Critical Microsoft Defender, Sysmon Flaw Lets Attackers Disable Security

Emy Elsamnoudy
July 2, 2026

Key Takeaways

  • Attackers are employing sophisticated defense evasion tactics, including disabling security software like Microsoft Defender and Sysmon, before stealing credentials.
  • The attack chain began with a compromised web server and a steganographic webshell hidden in an image file.
  • The threat actor systematically dismantled logging, security tooling, and monitoring systems to operate undetected.
  • The incident highlights the critical need for continuous monitoring and comprehensive incident response, as attackers may persist even after initial remediation attempts.

Cybersecurity analysts have uncovered a concerning new methodology employed by threat actors to neutralize security measures before exfiltrating sensitive data. This advanced technique involves systematically disabling critical security tools such as Microsoft Defender and Sysmon, as well as web application firewalls (WAFs), prior to deploying credential-harvesting malware like Mimikatz.

The campaign underscores a growing trend in which attackers prioritize stealth and evasion, methodically eliminating forensic evidence and detection capabilities to maximize their operational window. The observed intrusion began on June 7 with a compromised web server and routine reconnaissance commands, but it quickly escalated into a multi-layered defense evasion operation using nearly a dozen distinct techniques.

According to a Huntress report, the incident came to light after its Security Operations Center (SOC) detected unusual enumeration activity originating from a legitimate IIS worker process. This anomaly led researchers to a webshell, named UA4fp7R.aspx, embedded using steganography within an image file and placed in a directory typically reserved for images. The attacker repeatedly re-established their presence even after the security team initiated remediation efforts, eventually achieving full credential theft.

The distinguishing characteristic of this attack was not merely the credential dumping, but the methodical and deliberate sequence of defensive sabotage that preceded it. The threat actor systematically dismantled various logging, security, and monitoring systems before initiating the Mimikatz payload.

Hackers Disable Defender, Sysmon, and WAF

The core of the attacker’s defensive impairment strategy revolved around a batch script identified as i.bat, which Huntress successfully retrieved before its deletion. This script’s initial action was to disable IIS HTTP logging, effectively severing visibility into any subsequent webshell activities on the compromised server.

Following this, the script executed PowerShell commands designed to weaken Microsoft Defender’s protective capabilities. These commands systematically turned off real-time monitoring, behavior monitoring, script scanning, and automatic sample submission. A supplementary script, DisableDefender.ps1, further solidified these changes before being removed to obscure the attacker’s footprint.

The attack continued with the use of the taskkill utility and the Windows service controller to terminate and remove essential security tools, including Sysmon, Filebeat, and other endpoint security solutions from vendors such as Cortex, SentinelOne, and Dr.Web. This extensive disabling of security infrastructure effectively rendered the environment blind to ongoing malicious activities. The attacker also leveraged Image File Execution Options to force Sysmon, Filebeat, and SetACL into a debugger state, causing them to freeze. Finally, the attacker employed appcmd to enumerate IIS sites and then uninstalled the ModSecurity web application firewall, thereby removing protections against common web vulnerabilities like SQL injection and cross-site scripting attacks.

Credential Theft and Persistence Tactics

With the security defenses compromised, the attackers proceeded to steal credentials. They imported a registry file to alter the WDigest setting, compelling Windows to store passwords in plaintext within memory, rather than in a more secure, protected format.

Subsequently, the attackers extracted ODBC credentials from the registry and executed tools, identified as g.com and hs.com, which wrote the stolen data to text files named pass.txt and hash.txt. The Mimikatz kernel driver, mimidrv.sys, was then deployed to directly dump credentials from memory before being promptly deleted to erase traces of its use.

Beyond the immediate credential theft, the script contained commented-out code indicating preparations for further escalation. This included a WMI event consumer designed for automatic clearing of Windows event logs and commands aimed at stripping file permissions on critical Windows components. Before exiting the system, the attacker deleted all generated files, wiped registry keys associated with WScript and Shell.Application, and cleared the security, system, and application event logs. Huntress confirmed that the intrusion was contained before any data exfiltration occurred, primarily due to the SOC’s timely detection of the suspicious activity.
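The two sections above describe a chain of host-level actions (a shell spawned by the IIS worker process, Set-MpPreference switches that weaken Defender, taskkill/sc against Sysmon and Filebeat, an Image File Execution Options Debugger value, a WDigest change, registry file imports, appcmd use and event-log clearing) that are individually noisy but, taken together within one intrusion, are a strong signal. The following is an added example, not Huntress's tooling or code from the article: a small rule-based triage over process-creation events, with the events constructed for illustration. It assumes the logs expose parent image, image and full command line (as Sysmon Event ID 1 or Windows 4688 with command-line auditing do); the use of wevtutil for log clearing and the exact command lines are assumptions, since the article names the actions but not the commands.

```python
"""Rule-based triage of process-creation events for the defense-impairment
chain described in the article. Added example with constructed events; the
command lines are assumed forms of the actions the article names."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image name, e.g. "w3wp.exe"
    image: str     # created image name, e.g. "powershell.exe"
    cmdline: str   # full command line as logged


@dataclass(frozen=True)
class Rule:
    name: str
    parent: Optional[str] = None   # regex on the parent image
    image: Optional[str] = None    # regex on the created image
    cmdline: Optional[str] = None  # regex on the command line

    def matches(self, ev: ProcEvent) -> bool:
        checks = ((self.parent, ev.parent), (self.image, ev.image), (self.cmdline, ev.cmdline))
        return all(pat is None or re.search(pat, val, re.IGNORECASE) for pat, val in checks)


RULES = [
    # An IIS worker process spawning a shell is the classic webshell signal.
    Rule("webshell-spawned-shell", parent=r"^w3wp\.exe$", image=r"^(cmd|powershell)\.exe$"),
    # Set-MpPreference switches for the Defender features the article says were turned off.
    Rule("defender-tamper",
         cmdline=r"set-mppreference.*(-disable(realtime|behavior|script)\w*|-submitsamplesconsent)"),
    # taskkill / sc aimed at the logging and endpoint agents the attacker removed.
    Rule("security-tool-kill", image=r"^(taskkill|sc)\.exe$",
         cmdline=r"(sysmon|filebeat|sentinel|cortex|dr\.?web|setacl)"),
    # An IFEO 'Debugger' value redirects the named binary whenever it starts.
    Rule("ifeo-debugger", cmdline=r"image file execution options.*\bdebugger\b"),
    # WDigest change that makes LSASS keep plaintext credentials in memory.
    Rule("wdigest-plaintext", cmdline=r"wdigest.*uselogoncredential.*\b1\b"),
    # The attacker imported a .reg file; review every import launched from a shell.
    Rule("registry-file-import", image=r"^reg\.exe$", cmdline=r"\bimport\b"),
    # Clearing the Security/System/Application logs (wevtutil is an assumed tool).
    Rule("event-log-clear", cmdline=r"wevtutil\s+cl\s+(security|system|application)\b"),
    # appcmd from a shell: site enumeration or module (ModSecurity) removal.
    Rule("iis-appcmd", image=r"^appcmd\.exe$"),
]


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event_index, rule_name) for every rule each event trips."""
    return [(i, r.name) for i, ev in enumerate(events) for r in RULES if r.matches(ev)]


def impairment_score(events: List[ProcEvent]) -> int:
    """Number of distinct impairment rules tripped. Any single command could be an
    administrator's; several distinct ones in one window is what merits an alert."""
    return len({name for _, name in triage(events)})


# Constructed sample events, modelled on the sequence the article describes.
SAMPLE_EVENTS = [
    ProcEvent("w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("cmd.exe", "powershell.exe",
              "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true "
              "-DisableBehaviorMonitoring $true"),
    ProcEvent("cmd.exe", "taskkill.exe", "taskkill /f /im Sysmon64.exe"),
    ProcEvent("cmd.exe", "reg.exe",
              r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
              r'\Sysmon64.exe" /v Debugger /t REG_SZ /d placeholder.exe'),
    ProcEvent("cmd.exe", "reg.exe", "reg import wd.reg"),
    ProcEvent("cmd.exe", "reg.exe",
              r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
              r" /v UseLogonCredential /t REG_DWORD /d 1"),
    ProcEvent("cmd.exe", "wevtutil.exe", "wevtutil cl Security"),
    ProcEvent("cmd.exe", "appcmd.exe", "appcmd list sites"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),   # benign control
]

if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx].cmdline}")
    print("distinct impairment rules tripped:", impairment_score(SAMPLE_EVENTS))
```

The point of `impairment_score` is correlation: a single `Set-MpPreference` or `wevtutil cl` call from an administrator is routine, but the article's chain trips nearly every rule from the same shell lineage in one session, which is the condition to page on. In production the parent check would be extended to the full ancestry so that commands two or three hops below w3wp.exe are still tied back to the webshell.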

Indicators of Compromise (IoCs)

Type                 Indicator                                                         Description
File hash (SHA256)   bd74a00f4d2ec3bf50d13ddf324bb368b2464d547abd0c572ef5e2f77943a92   Steganography webshell (UA4fp7R.aspx)
File hash (SHA256)   40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c   Steganography webshell (03Fl3i.aspx)
File hash (SHA256)   f63d293e117cae1d0a6c24359fc1361a9dc48178049cc6491051b09268c8c39c  Steganography webshell (WRBYTR5750images.aspx / MRBTPS5754images.aspx)
