“How RansomHub Ransomware Disables EDR and Antivirus Protections with EDRKillShifter”

Trend Micro details Water Bakunawa’s RansomHub ransomware, which uses anti-EDR techniques, notably the EDRKillShifter loader, to evade detection and disable security tooling. The report maps RansomHub’s infection chain and MITRE ATT&CK techniques across multi-sector targets and closes with defensive recommendations. #WaterBakunawa #RansomHub

Key Points

  • Water Bakunawa is the threat group behind the RansomHub ransomware.
  • RansomHub employs anti-EDR techniques, notably the EDRKillShifter tool, to disrupt defenses.
  • Exploits Zerologon (CVE-2020-1472), a Netlogon privilege-escalation flaw, against domain controllers to take over the domain.
  • Targets multiple sectors, including healthcare, IT, government services, and more.
  • Spear-phishing is used for targeted initial access.
  • EDRKillShifter: a BYOVD-style loader that drops a vulnerable signed driver and abuses it to terminate EDR and antivirus processes from kernel mode, and that is also used to elevate privileges.
  • RansomHub exfiltrates data via rclone and threatens public release if unpaid; AnyDesk is used for C2.
  • Vision One telemetry helps map TTPs and inform security recommendations.

MITRE Techniques

  • [T1078.002] Valid Accounts: Domain Accounts – Initial access through legitimate credentials. “a single compromised user account was primarily responsible for most malicious activities, indicating that it was the principal entry point”.
  • [T1210] Exploitation of Remote Services – Exploits a vulnerable remote service, here the “Zerologon vulnerability (CVE-2020-1472)” in Netlogon on domain controllers.
  • [T1569.002] System Services: Service Execution – Creates and starts services to run malicious payloads (see the KB20240815 service below).
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Bypasses UAC to obtain elevated privileges.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Disables security tools, via EDRKillShifter and the batch scripts listed below.
  • [T1222.001] File and Directory Permissions Modification: Windows File and Directory Permissions Modification – Changes permissions to reach sensitive files.
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Erases event logs to cover tracks.
  • [T1562.009] Impair Defenses: Safe Mode Boot – Reboots into safe mode, where most security tools do not load.
  • [T1110] Brute Force – Guesses credentials to gain access.
  • [T1003.001] OS Credential Dumping: LSASS Memory – Dumps LSASS process memory to extract credentials.
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Pushes stolen data to cloud storage (rclone).
  • [T1046] Network Service Discovery – Maps network services ahead of lateral movement.
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Moves laterally over SMB admin shares.
  • [T1486] Data Encrypted for Impact – Encrypts files to extort victims.
  • [T1490] Inhibit System Recovery – Deletes backups and shadow copies to prevent recovery.
  • [T1041] Exfiltration Over C2 Channel – Moves stolen data over the existing C2 channel.

Indicators of Compromise

  • [File Name] – Evading and disabling defenses via batch scripts: 232.bat, tdsskiller.bat, killdeff.bat, LogDel.bat
  • [Registry] – Registry modifications to enable remote access: HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • [File Name] – Loader and ransom artifacts: data.bin, README_1d7fdb.txt
  • [File Name] – RDP attribute tampering: Default.rdp
  • [Process/Executable] – Credential dumping artifacts: Taskmgr.exe, lsass.DMP
  • [Service] – New service created: KB20240815 (EDRKillShifter driver interaction)
  • [Executable] – C2 and tooling: AnyDesk.exe used for remote control
  • [Executable] – Shadow copy deletion utility: vssadmin.exe (deleting VSS snapshots)
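
The following is an added detection example, not code from the Trend Micro report or from Water Bakunawa's tooling. It matches the indicators in the list above and the vssadmin/LSASS/service-creation behaviours from the MITRE list against normalised endpoint events. The event schema (a dict with a `kind` field and a few kind-specific fields) and every sample event are constructed for this example; nothing here is captured telemetry.

```python
"""Added example: match the RansomHub indicators listed above against
normalised endpoint events. Event schema and sample events are constructed
assumptions of this example, not a real product's format."""
import re

# Indicators copied from the IoC list above, lower-cased for comparison.
BATCH_SCRIPTS = {"232.bat", "tdsskiller.bat", "killdeff.bat", "logdel.bat"}
EDRKILLSHIFTER_SERVICE = "kb20240815"
REMOTE_ACCESS_KEYS = (
    r"software\microsoft\terminal server client\servers",
    r"software\microsoft\windows nt\currentversion\winlogon",
)
FILE_INDICATORS = {
    "lsass.dmp": ("T1003.001", "LSASS memory dump written"),
    "default.rdp": ("IoC", "Default.rdp attribute tampering"),
    "data.bin": ("IoC", "loader artifact data.bin"),
    "readme_1d7fdb.txt": ("T1486", "RansomHub ransom note dropped"),
}
# vssadmin deleting shadow copies; 'vssadmin list shadows' must not match.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


def basename(path):
    """Last path component, lower-cased; accepts / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return [(technique_or_label, detail), ...] for one event dict.
    Assumed schema: ev['kind'] in {'process', 'file', 'service', 'registry'}."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        cmd = ev.get("command_line", "")
        image = basename(ev.get("image", ""))
        scripts = {basename(tok) for tok in cmd.split()} & BATCH_SCRIPTS
        if scripts:
            hits.append(("T1562.001", "defense-evasion batch script: " + ", ".join(sorted(scripts))))
        if VSS_DELETE.search(cmd):
            hits.append(("T1490", "vssadmin deleting shadow copies"))
        if image == "anydesk.exe":
            hits.append(("IoC", "AnyDesk.exe launched (remote control / C2 tooling)"))
    elif kind == "file":
        name = basename(ev.get("path", ""))
        if name in FILE_INDICATORS:
            hits.append(FILE_INDICATORS[name])
    elif kind == "service":
        if ev.get("service_name", "").lower() == EDRKILLSHIFTER_SERVICE:
            hits.append(("T1569.002", "service %s created (EDRKillShifter driver)" % ev["service_name"]))
    elif kind == "registry":
        target = ev.get("target_object", "").lower()
        if any(k in target for k in REMOTE_ACCESS_KEYS):
            hits.append(("IoC", "remote-access registry modification: " + ev["target_object"]))
    return hits


def scan(events):
    """Run every event through check_event; return (index, host, label, detail) rows."""
    findings = []
    for i, ev in enumerate(events):
        for label, detail in check_event(ev):
            findings.append((i, ev.get("host", "?"), label, detail))
    return findings


def hosts_to_escalate(findings, min_distinct=2):
    """Hosts where at least min_distinct different labels fired: one IoC is a
    lead, several on the same box is the chain described in the report."""
    per_host = {}
    for _, host, label, _ in findings:
        per_host.setdefault(host, set()).add(label)
    return {h for h, labels in per_host.items() if len(labels) >= min_distinct}


def sample_events():
    """Constructed sample telemetry for this example; not from a real incident."""
    return [
        {"kind": "process", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
         "command_line": r"cmd.exe /c C:\Users\Public\232.bat"},
        {"kind": "process", "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
         "command_line": "vssadmin.exe list shadows"},  # benign admin use: no alert
        {"kind": "process", "host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
         "command_line": "vssadmin.exe delete shadows /all /quiet"},
        {"kind": "service", "host": "fs01", "service_name": "KB20240815"},
        {"kind": "file", "host": "dc01", "path": r"C:\Windows\Temp\lsass.DMP"},
        {"kind": "registry", "host": "ws01",
         "target_object": r"HKCU\Software\Microsoft\Terminal Server Client\Servers\fs01"},
        {"kind": "process", "host": "ws01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
         "command_line": "AnyDesk.exe"},
        {"kind": "file", "host": "fs01", "path": r"D:\shares\finance\README_1d7fdb.txt"},
    ]


def run_demo():
    """Scan the constructed sample and return the findings."""
    return scan(sample_events())


if __name__ == "__main__":
    rows = run_demo()
    for row in rows:
        print("event %d host %s %s: %s" % row)
    print("escalate:", sorted(hosts_to_escalate(rows)))
```

The benign `vssadmin list shadows` event is included on purpose: a shadow-copy rule that keys on the binary name alone pages the on-call for every backup check, so the rule matches only the `delete shadows` form the IoC list describes. The per-host correlation in `hosts_to_escalate` reflects the report's chain, where the same host sees the EDR-killer service, shadow-copy deletion and the ransom note in sequence.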

Read more: https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html