| ID | Name |
| --- | --- |
| T1562.001 | Disable or Modify Tools |
| T1562.002 | Disable Windows Event Logging |
| T1562.003 | Impair Command History Logging |
| T1562.004 | Disable or Modify System Firewall |
| T1562.007 | Disable or Modify Cloud Firewall |
| T1562.008 | Disable Cloud Logs |
| T1562.009 | Safe Mode Boot |
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.
Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.
Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg. It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.
Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.
| ID | Mitigation | Description |
| --- | --- | --- |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |
| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| | | | Monitor for the execution of commands and arguments associated with disabling or modification of security software processes or services such as |
| | | | Monitor processes for unexpected termination related to security tools/services. |
| DS0013 | Sensor Health | Host Status | Lack of expected log events may be suspicious. Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services such as Windows Defender definition files in Windows and System log files in Linux. |
| | | | Monitor for telemetry that provides context of security software services being disabled or modified. |
| DS0024 | Windows Registry | Windows Registry Key Deletion | Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Microsoft\AMSI\Providers. |
| DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender. |
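As an added worked example (not part of the ATT&CK page), the registry-tampering and process-termination detections above expressed as a small rule set run over Sysmon-style event records in Python. The two registry paths are the ones named in the table; the event field names follow Sysmon's registry events (12/13/14) and process-terminate event (5); the process watchlist and every sample event are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Registry paths from the detection guidance; matched as prefixes so subkeys and values count.
WATCHED_KEYS = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKLM\SOFTWARE\Microsoft\AMSI\Providers",
)
# Assumed watchlist of security-tool process images (the Windows Defender engine is one example).
WATCHED_PROCESSES = {"msmpeng.exe"}

@dataclass
class Alert:
    rule: str    # which T1562.001 data component fired
    detail: str  # the artifact involved

def _norm_key(path: str) -> str:
    """Normalise both 'HKEY_LOCAL_MACHINE\\' and 'HKLM\\' spellings to lower-case 'hklm\\...'."""
    return re.sub(r"^hkey_local_machine\\", r"hklm\\", path.lower())

def evaluate(event: dict):
    """Map one Sysmon-style event (dict of fields) to an Alert, or None if it is benign."""
    eid = event.get("EventID")
    if eid in (12, 13, 14):  # registry object add/delete, value set, key rename
        target = _norm_key(event.get("TargetObject", ""))
        if any(target.startswith(_norm_key(k)) for k in WATCHED_KEYS):
            etype = event.get("EventType", "")
            rule = "Windows Registry Key Deletion" if etype.startswith("Delete") else "Windows Registry Key Modification"
            return Alert(rule, f"{etype} {event.get('TargetObject')} by {event.get('Image')}")
    if eid == 5:  # process terminated
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image in WATCHED_PROCESSES:
            return Alert("Process Termination", f"{image} (pid {event.get('ProcessId')}) exited")
    return None

def scan(events: list) -> list:
    """Run evaluate() over a stream of events and return the alerts raised, in order."""
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample events: a Defender policy value set, an AMSI provider key deleted (placeholder
# CLSID), the Defender engine terminated, and an unrelated registry write that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\AMSI\Providers\{EXAMPLE-CLSID}"},
    {"EventID": 5, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "ProcessId": 4321},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example"},
]
```

Calling `scan(SAMPLE_EVENTS)` yields three alerts (modification, deletion, termination) and nothing for the unrelated Run-key write; a production rule would add the command-line patterns the page's Command Execution row leaves unspecified.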