Attackers install AV to disable security

BoerenkoolMetWorst · Nov 5, 2024

Rapid7 has a blog post on how Sharepoint was compromised:
https://www.rapid7.com/blog/post/20...harepoint-compromise-ir-tales-from-the-field/

Interestingly, they installed a legit AV to crash existing security software:

This involved the service account installing the Horoung Antivirus (AV) software, which was not an authorized software in the environment. For context, Horoung Antivirus is a popular AV software in China that can be installed from Microsoft Store. Most notably, the installation of Horoung caused a conflict with active security products on the system. This resulted in a crash of these services. Stopping the system’s current security solutions allowed the attacker freedom to pursue follow-on objectives thus relating this malicious activity to Impairing Defenses (T1562)....
...The system’s security tooling blocked the Impacket execution, which led to the download via browser and installation of this AV product to circumvent defenses.
Click to expand...

Log in or Sign up

Attackers install AV to disable security

BoerenkoolMetWorst Registered Member

Log in or Sign up

Attackers install AV to disable security

BoerenkoolMetWorst Registered Member

Useful Searches