팔로우 
요약
이 기사는 랜섬웨어 운영자들이 Process Hacker, IOBit Unlocker, PowerRun과 같은 합법적인 저수준 유틸리티를 악용하여 안티바이러스와 엔드포인트 보호 기능을 약화시키는 방법을 설명합니다. 이러한 서명된 이진 파일을 악용함으로써 공격자는 SYSTEM 또는 심지어 커널 수준의 권한을 얻고, 자격 증명을 탈취하며, 랜섬웨어 배포를 위한 환경을 준비할 수 있습니다. 이 글은 AV 무력화가 기본 스크립트에서 시작되어 현대 랜섬웨어-서비스-로서의 제공 번들 능력으로 발전한 방법을 강조합니다. 또한 이러한 방법을 채택한 실세계의 랜섬웨어 그룹을 언급합니다.
조사
조사는 적군이 우선 권한 상승과 안티바이러스 회피를 위해 저수준 도구를 사용한 후 자격 증명 절취, 커널 변조, 랜섬웨어 페이로드 실행으로 전환하는 두 단계 침입 패턴을 설명합니다. 도구 활동은 T1548.002, T1562.001, T1003.001과 같은 MITRE ATT&CK 기법에 매핑됩니다. 사례 예시는 이러한 유틸리티를 LockBit 3.0, Phobos, MedusaLocker 같은 랜섬웨어 운영과 연결합니다.
완화
추천되는 완화 조치에는 애플리케이션 허용목록 적용, 대규모 프로세스 종료 모니터링, 안티바이러스 설정에 영향을 미치는 레지스트리 변경 감사, 승인된 계정만 관리 유틸리티를 실행하도록 제한하는 것이 포함됩니다. 엔드포인트 보호 플랫폼은 보안 프로세스와 서비스를 강제 종료로부터 저항할 수 있도록 자체 보호 제어를 강화해야 합니다.
대응
이러한 행동이 감지되면 조직은 의심스러운 AV 또는 EDR 프로세스 종료를 경고하고, 영향을 받은 호스트를 고립시키며, 레지스트리 및 파일 변경의 포렌식 증거를 보존하고, 자격 증명 절취와 관련된 LSASS 접근에 대한 조사를 해야 합니다. 사건 대응은 랜섬웨어 암호화가 시작되기 전에 침입을 억제하기 위해 관찰된 킬체인을 빠르게 따라야 합니다.
"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#cccccc classDef operator fill:#ff9900 %% Action nodes action_initial_access["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>Description</b>: Adversary sends a malicious email attachment that, when opened, drops a bootstrap loader.<br/><b>Technique ID</b>: T1566.001"] class action_initial_access action action_priv_esc["<b>Action</b> – <b>T1548.002 Bypass User Account Control</b><br/><b>Description</b>: Exploit legitimate utilities to bypass UAC and obtain SYSTEM or kernel privileges.<br/><b>Technique ID</b>: T1548.002"] class action_priv_esc action action_defense_evasion["<b>Action</b> – <b>T1562 Impair Defenses</b><br/><b>Description</b>: Terminate or unload antivirus and EDR components to evade detection.<br/><b>Technique ID</b>: T1562"] class action_defense_evasion action action_credential_access["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/><b>Description</b>: Dump cached credentials from memory using tools such as Mimikatz.<br/><b>Technique ID</b>: T1003"] class action_credential_access action action_persistence["<b>Action</b> – <b>T1112 Modify Registry</b><br/><b>Description</b>: Delete or modify registry keys that launch AV components for persistence removal.<br/><b>Technique ID</b>: T1112"] class action_persistence action action_indicator_removal["<b>Action</b> – <b>T1070.004 File Deletion</b><br/><b>Description</b>: Remove AV logs and other forensic artifacts from disk.<br/><b>Technique ID</b>: T1070.004"] class action_indicator_removal action action_impact["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/><b>Description</b>: Encrypt user files with ransomware payload after gaining SYSTEM rights.<br/><b>Technique ID</b>: T1486"] class action_impact action %% Tool nodes tool_powerrun["<b>Tool</b> – <b>Name</b>: PowerRun<br/><b>Purpose</b>: Execute binaries with elevated privileges"] class tool_powerrun tool tool_wke["<b>Tool</b> – <b>Name</b>: Windows Kernel Explorer (WKE)<br/><b>Purpose</b>: Obtain kernelu2011level execution"] class tool_wke tool tool_ydark["<b>Tool</b> – <b>Name</b>: YDArk<br/><b>Purpose</b>: Elevate to SYSTEM"] class tool_ydark tool tool_process_hacker["<b>Tool</b> – <b>Name</b>: Process Hacker<br/><b>Purpose</b>: Terminate security processes"] class tool_process_hacker tool tool_iobit["<b>Tool</b> – <b>Name</b>: IOBit Unlocker<br/><b>Purpose</b>: Stop AV services"] class tool_iobit tool tool_aukills["<b>Tool</b> – <b>Name</b>: AuKill / ProcessKO<br/><b>Purpose</b>: Kill specific AV processes"] class tool_aukills tool tool_mimikatz["<b>Tool</b> – <b>Name</b>: Mimikatz<br/><b>Purpose</b>: Dump Windows credentials"] class tool_mimikatz tool tool_unlock_it["<b>Tool</b> – <b>Name</b>: Unlock_IT<br/><b>Purpose</b>: Delete AV registry keys and logs"] class tool_unlock_it tool tool_atool["<b>Tool</b> – <b>Name</b>: Atool_ExperModel<br/><b>Purpose</b>: Remove AV startup keys"] class tool_atool tool %% Operator node (optional) op_and1(("AND")) class op_and1 operator %% Flow connections action_initial_access –>|leads_to| action_priv_esc action_priv_esc –>|leads_to| action_defense_evasion action_defense_evasion –>|leads_to| action_credential_access action_credential_access –>|leads_to| action_persistence action_persistence –>|leads_to| action_indicator_removal action_indicator_removal –>|leads_to| action_impact %% Tool usage connections action_priv_esc –>|uses| tool_powerrun action_priv_esc –>|uses| tool_wke action_priv_esc –>|uses| tool_ydark action_defense_evasion –>|uses| tool_process_hacker action_defense_evasion –>|uses| tool_iobit action_defense_evasion –>|uses| tool_aukills action_credential_access –>|uses| tool_mimikatz action_persistence –>|uses| tool_unlock_it action_persistence –>|uses| tool_atool action_indicator_removal –>|uses| tool_unlock_it "
Attack Flow
Detections
Possible Abuse of IObitUnlocker Utility (via process_creation)
View
Suspicious Taskkill Execution (via cmdline)
View
Possible Mimikatz Arguments Detected (via cmdline)
View
Possible TDSSKiller Utility Execution Attempt (via cmdline)
View
HRSword Service Manipulation for Antivirus Neutralization [Windows System]
View
Detection of Ransomware Evasion Tactics Using Low-Level Tools [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
-
Attack Narrative & Commands:
The adversary has obtained administrative rights on the victim host and wants to neutralize the endpoint protection before deploying ransomware payloads. Using the legitimate utility HRSword.exe, they issue a command that stops the antivirus service (
avservice) and disables its automatic restart, ensuring the defender cannot recover the service during the attack window. The command is executed directly in a PowerShell console to generate a clear Sysmon process‑creation event that matches the detection rule. -
Regression Test Script:
<# Simulation of HRSword.exe usage to stop an AV service and disable its restart. This script must be run with elevated (Administrator) privileges. #> # Variables $hrswordPath = "$env:ProgramFilesHRSwordHRSword.exe" $serviceName = "avservice" # Ensure HRSword.exe exists (create a mock if not) if (-Not (Test-Path $hrswordPath)) { Write-Host "Creating mock HRSword.exe for simulation..." # Create a dummy executable (a copy of cmd.exe) just for logging purposes Copy-Item "$env:windirSystem32cmd.exe" $hrswordPath -Force } # Execute the exact command line that the Sigma rule watches $command = "& `"$hrswordPath`" /service stop $serviceName /disable" Write-Host "Executing: $command" Invoke-Expression $command # Optional: Log a custom event to indicate completion (helps verify end‑to‑end) Write-EventLog -LogName Application -Source "HRSwordSimulation" -EventId 3000 -EntryType Information -Message "HRSword service stop simulation completed." -
Cleanup Commands:
<# Restore the AV service to its original state and remove the mock executable. #> # Restart the AV service (if it exists) $serviceName = "avservice" if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) { Write-Host "Restarting service $serviceName ..." Start-Service -Name $serviceName -ErrorAction SilentlyContinue } # Remove the mock HRSword.exe (if it was created) $hrswordPath = "$env:ProgramFilesHRSwordHRSword.exe" if (Test-Path $hrswordPath) { Write-Host "Removing mock HRSword.exe ..." Remove-Item $hrswordPath -Force } # Clear the custom event log entry Get-EventLog -LogName Application -Source "HRSwordSimulation" -After (Get-Date).AddMinutes(-10) | Remove-EventLog