Critical Microsoft Defender, Sysmon Flaw Lets Attackers Disable Security
Key Takeaways
- Attackers are employing sophisticated defense evasion tactics, including disabling security software like Microsoft Defender and Sysmon, before stealing credentials.
- The attack chain began with a compromised web server and a steganographic webshell hidden in an image file.
- The threat actor systematically dismantled logging, security tooling, and monitoring systems to operate undetected.
- The incident highlights the critical need for continuous monitoring and comprehensive incident response, as attackers may persist even after initial remediation attempts.
Cybersecurity analysts have uncovered a concerning new methodology employed by threat actors to neutralize security measures before exfiltrating sensitive data. This advanced technique involves systematically disabling critical security tools such as Microsoft Defender and Sysmon, as well as web application firewalls (WAFs), prior to deploying credential-harvesting malware like Mimikatz.
The campaign underscores a growing trend where attackers prioritize stealth and evasion, meticulously eliminating forensic evidence and detection capabilities to maximize their operational window. The observed intrusion, which commenced on June 7, started with a compromised web server and routine reconnaissance commands. However, it quickly escalated into a multi-layered defense evasion operation, utilizing nearly a dozen distinct techniques.
According to a Huntress report, the incident came to light after their Security Operations Center (SOC) detected unusual enumeration activity originating from a legitimate IIS worker process. This anomaly led researchers to discover a webshell, named UA4fp7R.aspx, embedded using steganography within an image file and located in a directory typically reserved for images. The attacker repeatedly re-established their presence even after the security team initiated remediation efforts, eventually achieving full credential theft.
The distinguishing characteristic of this attack was not merely the credential dumping, but the methodical and deliberate sequence of defensive sabotage that preceded it. The threat actor systematically dismantled various logging, security, and monitoring systems before initiating the Mimikatz payload.
Hackers Disable Defender, Sysmon, and WAF
The core of the attacker’s defensive impairment strategy revolved around a batch script identified as i.bat, which Huntress successfully retrieved before its deletion. This script’s initial action was to disable IIS HTTP logging, effectively severing visibility into any subsequent webshell activities on the compromised server.
Following this, the script executed PowerShell commands designed to weaken Microsoft Defender’s protective capabilities. These commands systematically turned off real-time monitoring, behavior monitoring, script scanning, and automatic sample submission. A supplementary script, DisableDefender.ps1, further solidified these changes before being removed to obscure the attacker’s footprint.
The attack continued with the use of the taskkill utility and the Windows service controller to terminate and remove essential security tools, including Sysmon, Filebeat, and other endpoint security solutions from vendors such as Cortex, SentinelOne, and Dr.Web. This extensive disabling of security infrastructure effectively rendered the environment blind to ongoing malicious activities. The attacker also leveraged Image File Execution Options to force Sysmon, Filebeat, and SetACL into a debugger state, causing them to freeze. Finally, the attacker employed appcmd to enumerate IIS sites and then uninstalled the ModSecurity web application firewall, thereby removing protections against common web vulnerabilities like SQL injection and cross-site scripting attacks.
Credential Theft and Persistence Tactics
With the security defenses compromised, the attackers proceeded to steal credentials. They imported a registry file to alter the WDigest setting, compelling Windows to store passwords in plaintext within memory, rather than in a more secure, protected format.
Subsequently, the attackers extracted ODBC credentials from the registry and executed tools, identified as g.com and hs.com, which wrote the stolen data to text files named pass.txt and hash.txt. The Mimikatz kernel driver, mimidrv.sys, was then deployed to directly dump credentials from memory before being promptly deleted to erase traces of its use.
Beyond the immediate credential theft, the script contained commented-out code indicating preparations for further escalation. This included a WMI event consumer designed for automatic clearing of Windows event logs and commands aimed at stripping file permissions on critical Windows components. Before exiting the system, the attacker deleted all generated files, wiped registry keys associated with WScript and Shell.Application, and cleared the security, system, and application event logs. Huntress confirmed that the intrusion was contained before any data exfiltration occurred, primarily due to the SOC’s timely detection of the suspicious activity.
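The settings the article describes being tampered with (Defender preferences, the WDigest registry value, IFEO debugger keys for Sysmon/Filebeat/SetACL, the agent services, and IIS site logging) can all be audited read-only from an administrative PowerShell session. The script below is an added example, not code from Huntress or the article; the service names (Sysmon, Sysmon64, filebeat) and executable names checked under IFEO are assumptions based on the tools' defaults.

```powershell
# Added example: read-only audit for the tampering described in the Huntress incident.
# Assumes a Windows host with Defender cmdlets; service/binary names below are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender protections the i.bat / DisableDefender.ps1 scripts switched off
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($null -eq $mp) { $findings.Add('Defender: Get-MpPreference failed (module missing or Defender removed?)') }
else {
    if ($mp.DisableRealtimeMonitoring)  { $findings.Add('Defender: real-time monitoring disabled') }
    if ($mp.DisableBehaviorMonitoring)  { $findings.Add('Defender: behavior monitoring disabled') }
    if ($mp.DisableScriptScanning)      { $findings.Add('Defender: script scanning disabled') }
    # SubmitSamplesConsent: 0 = always prompt, 1 = safe samples, 2 = never send, 3 = all samples
    if ($mp.SubmitSamplesConsent -eq 2) { $findings.Add('Defender: automatic sample submission disabled') }
}

# 2. WDigest: UseLogonCredential = 1 makes LSASS keep plaintext credentials in memory
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ulc = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
if ($ulc -eq 1) { $findings.Add('WDigest: UseLogonCredential=1 (plaintext credential caching enabled)') }

# 3. IFEO Debugger values that hang a security agent under a bogus debugger at launch
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'Sysmon.exe', 'Sysmon64.exe', 'filebeat.exe', 'SetACL.exe') {   # assumed names
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $exe) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO: $exe has Debugger='$dbg'") }
}

# 4. Agent services the attacker stopped or deleted via taskkill / sc
foreach ($svc in 'Sysmon', 'Sysmon64', 'filebeat') {                               # assumed names
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { $findings.Add("Service: $svc not present") }
    elseif ($s.Status -ne 'Running') { $findings.Add("Service: $svc is $($s.Status)") }
}

# 5. IIS per-site HTTP logging (only where the WebAdministration module is installed)
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        if (-not $site.logFile.enabled) { $findings.Add("IIS: HTTP logging disabled for site '$($site.Name)'") }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No tampering indicators found in the audited settings' }
```

Run it from an elevated prompt on a schedule or from your EDR's script-execution feature; any finding should be correlated with the process-creation telemetry around that time, since a missing Sysmon service or an IFEO entry is itself evidence the host's own logs may already be incomplete.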