Disable Security Tools

calendar Oct 25, 2022 · attack.defense_evasion attack.t1562.001  ·
Share on: linkedin copy

Detects disabling security tools

Sigma rule (View on GitHub)

 1title: Disable Security Tools
 2id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
 3status: test
 4description: Detects disabling security tools
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 7author: Daniil Yugoslavskiy, oscd.community
 8date: 2020/10/19
 9modified: 2021/11/27
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    category: process_creation
15    product: macos
16detection:
17    launchctl_unload:
18        Image: '/bin/launchctl'
19        CommandLine|contains: 'unload'
20    security_plists:
21        CommandLine|contains:
22            - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility
23            - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker
24            - 'com.google.santad.plist'                          # google santa
25            - 'com.carbonblack.defense.daemon.plist'             # carbon black
26            - 'com.carbonblack.daemon.plist'                     # carbon black
27            - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility
28            - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus
29            - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
30            - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon
31            - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon
32            - 'osquery'                                          # facebook osquery
33            - 'filebeat'                                         # elastic log file shipper
34            - 'auditbeat'                                        # elastic auditing agent/log shipper
35            - 'packetbeat'                                       # elastic network logger/shipper
36            - 'td-agent'                                         # fluentd log shipper
37    disable_gatekeeper:
38        Image: '/usr/sbin/spctl'
39        CommandLine|contains: 'disable'
40    condition: (launchctl_unload and security_plists) or disable_gatekeeper
41falsepositives:
42    - Legitimate activities
43level: medium

References

Related rules

to-top