T1562.001: Disable or Modify Tools
| View on MITRE ATT&CK | T1562.001 |
|---|---|
| Tactic(s) | Defense Evasion |
| Associated CAPEC Patterns | Disable Security Software (CAPEC-578) |
Data from MITRE ATT&CK®:
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
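The Sysmon autologger tampering described above leaves a trace in Sysmon's own Event ID 13 (RegistryEvent: Value Set) records, the source behind the "Windows Registry Key Modification" detection component listed further down. The following Python is an added example, not part of the MITRE text or of this site: it runs a small watchlist over constructed EID 13 records and flags writes that set a monitored value to its disabling state. The sample events are made up, and the Windows Defender DisableAntiSpyware policy value is a well-known extra watchlist entry that the page itself does not mention.

```python
import re

# Constructed sample Sysmon Event ID 13 (RegistryEvent: Value Set) records, already
# parsed from EventData into dicts; made up for this example, not from a real host.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger"
                     "\\EventLog-Microsoft-Windows-Sysmon-Operational\\Start",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Dhcp\\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
]

# Watchlist: (key path, value names, DWORD value that disables the tool, label). The Sysmon
# autologger key is from the technique text; the Defender policy value is a well-known extra.
WATCHLIST = [
    ("HKLM\\System\\CurrentControlSet\\Control\\WMI\\Autologger"
     "\\EventLog-Microsoft-Windows-Sysmon-Operational",
     {"start", "enable"}, 0, "Sysmon autologger disabled"),
    ("HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
     {"disableantispyware"}, 1, "Defender AV disabled via policy key"),
]

def dword_value(details):
    """Parse Sysmon's 'DWORD (0x00000000)' Details string; None if not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]{1,8})\)", details.strip())
    return int(m.group(1), 16) if m else None

def normalize_key(path):
    """Fold HKEY_LOCAL_MACHINE to Sysmon's HKLM form and lower-case for comparison."""
    return re.sub(r"^hkey_local_machine\\", "hklm\\\\", path.lower())

def detect_tool_tampering(events):
    """One alert per EID 13 event that sets a watched value to its disabling state."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key, _, value_name = ev["TargetObject"].rpartition("\\")
        value = dword_value(ev.get("Details", ""))
        for watched_key, names, disabling, label in WATCHLIST:
            if (normalize_key(key) == normalize_key(watched_key)
                    and value_name.lower() in names and value == disabling):
                alerts.append({"label": label, "image": ev.get("Image"),
                               "target": ev["TargetObject"], "value": value})
    return alerts
```

Autologger Start/Enable settings are read when the trace session starts at boot, so the running Sysmon session normally still records the EID 13 event for the write itself; this check therefore has a window to fire before logging stops after the next reboot.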
Reporting on this Technique
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
#StopRansomware: Play Ransomware
This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Ransomware Spotlight: Black Basta
This report from Trend Micro outlines tactics, techniques and procedures used by the Black Basta Ransomware group. According to the report, Black ...
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours
This report by the DFIR Report outlines a Trigona Ransomware attack. It describes how the actors went from initial access (by exposed RDP) to data ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.
How to detect this technique
MITRE ATT&CK Data Components
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Termination (Process)
Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)
Driver Load (Driver)
Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)
Host Status (Sensor Health)
Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Service Metadata (Service)
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Windows Registry Key Deletion (Windows Registry)
Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Tamper with Windows Defender Registry
Tamper with Windows Defender ATP PowerShell
Disable Carbon Black Response
Disable Windows Defender with DISM
Disable Hypervisor-Enforced Code Integrity (HVCI)
Tamper with Windows Defender ATP using Aliases - PowerShell
Stop and unload Crowdstrike Falcon on macOS
Delete Microsoft Defender ASR Rules - GPO
Stop Crowdstrike Falcon on Linux
Clear Pagging Cache
Disable syslog
WinPwn - Kill the event log services for stealth
LockBit Black - Disable Privacy Settings Experience Using Registry -cmd
Suspend History
Tamper with Windows Defender Registry - Reg.exe
Remove Windows Defender Definition Files
LockBit Black - Use Registry Editor to turn on automatic logon -cmd
Disable Memory Swap
Disable Cb Response
Disable Defender Using NirSoft AdvancedRun
Delete Microsoft Defender ASR Rules - InTune
Tamper with Windows Defender Registry - Powershell
Disable LittleSnitch
Disable syslog (freebsd)
Tamper with Windows Defender Evade Scanning -Extension
office-365-Disable-AntiPhishRule
Disable SELinux
Tamper with Windows Defender Evade Scanning -Folder
Clear History
Reboot Linux Host via Kernel System Request
Uninstall Crowdstrike Falcon on Windows
Delete Windows Defender Scheduled Tasks
Tamper with Defender ATP on Linux/MacOS
Kill antimalware protected processes using Backstab
Uninstall Sysmon
Disable Arbitrary Security Windows Service
Disable Windows Defender with PwSh Disable-WindowsOptionalFeature
Disable OpenDNS Umbrella
AMSI Bypass - Override AMSI via COM
WMIC Tamper with Windows Defender Evade Scanning Folder
AWS - GuardDuty Suspension or Deletion
ESXi - Disable Account Lockout Policy via PowerCLI
Tamper with Windows Defender Command Prompt
Unload Sysmon Filter Driver
Tamper with Windows Defender Evade Scanning -Process
Disable macOS Gatekeeper
LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell
Stop and Remove Arbitrary Security Windows Service
Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell
AMSI Bypass - Remove AMSI Provider Reg Key
Disable Microsoft Office Security Features
AMSI Bypass - AMSI InitFailed
Sigma Detections for this Technique
Tamper Windows Defender - ScriptBlockLogging
Dism Remove Online Package
HackTool - CobaltStrike BOF Injection Pattern
Service StartupType Change Via PowerShell Set-Service
Microsoft Malware Protection Engine Crash - WER
Windows Defender Submit Sample Feature Disabled
Windows Defender Exclusion Deleted
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Disable Exploit Guard Network Protection on Windows Defender
Windows Defender Real-Time Protection Failure/Restart
PUA - CleanWipe Execution
Folder Removed From Exploit Guard ProtectedFolders List - Registry
Windows Defender Virus Scanning Feature Disabled
Tamper Windows Defender - PSClassic
Uncommon Extension In Keyboard Layout IME File Registry Value
HackTool - PowerTool Execution
Disable Windows Defender Functionalities Via Registry Keys
Hypervisor Enforced Code Integrity Disabled
Suspicious PROCEXP152.sys File Created In TMP
Bitbucket Global SSH Settings Changed
Sysinternals PsSuspend Suspicious Execution
Windows Defender Definition Files Removed
Reg Add Suspicious Paths
Disable Tamper Protection on Windows Defender
Bitbucket Audit Log Configuration Updated
Windows Defender Exploit Guard Tamper
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
Bitbucket Secret Scanning Rule Deleted
Windows Defender Service Disabled - Registry
Windows Defender Exclusion List Modified
Raccine Uninstall
Sysmon Configuration Update
Security Service Disabled Via Reg.EXE
AWS Config Disabling Channel/Recorder
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Potential AMSI Bypass Via .NET Reflection
Bitbucket Project Secret Scanning Allowlist Added
Microsoft Office Protected View Disabled
Removal Of AMSI Provider Registry Keys
ESXi Syslog Configuration Change Via ESXCLI
Disable Security Events Logging Adding Reg Key MiniNt
Tamper With Sophos AV Registry Keys
Powershell Base64 Encoded MpPreference Cmdlet
Windows Defender Exclusions Added - Registry
Scripted Diagnostics Turn Off Check Enabled - Registry
Bitbucket Secret Scanning Exempt Repository Added
Potential AMSI Bypass Using NULL Bits
AWS GuardDuty Important Change
Win Defender Restored Quarantine File
Suspicious Application Allowed Through Exploit Guard
Windows Defender Malware And PUA Scanning Disabled
Potential AMSI Bypass Script Using NULL Bits
Disabled IE Security Features
Taskkill Symantec Endpoint Protection
Powershell Defender Disable Scan Feature
Windows Defender Exclusions Added
Load Of RstrtMgr.DLL By A Suspicious Process
Suspicious Path In Keyboard Layout IME File Registry Value
NetNTLM Downgrade Attack - Registry
AWS CloudTrail Important Change
Service StartupType Change Via Sc.EXE
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
AMSI Bypass Pattern Assembly GetType
Disable PUA Protection on Windows Defender
Powershell Defender Exclusion
Add SafeBoot Keys Via Reg Utility
Github Push Protection Bypass Detected
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Windows Defender Grace Period Expired
Potential AMSI COM Server Hijacking
Disable-WindowsOptionalFeature Command PowerShell
Weak Encryption Enabled and Kerberoast
Bitbucket Global Secret Scanning Rule Deleted
Service Registry Key Deleted Via Reg.EXE
Windows Defender Exclusion Reigstry Key - Write Access Requested
Uninstall Crowdstrike Falcon Sensor
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Windows Defender Configuration Changes
NetNTLM Downgrade Attack
Github Push Protection Disabled
Cisco Disabling Logging
Microsoft Malware Protection Engine Crash
Azure Kubernetes Events Deleted
SafeBoot Registry Key Deleted Via Reg.EXE
Load Of RstrtMgr.DLL By An Uncommon Process
Sysmon Driver Altitude Change
Uninstall Sysinternals Sysmon
HackTool - Stracciatella Execution
Potential Tampering With Security Products Via WMIC
Disable Privacy Settings Experience in Registry
Microsoft Defender Tamper Protection Trigger
Disable Security Tools
Windows Defender Threat Detection Disabled - Service
Disabled Volume Snapshots
Windows Defender Real-time Protection Disabled
Github Secret Scanning Feature Disabled
Disabled Windows Defender Eventlog
Disable Windows Defender AV Security Monitoring
Tamper Windows Defender Remove-MpPreference
Suspicious Service Installed
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.