Hackers Disable Defender, Sysmon, and WAF Before Dumping Credentials With Mimikatz

Jul 02, 2026 · 5 min read
Hackers have found a new way to blind security teams before stealing passwords, and the technique is as thorough as it is alarming.

A threat actor recently disabled Microsoft Defender, killed the Sysmon logging tool, and tore down a web application firewall, all before deploying Mimikatz to harvest credentials.

The campaign shows how far attackers will go to erase their footprints and avoid detection. The intrusion began on June 7 with a compromised web server and basic reconnaissance commands.

What looked like routine enumeration soon escalated into one of the more aggressive defense evasion operations observed this year, involving nearly a dozen distinct techniques layered on top of each other.

Huntress said in a report shared with Cyber Security News (CSN) that they identified the incident after their SOC detected suspicious enumeration activity spawning from a legitimate IIS worker process.

That anomaly led investigators to uncover a steganographic webshell hidden inside an image file, marking the starting point of a much larger attack chain.

The webshell, named UA4fp7R.aspx, had been concealed using steganography and was traced back to a directory meant only for images.

From there, the attacker expanded their foothold, returning multiple times even after the security team attempted remediation, ultimately escalating to full credential theft.
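One way to hunt for this kind of file, as an added example that is not code from the Huntress report or the article: a PowerShell function that walks an IIS image directory and flags files with server-side script extensions, files whose leading bytes do not match their image extension, and files carrying ASP.NET/PHP markers or the ONEPIECE string listed in the IoCs. The directory path, the extension list and the marker list are assumptions chosen for illustration.

```powershell
# Added example, not code from the Huntress report: hunt an IIS image directory for
# server-side script content or files whose bytes do not match their extension.
# $ImageDir, the extension list and the marker list are assumptions.

function Find-SuspiciousImageFiles {
    param(
        [Parameter(Mandatory)][string]$ImageDir,
        [int]$MaxSizeMB = 50
    )

    # Extensions IIS would execute server-side; none of these belong in an image folder.
    $scriptExt = '.aspx', '.asp', '.ashx', '.asmx', '.asax', '.php', '.jsp', '.cshtml', '.config'

    # Expected leading bytes (hex) for common image formats; assumption: only these are served.
    $magic = @{
        '.jpg'  = 'FFD8FF'; '.jpeg' = 'FFD8FF'
        '.png'  = '89504E47'
        '.gif'  = '47494638'
        '.bmp'  = '424D'
        '.webp' = '52494646'
    }

    # ASCII markers of ASP.NET / PHP code plus the ONEPIECE string the report lists as an IoC.
    $markers = '<%@ Page', '<%@ WebHandler', '<script runat=', '<?php', 'ONEPIECE', 'System.Reflection.Assembly'

    Get-ChildItem -Path $ImageDir -Recurse -File | ForEach-Object {
        $f = $_
        if ($f.Length -gt $MaxSizeMB * 1MB) { return }   # skip oversized files for this pass
        $reasons = New-Object System.Collections.Generic.List[string]

        $ext = $f.Extension.ToLowerInvariant()
        if ($scriptExt -contains $ext) { $reasons.Add("executable extension $ext in image directory") }

        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        if ($bytes.Length -gt 0) {
            # Compare the first bytes with the format the extension claims.
            $headLen = [Math]::Min(4, $bytes.Length)
            $head = ($bytes[0..($headLen - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
            if ($magic.ContainsKey($ext) -and -not $head.StartsWith($magic[$ext])) {
                $reasons.Add("header $head does not match $ext")
            }
            # Look for code markers anywhere in the file, including data appended after the image.
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
            foreach ($m in $markers) {
                if ($text.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $reasons.Add("marker '$m'") }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path      = $f.FullName
                SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                LastWrite = $f.LastWriteTimeUtc
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Example invocation (placeholder path):
Find-SuspiciousImageFiles -ImageDir 'C:\inetpub\wwwroot\images' | Format-Table -AutoSize
```

A payload hidden in pixel data rather than stored as readable text will not trip the marker check; the extension and magic-byte checks, together with comparing the reported SHA256 against the IoC table, are what catch a file like UA4fp7R.aspx sitting where only images should be. Review hits against the site's deployment manifest before removing anything.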

The webshell (UA4fp7R.aspx) opened using an image viewer (Source - Huntress)

What makes this case notable is not just the credential dumping itself, but the deliberate sequence of defensive sabotage that preceded it. The attacker methodically dismantled logging, security tooling, and monitoring systems before ever touching Mimikatz.

Hackers Disable Defender, Sysmon, and WAF

The attacker’s playbook centered on a batch script named i.bat, which Huntress recovered before it could be deleted. The script first disabled IIS HTTP logging, cutting off visibility into further webshell activity on the server.

It then ran PowerShell commands to weaken Microsoft Defender, turning off real-time monitoring, behavior monitoring, script scanning, and sample submission. A companion script called DisableDefender.ps1 reinforced these changes before being deleted to cover its tracks.

The webshell payload embedded in the image (Source - Huntress)

Next, the script used taskkill and the Windows service controller to terminate and remove Sysmon, Filebeat, and several endpoint security tools, including products from Cortex, SentinelOne, and Dr.Web. This effectively blinded the environment to malicious activity.

The attacker also used Image File Execution Options to force Sysmon, Filebeat, and SetACL into a debugger state, freezing them entirely.

Finally, they used appcmd to enumerate IIS sites before uninstalling the ModSecurity web application firewall, removing protection against SQL injection and cross-site scripting attacks.
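The tampering described in this section leaves a checkable state on the host. As an added example that is not code from the Huntress report or the article, the PowerShell function below audits Defender preferences, telemetry services, IFEO Debugger values, IIS logging and the presence of a ModSecurity module, and reports each deviation. It should be run in an elevated session; the service names, the 'Sysmon64'/'Sysmon'/'filebeat' list and the ModSecurity module name pattern are assumptions to adjust for your stack.

```powershell
# Added example, not code from the Huntress report: audit a Windows/IIS host for the
# defense tampering described above. Run elevated. Service and module names are assumptions.

function Test-SecurityToolTampering {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Area, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
    }

    # 1. Defender settings the attacker's script turned off via Set-MpPreference.
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        if ($mp.DisableRealtimeMonitoring)  { Add-Finding 'Defender' 'real-time monitoring disabled' }
        if ($mp.DisableBehaviorMonitoring)  { Add-Finding 'Defender' 'behavior monitoring disabled' }
        if ($mp.DisableScriptScanning)      { Add-Finding 'Defender' 'script scanning disabled' }
        if ($mp.SubmitSamplesConsent -eq 2) { Add-Finding 'Defender' 'sample submission set to NeverSend' }
    } catch { Add-Finding 'Defender' "Get-MpPreference failed: $($_.Exception.Message)" }

    # 2. Telemetry services stopped or removed (service names are assumptions).
    foreach ($svc in 'Sysmon64', 'Sysmon', 'filebeat') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { Add-Finding 'Service' "$svc not present" }
        elseif ($s.Status -ne 'Running') { Add-Finding 'Service' "$svc is $($s.Status)" }
    }

    # 3. IFEO Debugger values: any binary listed here launches the "debugger" instead of itself.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Add-Finding 'IFEO' "$($_.PSChildName) -> Debugger = $dbg" }
    }

    # 4. IIS HTTP logging turned off server-wide or per site, and no ModSecurity module registered.
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $dontLog = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Filter 'system.webServer/httpLogging' -Name 'dontLog'
        if ([bool]$dontLog.Value) { Add-Finding 'IIS' 'httpLogging dontLog = true (server-wide)' }
        Get-ChildItem -Path 'IIS:\Sites' | ForEach-Object {
            if (-not $_.logFile.enabled) { Add-Finding 'IIS' "site '$($_.Name)' has logging disabled" }
        }
        if (-not (Get-WebGlobalModule | Where-Object { $_.Name -like '*ModSecurity*' })) {
            Add-Finding 'IIS' 'no ModSecurity global module registered'
        }
    }

    return ,$findings
}

$result = Test-SecurityToolTampering
if ($result.Count -eq 0) { 'No tampering indicators found' } else { $result | Format-Table -AutoSize }
```

Each finding here is a state an operator could also have set legitimately, so the value is in comparing against a known baseline and alerting on change, not in the raw list. The same checks map to events worth forwarding off-host: Defender operational log entries for configuration changes, service stop/delete events, and registry modifications under the IFEO key, so that a host which goes quiet is noticed from the outside.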

Credential Theft and Persistence Tactics

With defenses stripped away, the attacker turned to credential theft. They imported a registry file to modify the WDigest setting, forcing Windows to cache plaintext passwords in memory rather than only a protected form.

They then extracted ODBC credentials stored in the registry and ran tools identified as g.com and hs.com, which wrote stolen data to pass.txt and hash.txt. The Mimikatz kernel driver, mimidrv.sys, was used to dump credentials directly from memory before being deleted.

Beyond credential theft, the script contained commented-out code for a WMI event consumer capable of clearing Windows event logs automatically, along with commands to strip file permissions on core Windows components. These entries suggest the attacker was prepared to escalate further.

Before leaving, the attacker deleted generated files, wiped registry keys tied to WScript and Shell.Application, and cleared the security, system, and application event logs. Huntress noted the intrusion was contained before any data was stolen, largely because the SOC caught the activity in time.
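The credential-theft and anti-forensics steps in this section also leave traces a defender can query. As an added example that is not code from the Huntress report or the article, the PowerShell function below checks the WDigest UseLogonCredential value, lists permanent WMI event subscriptions, pulls the events Windows writes when the Security or System log is cleared, and looks for a kernel driver service pointing at mimidrv.sys. It should be run elevated; the 30-day lookback window is an assumption.

```powershell
# Added example, not code from the Huntress report: check the credential-theft and
# anti-forensics traces described above. Run elevated. The lookback window is an assumption.

function Test-CredentialTheftTraces {
    param([int]$LookbackDays = 30)
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Area, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Area = $Area; Detail = $Detail })
    }

    # 1. WDigest: UseLogonCredential = 1 makes LSASS keep clear-text passwords in memory.
    $wdPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wd = Get-ItemProperty -Path $wdPath -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) { Add-Finding 'WDigest' 'UseLogonCredential = 1' }

    # 2. Permanent WMI event subscriptions; a staged log-clearing consumer would live here.
    foreach ($cls in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'WMI' "$cls '$($_.Name)'" }
    }

    # 3. Log clearing: event 1102 lands in Security and 104 in System right after a clear,
    #    so they survive even though the entries before them are gone.
    $since = (Get-Date).AddDays(-$LookbackDays)
    foreach ($q in @(@{ LogName = 'Security'; Id = 1102 }, @{ LogName = 'System'; Id = 104 })) {
        $q.StartTime = $since
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Finding 'EventLog' "$($q.LogName) event $($_.Id) at $($_.TimeCreated.ToString('u')) by $($_.UserId)"
        }
    }

    # 4. Mimikatz driver residue: a driver service whose image path names mimidrv.sys.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like '*mimidrv*' } |
        ForEach-Object { Add-Finding 'Driver' "$($_.Name) -> $($_.PathName)" }

    return ,$findings
}

$result = Test-CredentialTheftTraces
if ($result.Count -eq 0) { 'No credential-theft indicators found' } else { $result | Format-Table -AutoSize }
```

The WMI listing will include any legitimate subscriptions already on the host, so treat it as a review list rather than an alert on its own. Because a cleared log is itself evidence, the 1102 and 104 events are the ones to forward to a SIEM in near real time; once they are only available locally, a second clearing pass removes them too.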

Organizations should apply foundational security hygiene to prevent similar attacks. Recommended steps include keeping software fully patched, ensuring proper logging across web servers and endpoints, and placing internet-facing servers behind a firewall or VPN when possible.

The report also stressed that incident response must be followed through completely, since bringing a server back online before remediation finishes gives attackers a fresh chance to return, exactly as happened in this case.

Indicators of Compromise (IoCs):

Type | Indicator | Description
File hash (SHA256) | bd74a00f4d2ec3bf50d13ddf324bb368b2464d547abd0c572ef5e2f77943a92 | Steganography webshell (UA4fp7R.aspx)
File hash (SHA256) | 40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c | Steganography webshell (03Fl3i.aspx)
File hash (SHA256) | f63d293e117cae1d0a6c24359fc1361a9dc48178049cc6491051b09268c8c39c | Steganography webshell (WRBYTR5750images.aspx / MRBTPS5754images.aspx)
File hash (SHA256) | 94cd18f3f030fcc9b259dc410b17ea72a1f9800ee654f8e0f07a87bb9443b59 | Defense evasion/enumeration batch file (C:\ProgramData\x\i.bat)
File hash (SHA256) | 793768ce4fadab044c7502ea5ec4d8e1569283f289dfd73419e119f32d56d0f | PHP webshell (jT1Ds.php)
File hash (SHA256) | f0ff36ecdc843351913dbfbd9122b62563894936ff64215a7a2f89181ebdb57f | Webshell (RG0eQV6.php)
String/Marker | ONEPIECE | String embedded in and used to identify related webshells

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
