
T1562.001 Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.[8]

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.[17]

Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.[2]

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.[3][6][9][4] For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.[9]

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.[5]
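The behaviours described above (killing security processes, stopping their services, changing Defender preferences, zeroing the Sysmon autologger "Start"/"Enable" values, adding Defender exclusions, deleting protection-related keys) are visible in process-creation and registry telemetry. The following is an added example, not code from the ATT&CK page, that runs a small set of detection rules over constructed Sysmon-style events. Assumptions not taken from the page: the Defender exclusions registry path, the process/service names MsMpEng.exe, WinDefend and Sysmon64, the Set-MpPreference/Add-MpPreference cmdlets, and the event field names; all sample events are constructed.

```python
"""Detection rules for T1562.001-style tampering, run over constructed sample telemetry.
Added example; not code from the ATT&CK page. Event shapes loosely follow Sysmon
(process creation, registry value set, registry key delete) but are constructed here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry locations to watch. The Sysmon autologger key is the one the page names;
# the Defender exclusions key (assumption) is where path exclusions are persisted.
SYSMON_AUTOLOGGER = (r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
                     r"\EventLog-Microsoft-Windows-Sysmon-Operational")
DEFENDER_EXCLUSIONS = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
WATCHED_KEYS = (SYSMON_AUTOLOGGER.lower(), DEFENDER_EXCLUSIONS.lower())

# Illustrative lists of security processes and services (constructed; tune per estate).
SECURITY_PROCESSES = {"sysmon.exe", "sysmon64.exe", "msmpeng.exe",
                      "savservice.exe", "savadminservice.exe"}
SECURITY_SERVICES = {"sysmon", "sysmon64", "windefend", "savservice"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def check_command(event: Dict[str, str]) -> List[Alert]:
    """DS0017 Command Execution rules: taskkill against a security process,
    net/sc stopping or reconfiguring a security service, Defender preference changes."""
    host, cmd = event["host"], event["command_line"]
    low = cmd.lower()
    alerts: List[Alert] = []
    m = re.search(r'\btaskkill\b.*?/im\s+"?([\w.\-]+)', low)
    if m and m.group(1) in SECURITY_PROCESSES:
        alerts.append(Alert("taskkill against security process", host, cmd))
    m = re.search(r'\b(?:net\s+stop|sc(?:\.exe)?\s+(?:stop|config))\s+"?([\w.\-]+)', low)
    if m and m.group(1) in SECURITY_SERVICES:
        alerts.append(Alert("security service stopped or reconfigured", host, cmd))
    if re.search(r"\bset-mppreference\b.*?-disable\w*", low) or \
            re.search(r"\badd-mppreference\b.*?-exclusion\w*", low):
        alerts.append(Alert("Defender preference tampering", host, cmd))
    return alerts


def _dword(details: str) -> Optional[int]:
    """Parse the numeric value out of a Sysmon-style 'DWORD (0x0000000N)' details string."""
    m = re.search(r"0x([0-9a-f]+)", details.lower())
    return int(m.group(1), 16) if m else None


def check_registry(event: Dict[str, str]) -> List[Alert]:
    """DS0024 Windows Registry rules: Sysmon autologger Start/Enable set to 0,
    a Defender exclusion added, or a deletion under either watched key."""
    host, target = event["host"], event["target_object"]
    tl = target.lower()
    if event["event_type"] == "registry_delete":
        return [Alert("protected registry key deleted", host, target)] if tl.startswith(WATCHED_KEYS) else []
    key, _, value_name = tl.rpartition("\\")
    if key == SYSMON_AUTOLOGGER.lower() and value_name in ("start", "enable") \
            and _dword(event.get("details", "")) == 0:
        return [Alert("Sysmon autologger disabled", host, target)]
    if tl.startswith(DEFENDER_EXCLUSIONS.lower() + "\\"):
        return [Alert("Defender exclusion added", host, target)]
    return []


def detect(events: List[Dict[str, str]]) -> List[Alert]:
    """Dispatch each event to the rule set for its data source and collect alerts."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["event_type"] == "process_create":
            alerts.extend(check_command(ev))
        elif ev["event_type"] in ("registry_set", "registry_delete"):
            alerts.extend(check_registry(ev))
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"event_type": "process_create", "host": "WS01", "command_line": "taskkill /F /IM SavService.exe"},
    {"event_type": "process_create", "host": "WS01", "command_line": "sc stop Sysmon64"},
    {"event_type": "process_create", "host": "WS02",
     "command_line": 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"event_type": "process_create", "host": "WS02", "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"event_type": "registry_set", "host": "WS03",
     "target_object": SYSMON_AUTOLOGGER + "\\Start", "details": "DWORD (0x00000000)"},
    {"event_type": "registry_set", "host": "WS03",
     "target_object": DEFENDER_EXCLUSIONS + "\\Paths\\C:\\", "details": "DWORD (0x00000000)"},
    {"event_type": "registry_delete", "host": "WS03", "target_object": SYSMON_AUTOLOGGER},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.rule}: {a.detail}")
```

The benign notepad event produces nothing, and the rules key on the target of the action (which process, which service, which key and value) rather than on the tool name alone, so ordinary taskkill or sc usage against unrelated processes stays quiet.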

Item Value
ID T1562.001
Sub-techniques T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011
Tactics TA0005
Platforms Containers, IaaS, Linux, Windows, macOS
Version 1.4
Created 21 February 2020
Last Modified 12 April 2023

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla has the capability to kill any running analysis processes and AV software.[30]
G0016 APT29 APT29 has disabled Purview Audit on targeted accounts prior to stealing emails from Microsoft 365 tenants.[86]
G0143 Aquatic Panda Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[77]
S0640 Avaddon Avaddon looks for and attempts to stop anti-malware solutions.[57]
S0638 Babuk Babuk can stop anti-virus services on a compromised host.[46]
S0534 Bazar Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.[49]
S0252 Brave Prince Brave Prince terminates antimalware processes.[54]
G0060 BRONZE BUTLER BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.[98]
S0482 Bundlore Bundlore can change browser security settings to enable extensions to be installed. Bundlore uses the pkill cfprefsd command to prevent users from inspecting processes.[31][32]
S0484 Carberp Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[27]
S0144 ChChes ChChes can alter the victim’s proxy configuration.[28]
S0611 Clop Clop can uninstall or disable security products.[19]
S0154 Cobalt Strike Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.[44][45]
S0608 Conficker Conficker terminates various services related to system security and Windows.[43]
S0334 DarkComet DarkComet can disable Security Center functions like anti-virus.[59][60]
S0659 Diavol Diavol can attempt to stop security software.[13]
S0695 Donut Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.[12]
S0377 Ebury Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.[36]
S0554 Egregor Egregor has disabled Windows Defender to evade protections.[26]
S0605 EKANS EKANS stops processes related to security and management software.[51][52]
G1003 Ember Bear Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host.[95]
G0037 FIN6 FIN6 has deployed a utility script named kill.bat to disable anti-virus.[96]
G0047 Gamaredon Group Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.[90]
S0249 Gold Dragon Gold Dragon terminates anti-malware processes if they’re found running on the system.[54]
S0477 Goopy Goopy has the ability to disable Microsoft Outlook’s security policies to disable macro warnings.[63]
G0078 Gorgon Group Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[73]
S0531 Grandoreiro Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.[24]
S0132 H1N1 H1N1 kills and disables services for Windows Security Center and Windows Defender.[29]
S0061 HDoor HDoor kills anti-virus found on the victim.[25]
S0601 Hildegard Hildegard has modified DNS resolvers to evade DNS monitoring tools.[56]
S0434 Imminent Monitor Imminent Monitor has a feature to disable Windows Task Manager.[10]
G0119 Indrik Spider Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.[83]
S0201 JPIN JPIN can lower security settings by changing Registry keys.[68]
G0094 Kimsuky Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.[88][87]
S0669 KOCTOPUS KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.[65]
G0032 Lazarus Group Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.[93][91][92][94]
S0372 LockerGoga LockerGoga installation has been immediately preceded by a “task kill” command in order to disable anti-virus.[53]
S1048 macOS.OSAMiner macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system’s install.log for apps matching its hardcoded list, killing all matching process names.[16]
G0059 Magic Hound Magic Hound has disabled antivirus services on targeted systems in order to upload malicious payloads.[89]
S0449 Maze Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.[66] It has also disabled Windows Defender’s Real-Time Monitoring feature and attempted to disable endpoint protection services.[67]
S0576 MegaCortex MegaCortex was used to kill endpoint security processes.[17]
S0455 Metamorfo Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.[20][21]
S0688 Meteor Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[50]
G0069 MuddyWater MuddyWater can disable the system’s local proxy settings.[84]
S0228 NanHaiShu NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.[23]
S0336 NanoCore NanoCore can modify the victim’s anti-virus.[14][15]
S0457 Netwalker Netwalker can detect and terminate active security software-related processes on infected systems.[34][35]
C0002 Night Dragon During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.[99]
S0223 POWERSTATS POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.[72]
S0279 Proton Proton kills security tools like Wireshark that are running.[70]
G0024 Putter Panda Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[85]
S0583 Pysa Pysa has the capability to stop antivirus services and disable Windows Defender.[22]
S0650 QakBot QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[33]
S0481 Ragnar Locker Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.[62]
S0496 REvil REvil can connect to and disable the Symantec server on the victim’s network.[71]
S0400 RobbinHood RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.[58]
G0106 Rocke Rocke used scripts which detected and uninstalled antivirus software.[81][82]
S0253 RunningRAT RunningRAT kills running antimalware processes.[54]
S0446 Ryuk Ryuk has stopped services related to anti-virus.[61]
S0692 SILENTTRINITY SILENTTRINITY‘s amsiPatch.py module can disable Antimalware Scan Interface (AMSI) functions.[11]
S0468 Skidmap Skidmap has the ability to set SELinux to permissive mode.[55]
C0024 SolarWinds Compromise During the SolarWinds Compromise, APT29 used the service control manager on a remote system to disable services associated with security monitoring products.[100]
S0058 SslMM SslMM identifies and kills anti-malware processes.[25]
S0491 StrongPity StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.[37]
S0559 SUNBURST SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.[69]
G0092 TA505 TA505 has used malware to disable Windows Defender.[78]
G0139 TeamTNT TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.[79][80]
S0595 ThiefQuest ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.[48]
S0004 TinyZBot TinyZBot can disable Avira anti-virus.[47]
S0266 TrickBot TrickBot can disable Windows Defender.[42]
G0010 Turla Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.[97]
S0130 Unknown Logger Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.[18]
S0670 WarzoneRAT WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.[64]
S0689 WhisperGate WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.[39][38][40]
G0102 Wizard Spider Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.[74][75][76]
S0412 ZxShell ZxShell can kill AV products’ processes.[41]

Mitigations

ID Mitigation Description
M1038 Execution Prevention Use application control where appropriate, especially regarding the execution of tools outside of the organization’s security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.
M1022 Restrict File and Directory Permissions Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.
M1024 Restrict Registry Permissions Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.
M1018 User Account Management Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0027 Driver Driver Load
DS0009 Process Process Termination
DS0013 Sensor Health Host Status
DS0019 Service Service Metadata
DS0024 Windows Registry Windows Registry Key Deletion

References


  1. de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021. 

  2. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022. 

  3. Hernandez, A. S. Tarter, P. Ocamp, E. J. (2022, January 19). One Source to Rule Them All: Chasing AVADDON Ransomware. Retrieved January 26, 2022. 

  4. Hurley, S. (2021, December 7). Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes. Retrieved January 26, 2022. 

  5. Lakshmanan, R. (2022, May 2). AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection. Retrieved May 17, 2022. 

  6. Loui, E. Scheuerman, K. et al. (2020, April 16). Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques. Retrieved January 26, 2022. 

  7. MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021. 

  8. Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022. 

  9. Tran, T. (2020, November 24). Demystifying Ransomware Attacks Against Microsoft Defender Solution. Retrieved January 26, 2022. 

  10. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020. 

  11. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  12. TheWover. (2019, May 9). donut. Retrieved March 25, 2022. 

  13. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider? Retrieved November 12, 2021. 

  14. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018. 

  15. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. 

  16. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. 

  17. Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. 

  18. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  19. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. 

  20. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  21. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  22. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. 

  23. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  24. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020. 

  25. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  26. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins? Retrieved January 6, 2021. 

  27. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. 

  28. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  29. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016. 

  30. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. 

  31. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. 

  32. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 

  33. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  34. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. 

  35. Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. 

  36. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021. 

  37. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. 

  38. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 

  39. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. 

  40. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. 

  41. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 

  42. Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. 

  43. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. 

  44. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. 

  45. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  46. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. 

  47. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  48. Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more! Retrieved March 18, 2021. 

  49. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. 

  50. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 

  51. Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. 

  52. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021. 

  53. Greenberg, A. (2019, March 25). A Guide to LockerGoga, the Ransomware Crippling Industrial Firms. Retrieved July 17, 2019. 

  54. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. 

  55. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. 

  56. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 

  57. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. 

  58. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. 

  59. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. 

  60. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. 

  61. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. 

  62. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. 

  63. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  64. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. 

  65. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  66. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. 

  67. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. 

  68. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  69. Stephen Eckels, Jay Smith, William Ballenthin. (2020, December 24). SUNBURST Additional Technical Details. Retrieved January 6, 2021. 

  70. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 

  71. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. 

  72. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 

  73. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 

  74. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  75. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. 

  76. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  77. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 

  78. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  79. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. 

  80. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 

  81. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 

  82. Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020. 

  83. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. 

  84. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  85. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. 

  86. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. 

  87. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. 

  88. Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT? Retrieved August 13, 2019. 

  89. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  90. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  91. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. 

  92. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016. 

  93. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  94. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018. 

  95. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 

  96. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  97. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. 

  98. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  99. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  100. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.