Disable Av

Date: 2021-10-18 ID: bedd30e3-3a7a-4ba3-8138-4f1d9c9dfadb Author: Teoderick Contreras Environment: attack_range Directory: disable_av

Description

icedid disable windows defender malware in attack range name.

No MITRE techniques specified for this dataset.

The following datasets were collected during this attack simulation:

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Disable Defender BlockAtFirstSeen Feature	`TTP`	Endpoint	T1562.001	Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
Disable Defender Enhanced Notification	`TTP`	Endpoint	T1562.001	Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
Disable Defender Submit Samples Consent Feature	`TTP`	Endpoint	T1562.001	Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
Disable Defender Spynet Reporting	`TTP`	Endpoint	T1562.001	Azorult, Windows Registry Abuse, Qakbot, IcedID, CISA AA23-347A
Disable Defender AntiVirus Registry	`TTP`	Endpoint	T1562.001	Windows Registry Abuse, CISA AA24-241A, IcedID, Black Basta Ransomware, Cactus Ransomware
Disable Defender MpEngine Registry	`TTP`	Endpoint	T1562.001	IcedID, Windows Registry Abuse
Disabling Defender Services	`TTP`	Endpoint	T1562.001	IcedID, Windows Registry Abuse, RedLine Stealer
Wmic NonInteractive App Uninstallation	`Hunting`	Endpoint	T1562.001	IcedID, Azorult

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/malware/icedid/disable_av/sysmon2.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0