DefenseEvasion.md

File metadata and controls

39 lines (36 loc) · 2.12 KB

# Defense Evasion Tools

> [!TIP]
> Various freely available anti-rootkit and system-inspection tools specialize in finding and removing stealthy threats. They can enumerate hidden processes, files, services and drivers, inspect kernel memory for malicious modules, and report hooks placed on system call tables, IRP handlers and other kernel structures. Because they look at system internals directly rather than relying on the OS-provided views, they can expose deeply embedded malware that a standard antivirus product might miss.

> [!IMPORTANT]
> Threat actors abuse the same tools, and in particular the signed kernel drivers many of them ship with, to interfere with security software: terminating or suspending protected security processes, tampering with the files and registry keys a product depends on, and corrupting its memory so it can no longer detect or block activity. Loading one of these drivers lets an adversary who already holds administrator rights escalate to kernel-level control, from which security software can be disabled or altered, removing the means the system relies on to detect or prevent the intrusion. The drivers are legitimate and validly signed, so signature-based allow-listing alone does not stop this; watch instead for driver loads from products not deployed in your environment or from user-writable paths, and for terminations of protected security processes that follow them.

| Tool Name | Threat Group Usage |
|---|---|
| Avast Anti-Rootkit driver | Cuba, AvosLocker, MONTI |
| Backstab (Process Explorer driver) | Black Basta, LockBit |
| Bedevil | Scattered Spider* |
| BEST_uninstallTool | BabLock |
| Darkside (TrueSight driver) | CosmicBeetle* |
| Defender Control | LockBit, Zola |
| Dell Client driver | BlackByte |
| EDRSandBlast | Cicada3301 |
| EMCO UnLock IT | Zola |
| Eraser | BlackSuit, Royal |
| FileShredder | BlackCat |
| GIGABYTE Motherboard driver | BlackByte |
| GMER | BlackSuit, Royal, PLAY, LockBit, Bassterlord*, Conti, 8BASE, TargetCompany, Hive, Avaddon, MONTI |
| HRSword | Medusa Locker |
| IOBit | PLAY |
| MSI Afterburner driver | BlackByte |
| NSudo | Royal |
| PCHunter | LockBit, Conti, 8BASE, TargetCompany, Hive, Qilin, FiveHands, Medusa Locker |
| PowerTool | BlackSuit, Royal, Akira, Phobos, PLAY, LockBit, Qilin, Avaddon |
| ProcessHacker | Phobos, LockBit, 8BASE, Zola, Medusa Locker |
| RealBlindingEDR | CosmicBeetle* |
| Reaper | CosmicBeetle* |
| s4killer (Minifilter Driver) | Embargo |
| TDSSKiller | LockBit, Avaddon |
| ThreatFire System Monitor driver | RansomHub |
| Universal Virus Sniffer | Phobos |
| VirtualBox | RagnarLocker |
| YDArk | Qilin |
| Zemana Anti-Rootkit driver | Qilin, Akira, BlackByte |