概要
Updated 6/5/2023: Added Behavior Monitoring Information
Trend Micro is aware of and is actively researching claims of a tool, dubbed "Terminator," that has been promoted by a suspected threat actor on underground forums. This tool is reported to have the ability to terminate any major commercial antivirus (AV), XDR or EDR endpoint security agent, including those from Trend Micro.
Trend Micro is aware of and is actively researching claims of a tool, dubbed "Terminator," that has been promoted by a suspected threat actor on underground forums. This tool is reported to have the ability to terminate any major commercial antivirus (AV), XDR or EDR endpoint security agent, including those from Trend Micro.
詳情
From various research sources, the use of this "tool" requires that a user with malicious intent must have already acquired administrative privileges on the target machine. Alternatively, the attacker must entice a victim with administrative privilege to run the tool and accept a User Account Control (UAC) pop-up that will appear. Therefore, the most basic, and strongest mitigation against exploitation at this time is to ensure that credentials (especially for sensitive accounts) are properly secured - as damage extending far beyond disabling security clients is possible with administrative privileges.
The following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Vision One™
Trend Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. The following outline some of the components of Trend Vision One that can used for investigation.
XDR Threat Investigation > Detection Model Management
Trend Micro has added a new Detection Model titled "Suspicious Service Installation for Disabling AV Security Product using Zemana Anti-Malware Driver" which can used for investigation in the environment.
Trend Micro Server & Endpoint Products Utilizing Behavior Monitoring (e.g. Apex One, Cloud One - Workload Security, Deep Security, Worry-Free Business Security, etc.)
Trend Micro has released some updated detections for server and endpoint protection products that utilize Behavior Monitoring protection:
This article will continue to be updated with additional information as needed.
Using Trend Micro Products for Investigation, Detection & Protection
The following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Vision One™
Trend Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. The following outline some of the components of Trend Vision One that can used for investigation.
XDR Threat Investigation > Detection Model Management
Trend Micro has added a new Detection Model titled "Suspicious Service Installation for Disabling AV Security Product using Zemana Anti-Malware Driver" which can used for investigation in the environment.
Trend Micro Server & Endpoint Products Utilizing Behavior Monitoring (e.g. Apex One, Cloud One - Workload Security, Deep Security, Worry-Free Business Security, etc.)
Trend Micro has released some updated detections for server and endpoint protection products that utilize Behavior Monitoring protection:
- 2911T - Anti-AV/Anti-EDR by abusing Zemana AntiLogger Vulnerable Driver
- SEN2054S - Malicious Driver Dropping
This article will continue to be updated with additional information as needed.
