the standard day-to-day for the system, and removal of or gaps in log
02:24
or event files. And so that's always a suspicious thing, especially if you're collecting system logs all the time.
02:31
And if you get a huge gap, or even a smaller gap, a few hours of a gap in the system's collection process, that could be worth noting, scratching your head, and maybe investigating to see if something was manipulated or done to that system.
02:47
So let's do a quick check on learning: true or false, disabling tools is a way to troubleshoot system issues in the MITRE ATT&CK framework.
02:59
All right, well, if you need additional time, please pause the video and take it now. Disabling tools is definitely a way to troubleshoot
03:08
system issues, but in the MITRE ATT&CK framework, that is not the case. This is a false statement based on the information that we're providing in this particular statement.
03:21
So in summary,
03:22
we looked at what disabling security tools means: killing services, again, registry edits, and doing things to make sure that tools are not functioning as they should. We described some mitigation techniques,
03:36
and we looked at some detection techniques. Again, one of the big themes here being that limiting system permissions and user permissions can help us to
03:45
mitigate risk and reduce the impact that a threat actor may have on our systems, or their ability to impact our systems. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor