013. It Can Remove Rootkits. And Your EDR!

Hello everyone! Let's talk about another very curious tool abused by threat actors. For example, it was used by LockBit and RansomHub ransomware affiliates. Have you guessed it already?

Yes, I'm talking about TDSSKiller - a legitimate rootkit removal tool by Kaspersky. Despite the fact that it was developed for malware removal, it can also be used by adversaries to remove security software.

For example, here's how RansomHub affiliates used it to disable a Trend Micro service, according to this report:

C:\Windows\tdsskiller.exe -dcsvc "TMBMServer" -accepteula

By the way, according to VirusTotal, this tool isn't detected by many antivirus engines:


Still, we have a few detection and hunting opportunities, for example:

  • Command-line parameters typical of the tool: -dcsvc
  • Metadata indicating the executable is TDSSKiller: "TDSSKiller", "TDSS rootkit removing tool"
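To show how those two indicators look in practice, here is an added hunting snippet (my example, not part of the original post or of any vendor's rule set). It runs over constructed process-creation events laid out like Sysmon Event ID 1 fields (image, command line, OriginalFileName, Description, Product; the field names and the sample events are assumptions), flags the -dcsvc switch together with the service it targets, and flags the TDSSKiller metadata strings even when the binary has been renamed on disk.

```python
"""Hunt for TDSSKiller-style service removal in process-creation telemetry.

Indicators from the post: the -dcsvc switch on the command line, and the
PE metadata strings "TDSSKiller" / "TDSS rootkit removing tool".
The event layout and all sample events below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# "-dcsvc <service>" with or without quotes around the service name.
DCSVC_RE = re.compile(r'(?:^|\s)-dcsvc\s+"?([^"\s]+)"?', re.IGNORECASE)

# Metadata strings named in the post, compared case-insensitively.
METADATA_INDICATORS = ("tdsskiller", "tdss rootkit removing tool")


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    original_file_name: str = ""
    description: str = ""
    product: str = ""


@dataclass
class Match:
    reasons: list = field(default_factory=list)
    target_service: str = ""

    def __bool__(self) -> bool:
        return bool(self.reasons)


def check_event(ev: ProcessEvent) -> Match:
    """Return the indicators that fire on one event (empty Match if none)."""
    m = Match()
    cmd = DCSVC_RE.search(ev.command_line)
    if cmd:
        m.reasons.append("cmdline:-dcsvc")
        m.target_service = cmd.group(1)  # the service being deleted
    for field_name in ("original_file_name", "description", "product"):
        value = getattr(ev, field_name).lower()
        if any(ind in value for ind in METADATA_INDICATORS):
            m.reasons.append(f"metadata:{field_name}")
    return m


def hunt(events):
    """Yield (event, match) pairs for every event that fires at least once."""
    results = []
    for ev in events:
        m = check_event(ev)
        if m:
            results.append((ev, m))
    return results


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # The command line quoted in the post, with the binary's real metadata.
    ProcessEvent(
        image=r"C:\Windows\tdsskiller.exe",
        command_line=r'C:\Windows\tdsskiller.exe -dcsvc "TMBMServer" -accepteula',
        original_file_name="TDSSKiller.exe",
        description="TDSS rootkit removing tool",
        product="Kaspersky TDSSKiller",
    ),
    # Same tool under a different file name: only the metadata gives it away.
    ProcessEvent(
        image=r"C:\Users\Public\update.exe",
        command_line=r"C:\Users\Public\update.exe -accepteula",
        original_file_name="TDSSKiller.exe",
        description="TDSS rootkit removing tool",
    ),
    # Benign admin activity: no TDSSKiller traits at all.
    ProcessEvent(
        image=r"C:\Windows\System32\sc.exe",
        command_line=r"sc.exe query TMBMServer",
    ),
]

if __name__ == "__main__":
    for ev, m in hunt(SAMPLE_EVENTS):
        svc = f" (target service: {m.target_service})" if m.target_service else ""
        print(f"{ev.image}: {', '.join(m.reasons)}{svc}")
```

Matching on OriginalFileName and Description is what makes the second sample fire: a rename on disk changes the image path but not the PE version resource, so a rule that keys only on "tdsskiller.exe" in the path would miss it. The extracted target service name is worth surfacing in the alert, since the name of a security product's service is the strongest signal that this is EDR tampering rather than a genuine cleanup.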

Do you know any other curious legitimate tools used to disable EDR?

See you tomorrow!
