Defense Evasion Techniques Detected by AhnLab EDR – ASEC BLOG

The article describes how threat actors use legitimate administration and diagnostic tools (Defender Control, HRSword, Process Hacker, GMER) to disable endpoint security products as part of defense evasion. AhnLab EDR detects these behaviors as suspicious or execution events and alerts administrators so they can investigate and respond.

Keypoints

  • Threat actors commonly use legitimate tools to disable or terminate security products rather than custom malware, complicating detection.
  • Tools observed in attacks include Defender Control (disables Microsoft Defender), HRSword (process/file/registry monitoring and forced termination), Process Hacker (process control), and GMER (anti-rootkit with high-privilege termination features).
  • These utilities have been used by known groups and incidents such as Lockis, Mimic, Lapsus$, LockBit, Phobos, CAMARO DRAGON, and others.
  • Because the tools serve legitimate purposes, traditional anti-malware solutions may not reliably block them, enabling defense-evasion.
  • AhnLab EDR detects the behaviors of executing or using these tools and classifies them with behavior-based detections (e.g., DefenseEvasion/EDR.dControl.M11216, Execution/EDR.HRSword.M11640, DETECT.ProcHacker.M11647, EDR.GMER.M11645).
  • EDR detections provide logs and contextual data that let administrators identify causes, respond, and collect evidentiary data for investigations.

MITRE Techniques

  • [T1562] Impair Defenses – Used to disable endpoint protection and related security products: ‘This report covers cases of threat actors’ security product incapacitation techniques in the defense evasion stage of attacks that can be detected with AhnLab EDR.’
  • [T1059] Command and Scripting Interpreter (Execution) – Execution of legitimate administrative/diagnostic tools to terminate security processes and modify system state: ‘AhnLab EDR detects the behavior of a threat actor executing Process Hacker as a key behavior…’

Indicators of Compromise

  • [Tool/utility names] used to disable defenses – Defender Control, Process Hacker, and other tools (GMER, HRSword)
  • [EDR detection labels] behavior detections observed – DefenseEvasion/EDR.dControl.M11216, Execution/EDR.HRSword.M11640, DETECT.ProcHacker.M11647, EDR.GMER.M11645
  • [URLs] reference/source – https://asec.ahnlab.com/en/63145/, https://www.ahnlab.com/en

Threat actors routinely leverage legitimate admin and diagnostic utilities to incapacitate endpoint defenses rather than relying solely on custom malware. Commonly observed tools—Defender Control (to disable Microsoft Defender), HRSword (monitoring and forced process termination), Process Hacker (process inspection and control), and GMER (anti-rootkit with force-delete/termination features)—are executed with elevated privileges to stop security services or kill protection processes. Because these utilities have valid administrative uses, signature-based anti-malware often cannot block them without causing false positives.

AhnLab EDR addresses this by monitoring behavioral indicators associated with these tools and flagging them as suspicious or malicious when used in the context of defense-evasion. Detections are mapped to behavior labels (examples: DefenseEvasion/EDR.dControl.M11216, Execution/EDR.HRSword.M11640, DETECT.ProcHacker.M11647, EDR.GMER.M11645), and the EDR logs provide contextual artifacts—process execution traces, command arguments, timestamps, and related registry/file activity—that administrators can use to identify the intrusion vector, respond (quarantine/terminate), and preserve forensic evidence for post-incident investigation.

Operationally, defenders should treat unexpected execution of these utilities, especially on servers or critical endpoints, as high-risk: block or restrict their use via application control, require administrative approval, and configure EDR policies to alert on tool behavior patterns (process termination of security services, driver manipulation, high-privilege file deletion). Combining application allowlists, privileged access controls, and behavior-based EDR detection reduces the risk that legitimate tools will be repurposed for defense-evasion.
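The behavior-based alerting described above, as an added example that is not code from the ASEC article or from AhnLab EDR: a small classifier run over constructed process-telemetry lines. It maps launches of the four dual-use tools to the detection labels quoted in the article, raises severity for elevated or server-side launches, and escalates when one of those tools terminates a security-product process. The executable names, the `edr_agent.exe` placeholder and the telemetry schema are assumptions for the example.

```python
import json
import ntpath
from typing import Optional

# Tool image names mapped to the behaviour labels quoted in the ASEC summary.
# The executable names are assumptions for this example; the labels are from the page.
TOOL_LABELS = {
    "dcontrol.exe": "DefenseEvasion/EDR.dControl.M11216",
    "hrsword.exe": "Execution/EDR.HRSword.M11640",
    "processhacker.exe": "DETECT.ProcHacker.M11647",
    "gmer.exe": "EDR.GMER.M11645",
}

# Security-product processes whose termination should be escalated.
# MsMpEng.exe is Microsoft Defender's engine; edr_agent.exe is a constructed placeholder.
PROTECTED = {"msmpeng.exe", "edr_agent.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[dict]:
    """Return a detection record for one telemetry event, or None if it is benign."""
    actor = _basename(event["image"])
    label = TOOL_LABELS.get(actor)
    if label is None:
        return None  # not one of the tracked dual-use tools
    if event["type"] == "process_create":
        # Elevated launches and launches on servers are the high-risk case the article describes.
        severity = "high" if event.get("elevated") or event.get("role") == "server" else "medium"
        return {"host": event["host"], "label": label, "severity": severity, "detail": f"{actor} executed"}
    if event["type"] == "process_terminate" and _basename(event["target"]) in PROTECTED:
        return {"host": event["host"], "label": label, "severity": "critical",
                "detail": f"{actor} terminated {_basename(event['target'])}"}
    return None


def scan(lines: list) -> list:
    """Run classify() over newline-delimited JSON telemetry and keep only detections."""
    return [d for d in (classify(json.loads(l)) for l in lines if l.strip()) if d]


# Constructed sample telemetry (not real EDR output).
SAMPLE = [
    '{"host":"srv-01","role":"server","type":"process_create","image":"C:\\\\Tools\\\\dControl.exe","elevated":true}',
    '{"host":"ws-07","role":"workstation","type":"process_create","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","elevated":false}',
    '{"host":"ws-07","role":"workstation","type":"process_terminate","image":"C:\\\\Users\\\\bob\\\\ProcessHacker.exe","target":"C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe"}',
    '{"host":"ws-07","role":"workstation","type":"process_create","image":"C:\\\\Users\\\\bob\\\\Downloads\\\\gmer.exe","elevated":false}',
]

if __name__ == "__main__":
    for detection in scan(SAMPLE):
        print(detection)
```

Running the block prints three detections: the elevated Defender Control launch on the server (high), Process Hacker terminating MsMpEng.exe (critical), and the non-elevated GMER launch (medium).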

Read more: https://asec.ahnlab.com/en/63145/