Abusing Legitimate Low-Level Tools to Help Ransomware Evade Antivirus Detection
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article explains how ransomware operators abuse legitimate low-level utilities such as Process Hacker, IOBit Unlocker, PowerRun, and similar tools to weaken antivirus and endpoint protection. By misusing these signed binaries, attackers can obtain SYSTEM or even kernel-level privileges, steal credentials, and ready the environment for ransomware deployment. The piece highlights how AV neutralization has evolved from basic scripts into bundled capability sets inside modern Ransomware-as-a-Service offerings. It also references real-world ransomware groups that have adopted these methods.
Investigation
The investigation describes a two-step intrusion pattern in which adversaries first use low-level tools for privilege escalation and antivirus evasion, then pivot to credential theft, kernel tampering, and execution of the ransomware payload. Tool activity is mapped to MITRE ATT&CK techniques including T1548.002, T1562.001, and T1003.001. Case examples connect these utilities to ransomware operations such as LockBit 3.0, Phobos, MedusaLocker, and others.
Mitigation
Recommended mitigations include enforcing application allowlisting, watching for large-scale process termination, auditing registry changes that affect antivirus settings, and limiting execution of administrative utilities to approved accounts only. Endpoint protection platforms should also strengthen self-protection controls to resist forced shutdown of security processes and services.
Response
When this behavior is detected, organizations should alert on suspicious AV or EDR process termination, isolate the impacted host, preserve forensic evidence of registry and file changes, and investigate for LSASS access tied to credential theft. Incident response should follow the observed kill chain quickly enough to contain the intrusion before ransomware encryption begins.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef operator fill:#ff9900

    %% Action nodes
    action_initial_access["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>Description</b>: Adversary sends a malicious email attachment that, when opened, drops a bootstrap loader.<br/><b>Technique ID</b>: T1566.001"]
    class action_initial_access action
    action_priv_esc["<b>Action</b> – <b>T1548.002 Bypass User Account Control</b><br/><b>Description</b>: Exploit legitimate utilities to bypass UAC and obtain SYSTEM or kernel privileges.<br/><b>Technique ID</b>: T1548.002"]
    class action_priv_esc action
    action_defense_evasion["<b>Action</b> – <b>T1562 Impair Defenses</b><br/><b>Description</b>: Terminate or unload antivirus and EDR components to evade detection.<br/><b>Technique ID</b>: T1562"]
    class action_defense_evasion action
    action_credential_access["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/><b>Description</b>: Dump cached credentials from memory using tools such as Mimikatz.<br/><b>Technique ID</b>: T1003"]
    class action_credential_access action
    action_persistence["<b>Action</b> – <b>T1112 Modify Registry</b><br/><b>Description</b>: Delete or modify registry keys that launch AV components for persistence removal.<br/><b>Technique ID</b>: T1112"]
    class action_persistence action
    action_indicator_removal["<b>Action</b> – <b>T1070.004 File Deletion</b><br/><b>Description</b>: Remove AV logs and other forensic artifacts from disk.<br/><b>Technique ID</b>: T1070.004"]
    class action_indicator_removal action
    action_impact["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/><b>Description</b>: Encrypt user files with ransomware payload after gaining SYSTEM rights.<br/><b>Technique ID</b>: T1486"]
    class action_impact action

    %% Tool nodes
    tool_powerrun["<b>Tool</b> – <b>Name</b>: PowerRun<br/><b>Purpose</b>: Execute binaries with elevated privileges"]
    class tool_powerrun tool
    tool_wke["<b>Tool</b> – <b>Name</b>: Windows Kernel Explorer (WKE)<br/><b>Purpose</b>: Obtain kernel-level execution"]
    class tool_wke tool
    tool_ydark["<b>Tool</b> – <b>Name</b>: YDArk<br/><b>Purpose</b>: Elevate to SYSTEM"]
    class tool_ydark tool
    tool_process_hacker["<b>Tool</b> – <b>Name</b>: Process Hacker<br/><b>Purpose</b>: Terminate security processes"]
    class tool_process_hacker tool
    tool_iobit["<b>Tool</b> – <b>Name</b>: IOBit Unlocker<br/><b>Purpose</b>: Stop AV services"]
    class tool_iobit tool
    tool_aukills["<b>Tool</b> – <b>Name</b>: AuKill / ProcessKO<br/><b>Purpose</b>: Kill specific AV processes"]
    class tool_aukills tool
    tool_mimikatz["<b>Tool</b> – <b>Name</b>: Mimikatz<br/><b>Purpose</b>: Dump Windows credentials"]
    class tool_mimikatz tool
    tool_unlock_it["<b>Tool</b> – <b>Name</b>: Unlock_IT<br/><b>Purpose</b>: Delete AV registry keys and logs"]
    class tool_unlock_it tool
    tool_atool["<b>Tool</b> – <b>Name</b>: Atool_ExperModel<br/><b>Purpose</b>: Remove AV startup keys"]
    class tool_atool tool

    %% Operator node (optional)
    op_and1(("AND"))
    class op_and1 operator

    %% Flow connections
    action_initial_access -->|leads_to| action_priv_esc
    action_priv_esc -->|leads_to| action_defense_evasion
    action_defense_evasion -->|leads_to| action_credential_access
    action_credential_access -->|leads_to| action_persistence
    action_persistence -->|leads_to| action_indicator_removal
    action_indicator_removal -->|leads_to| action_impact

    %% Tool usage connections
    action_priv_esc -->|uses| tool_powerrun
    action_priv_esc -->|uses| tool_wke
    action_priv_esc -->|uses| tool_ydark
    action_defense_evasion -->|uses| tool_process_hacker
    action_defense_evasion -->|uses| tool_iobit
    action_defense_evasion -->|uses| tool_aukills
    action_credential_access -->|uses| tool_mimikatz
    action_persistence -->|uses| tool_unlock_it
    action_persistence -->|uses| tool_atool
    action_indicator_removal -->|uses| tool_unlock_it
Detections
- Possible Abuse of IObitUnlocker Utility (via process_creation)
- Suspicious Taskkill Execution (via cmdline)
- Possible Mimikatz Arguments Detected (via cmdline)
- Possible TDSSKiller Utility Execution Attempt (via cmdline)
- HRSword Service Manipulation for Antivirus Neutralization [Windows System]
- Detection of Ransomware Evasion Tactics Using Low-Level Tools [Windows Process Creation]
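As an added example (not part of the original page or the vendor's rule content), the following Python detector runs over constructed Sysmon Event ID 1 records and implements three behaviours the rules above and the Mitigation section describe: an HRSword service stop, execution of the low-level tools named in the article, and a burst of forced taskkill terminations on one host. The tool file names and the HRSword `/service stop` syntax come from the page; the sample records, the 60-second window and the three-image burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the rules key on. These are not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "image": r"C:\Program Files\HRSword\HRSword.exe",
     "cmdline": r'"C:\Program Files\HRSword\HRSword.exe" /service stop avservice /disable'},
    {"ts": "2024-05-01T10:00:05", "host": "WS01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"ts": "2024-05-01T10:00:06", "host": "WS01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM SentinelAgent.exe"},
    {"ts": "2024-05-01T10:00:07", "host": "WS01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM ekrn.exe"},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "image": r"C:\Tools\IObitUnlocker.exe",
     "cmdline": r'IObitUnlocker.exe /Delete "C:\Program Files\AV\av.log"'},
    # Benign: a single forced kill of notepad on another host should not alert.
    {"ts": "2024-05-01T11:30:00", "host": "WS02", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe"},
]

HRSWORD_SERVICE = re.compile(r"hrsword\.exe.*\s/service\s+stop\b", re.I)
TASKKILL_IM = re.compile(r"taskkill(?:\.exe)?\s.*?/IM\s+(\S+)", re.I)
# Image names of the low-level utilities the article associates with AV neutralization.
LOWLEVEL_TOOLS = ("iobitunlocker.exe", "processhacker.exe", "powerrun.exe",
                  "ydark.exe", "aukill.exe", "processko.exe")

def detect(events, burst_window=timedelta(seconds=60), burst_min=3):
    """Return (host, rule_name, detail) tuples for each matched behaviour."""
    hits = []
    kills = defaultdict(list)  # host -> [(timestamp, image force-killed)]
    for e in events:
        cmd, image = e["cmdline"], e["image"].lower().rsplit("\\", 1)[-1]
        if HRSWORD_SERVICE.search(cmd):
            hits.append((e["host"], "hrsword_service_stop", cmd))
        if image in LOWLEVEL_TOOLS:
            hits.append((e["host"], "lowlevel_tool_execution", image))
        m = TASKKILL_IM.search(cmd)
        if m and "/f" in cmd.lower():
            kills[e["host"]].append((datetime.fromisoformat(e["ts"]), m.group(1).lower()))
    # Large-scale termination: burst_min distinct images force-killed on one host
    # within burst_window, the pattern the Mitigation section says to watch for.
    for host, items in kills.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            names = {img for t, img in items[i:] if t - t0 <= burst_window}
            if len(names) >= burst_min:
                hits.append((host, "mass_process_termination", sorted(names)))
                break
    return hits
```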
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Attack Narrative & Commands:
The adversary has obtained administrative rights on the victim host and wants to neutralize the endpoint protection before deploying ransomware payloads. Using the legitimate utility HRSword.exe, they issue a command that stops the antivirus service (avservice) and disables its automatic restart, ensuring the defender cannot recover the service during the attack window. The command is executed directly in a PowerShell console to generate a clear Sysmon process-creation event that matches the detection rule.
Regression Test Script:
<#
Simulation of HRSword.exe usage to stop an AV service and disable its restart.
This script must be run with elevated (Administrator) privileges.
#>

# Variables
$hrswordPath = "$env:ProgramFiles\HRSword\HRSword.exe"
$serviceName = "avservice"

# Ensure HRSword.exe exists (create a mock if not)
if (-Not (Test-Path $hrswordPath)) {
    Write-Host "Creating mock HRSword.exe for simulation..."
    # Create the target directory, then a dummy executable (a copy of cmd.exe) just for logging purposes
    New-Item -ItemType Directory -Path (Split-Path $hrswordPath) -Force | Out-Null
    Copy-Item "$env:windir\System32\cmd.exe" $hrswordPath -Force
}

# Execute the exact command line that the Sigma rule watches
$command = "& `"$hrswordPath`" /service stop $serviceName /disable"
Write-Host "Executing: $command"
Invoke-Expression $command

# Optional: Log a custom event to indicate completion (helps verify end-to-end).
# Write-EventLog fails unless the event source has been registered, so register it once.
if (-Not [System.Diagnostics.EventLog]::SourceExists("HRSwordSimulation")) {
    New-EventLog -LogName Application -Source "HRSwordSimulation"
}
Write-EventLog -LogName Application -Source "HRSwordSimulation" -EventId 3000 -EntryType Information -Message "HRSword service stop simulation completed."
Cleanup Commands:
<#
Restore the AV service to its original state and remove the mock executable.
#>

# Restart the AV service (if it exists) and re-enable its automatic start
$serviceName = "avservice"
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    Write-Host "Restarting service $serviceName ..."
    Set-Service -Name $serviceName -StartupType Automatic -ErrorAction SilentlyContinue
    Start-Service -Name $serviceName -ErrorAction SilentlyContinue
}

# Remove the mock HRSword.exe (if it was created)
$hrswordPath = "$env:ProgramFiles\HRSword\HRSword.exe"
if (Test-Path $hrswordPath) {
    Write-Host "Removing mock HRSword.exe ..."
    Remove-Item $hrswordPath -Force
}

# Unregister the custom event source. Individual Application log entries cannot be deleted;
# Remove-EventLog -Source removes the source registration, which is the only artifact the simulation created.
if ([System.Diagnostics.EventLog]::SourceExists("HRSwordSimulation")) {
    Remove-EventLog -Source "HRSwordSimulation"
}