013. It Can Remove Rootkits. And Your EDR!
Hello everyone! Let's talk about another very curious tool abused by threat actors. For example, it was used by LockBit and RansomHub ransomware affiliates. Guessed it already?
Yes, I'm talking about TDSSKiller - a legitimate rootkit removal tool by Kaspersky. Despite the fact that it was developed for malware removal, it can also be used by adversaries to remove security software.
For example, here's how RansomHub affiliates used it to disable a Trend Micro service, according to this report:
C:\Windows\tdsskiller.exe -dcsvc "TMBMServer" -accepteula
By the way, according to VirusTotal, only a few antivirus engines detect this tool.
Still, we have a few detection and hunting opportunities, for example:
- Command-line parameters typical for the tool, such as -dcsvc
- File metadata indicating the executable is TDSSKiller (even if the binary has been renamed): "TDSSKiller", "TDSS rootkit removing tool"
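As an added example (not from the original post), here is a small Python hunt that applies both indicators to constructed process-creation events. The field names follow Sysmon Event ID 1 (Image, CommandLine, OriginalFileName, Description, Product) and are an assumption, as is the sample data.

```python
import re
from typing import Dict, List

# Indicators from the post: the -dcsvc switch seen in the RansomHub command line,
# and the binary metadata strings that identify TDSSKiller even when renamed.
DCSVC_RE = re.compile(r"(?:^|\s)-dcsvc(?:\s|$)", re.IGNORECASE)
SERVICE_RE = re.compile(r'-dcsvc\s+"?([^"\s]+)"?', re.IGNORECASE)
METADATA_MARKERS = ("tdsskiller", "tdss rootkit removing tool")


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the list of indicators matched by one process-creation event.

    Assumed Sysmon Event ID 1 style keys: Image, CommandLine,
    OriginalFileName, Description, Product. Missing keys are tolerated.
    """
    hits: List[str] = []
    cmd = event.get("CommandLine", "")
    if DCSVC_RE.search(cmd):
        # Keep the targeted service name as alert context.
        m = SERVICE_RE.search(cmd)
        hits.append(f"dcsvc:{m.group(1) if m else '?'}")
    meta = " ".join(event.get(k, "") for k in ("OriginalFileName", "Description", "Product")).lower()
    if any(marker in meta for marker in METADATA_MARKERS):
        hits.append("metadata:tdsskiller")
    return hits


def hunt(events: List[Dict[str, str]]):
    """Return (Image, hits) for every event that matched at least one indicator."""
    results = []
    for e in events:
        hits = classify_event(e)
        if hits:
            results.append((e.get("Image", ""), hits))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\tdsskiller.exe",
     "CommandLine": r'C:\Windows\tdsskiller.exe -dcsvc "TMBMServer" -accepteula',
     "OriginalFileName": "tdsskiller.exe", "Description": "TDSS rootkit removing tool"},
    {"Image": r"C:\Users\Public\svchost.exe",  # renamed copy: only metadata gives it away
     "CommandLine": r"C:\Users\Public\svchost.exe -accepteula",
     "OriginalFileName": "TDSSKiller.exe", "Description": "TDSS rootkit removing tool"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt",
     "OriginalFileName": "NOTEPAD.EXE", "Description": "Notepad"},
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_EVENTS):
        print(image, hits)
```

The second sample event shows why the metadata check matters: a renamed copy never trips the command-line rule on its own.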
Do you know any other curious legitimate tools used to disable EDR?
See you tomorrow!