T1562.001: Disable or Modify Tools
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools. For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
supply_chain: PT-CR-1763: SupplyChain_Branch_Unprotect: A user unprotected a branch or group of branches
yandex_cloud: PT-CR-1257: Yandex_Cloud_Kubernetes_Cluster_Potentially_Dangerous_Setting_Enable: Enabling of a potentially dangerous cluster setting is detected
yandex_cloud: PT-CR-1251: Yandex_Cloud_Cluster_Potentially_Dangerous_Setting_Enable: Enabling of a potentially dangerous cluster setting is detected
yandex_cloud: PT-CR-1260: Yandex_Cloud_Kubernetes_Nodes_Potentially_Dangerous_Setting_Enable: Enabling of a potentially dangerous setting of a cluster node group is detected
acronis: PT-CR-2238: Acronis_Disabling_Active_Protection: The Acronis Active Protection service was disabled
vsphere_suspicious_user_activity: PT-CR-517: Mass_Disabling_Protective_VM: Multiple virtual machines with security software are disabled
vsphere_suspicious_user_activity: PT-CR-514: Disabling_Protective_VM: A virtual machine with installed security software is disabled
mssql_database: PT-CR-557: MSSQL_Enable_Remote_Access: An attempt to enable the Remote Access parameter of a database server
mssql_database: PT-CR-406: MSSQL_Audit_Configuration_Change: An attempt to change database audit settings
mssql_database: PT-CR-558: MSSQL_Enable_Remote_Admin_Connection: An attempt to enable the Remote Admin Connections parameter of a database server
mssql_database: PT-CR-413: MSSQL_Enable_Nonsecure_Parameter: An attempt to enable a potentially insecure parameter of a database server
mssql_database: PT-CR-561: MSSQL_Policy_Check_Off: An attempt to change the password policies of the Windows server standard that are applied to the SQL logins
kaspersky: PT-CR-743: Kaspersky_Endpoint_Disable: Kaspersky Endpoint Security is stopped
kaspersky: PT-CR-1847: Kaspersky_Admgroup_Changed: A device is moved to a new administration group
kaspersky: PT-CR-1844: Kaspersky_Remove_AV_By_Task: A task for the remote removal of the antivirus is created and run
kaspersky: PT-CR-1832: Kaspersky_Modify_Administration_Policy: A Kaspersky Security Center administration policy is changed
kaspersky: PT-CR-744: Kaspersky_Endpoint_Policy_Modification: A Kaspersky Endpoint Security policy is changed
microsoft_mecm: PT-CR-1878: MECM_Change_Configuration: Changing an existing role or adding a new role in MECM
hashicorp: PT-CR-2136: Hashicorp_Vault_Policy_Revoked: A user deleted a security policy
hashicorp: PT-CR-2133: Hashicorp_Vault_Policy_Modified: A user created or edited a security policy
mysql_database: PT-CR-614: MySQL_Audit_Disable: Attempt to disable database audit
mitre_attck_execution: PT-CR-945: Subrule_PowerShell_CLM_Bypass_4104: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell script block logging events
mitre_attck_execution: PT-CR-944: Subrule_PowerShell_CLM_Bypass_4103: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell module logging events
mitre_attck_defense_evasion: PT-CR-563: Disable_Restricted_Admin_Mode: A process changed the value of a registry key to disable Restricted Admin mode
mitre_attck_defense_evasion: PT-CR-583: Windows_Defender_Disable: Windows Defender was disabled or an exclusion was added for it
mitre_attck_defense_evasion: PT-CR-562: Disable_Credential_Guard: Credential Guard is disabled in the registry
mitre_attck_defense_evasion: PT-CR-312: Disable_LSA_Protection: LSA protection is disabled
mitre_attck_defense_evasion: PT-CR-942: Subrule_CSC_Start_And_File_Create: Starting a csc.exe process with a parent powershell.exe process and creating a library by a process is detected
mitre_attck_defense_evasion: PT-CR-1368: Disable_Sysmon: Sysmon was updated or disabled
mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: AMSI bypass method use is detected
mitre_attck_defense_evasion: PT-CR-938: PowerShell_CLM_Bypass: An attempt to bypass PowerShell Constrained Language
mitre_attck_defense_evasion: PT-CR-2489: SysmonQuiet_Usage: The Sysmon process has been accessed, which may indicate that the SysmonQuiet module is active. SysmonQuiet is an aggressor script for Cobalt Strike (requires the SeDebugPrivilege privilege). SysmonQuiet uses the reflective DLL loading method, which automatically locates the Sysmon process and patches its EtwEventWrite API, causing Sysmon to malfunction while the process and its threads are still running.
mitre_attck_defense_evasion: PT-CR-1724: Blackout_AV_Disabling: Antivirus was disabled using the Blackout utility
microsoft_sharepoint: PT-CR-2110: Sharepoint_Significant_Feature_Manipulation: A critical component is installed or removed on the SharePoint farm
zabbix: PT-CR-2053: Zabbix_Resource_Update: A user changed an object in Zabbix. This could be an attacker's attempt to disguise malicious activity, tools, or malware in the system or to escalate privileges.
zabbix: PT-CR-2056: Zabbix_Resource_Add: A user added an object to Zabbix. This could be an attacker's attempt to disguise malicious activity, tools, or malware in the system.
zabbix: PT-CR-2046: Zabbix_Auth_Settings_Changed: Authentication parameters were changed in Zabbix. This could be an attacker's attempt to escalate privileges or jeopardize system security.
zabbix: PT-CR-2045: Zabbix_Resource_Disable: An attacker can disable resources to avoid possible detection of malware/tools and actions in the system
zabbix: PT-CR-2055: Zabbix_Resource_Delete: A user deleted an object in Zabbix. This could be an attacker's attempt to disguise malicious activity, tools, or malware in the system or to disrupt the functionality of the system.
web_servers_abnormal_activity: PT-CR-1972: Web_Servers_Abnormal_Activity_Defense_Evasion: An attacker can change logging parameters to hide their activity and firewall rules to advance through the network
drweb: PT-CR-2070: DrWeb_Endpoint_Disable: Antivirus modules are disabled on a station running Dr.Web. This can relax station protection
drweb: PT-CR-2066: DrWeb_Endpoint_Policy_Modification: Dr.Web policy permissions, configuration, or components are changed. This can relax station protection
unix_mitre_attck_defense_evasion: PT-CR-1655: Unix_Disable_AppArmor: Security services on a host were disabled. This could be done by attackers to hide their activity.
unix_mitre_attck_defense_evasion: PT-CR-1653: Unix_Disable_SELinux: The access control system on a host was disabled. This could be done by attackers to hide their activity.
network_devices_compromise: PT-CR-2126: Cumulus_Disable_Logging: The logging service is disabled
network_devices_compromise: PT-CR-1818: S_Terra_Gate_Disable_Logging: The logging service is disabled
mitre_attck_persistence: PT-CR-2702: Outlook_Malicious_Actions: The most dangerous settings were changed in the Outlook client by editing registry keys. An attacker can change Outlook settings to execute arbitrary code, escalate privileges, or gain persistence in the system.
antimalware: PT-CR-2083: KSMG_Configuration_Modified: Kaspersky Secure Mail Gateway configuration is imported
clickhouse: PT-CR-1575: ClickHouse_Config_Applied: An attempt to apply configuration file settings is detected
microsoft_exchange: PT-CR-2358: Exchange_Owa_Policy_Actions: A user performed an action with a policy for Microsoft Office Outlook Web App in Exchange. This could be an attacker's attempt to weaken or disable protection mechanisms.
microsoft_exchange: PT-CR-2359: Exchange_Remove_MalwareFilter_Policy: Deletion of a malware filter policy from an Exchange organization. This could be an attacker's attempt to weaken or disable protection mechanisms.
microsoft_exchange: PT-CR-2354: Exchange_Journal_Rule_Actions: A user performed an action with a journal rule in Exchange. This could be an attacker's attempt to hide their actions or disrupt the availability of system and network resources.
vmware_aria: PT-CR-2373: AOFL_Massive_Alerts_Remove: Mass deletion of alerts can indicate an attacker attempting to conceal their actions with the Aria Operations for Logs monitoring objects
vmware_aria: PT-CR-2371: AOFL_Massive_Change_Agent_Groups: Mass change of agent groups can indicate an attacker attempting to conceal their actions with the Aria Operations for Logs monitoring objects
vmware_aria: PT-CR-2376: AOFL_Change_Global_Agent_Config: A change in the global configuration of agents can indicate an attempt to limit the data collected from the Aria Operations for Logs monitoring objects
infowatch_tm: PT-CR-2513: Infowatch_TM_Notifications_Manipulation: A security notification template is changed. This can increase the response time for non-tolerable events.
infowatch_tm: PT-CR-2516: Infowatch_TM_Policy_Manipulation: Changing policies and rules may result in weakened host security
redis: PT-CR-1988: Redis_Config_Rewrite: Configuration file was overwritten
redis: PT-CR-1987: Redis_Possible_Security_Attack_Or_Maxmemory_Setting: Redis attack protection system was triggered. This may be caused by cross-site scripting or a suspicious change to the "maxmemory" configuration parameter.
security_code_secret_net_lsp: PT-CR-1893: SecretNet_LSP_Policy_Change: Secret Net LSP policy change
security_code_secret_net_lsp: PT-CR-1885: SecretNet_LSP_Disable_Rule: Disabling or deleting a Secret Net LSP rule
postgresql_database: PT-CR-1831: PostgreSQL_Disable_Security_Options: Disabling PostgreSQL database security parameters reduces the security level of the data stored
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0013 | Sensor Health: Host Status | Lack of expected log events may be suspicious. Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services such as Windows Defender definition files in Windows and System log files in Linux. |
| DS0017 | Command: Command Execution | Monitor for the execution of commands and arguments associated with disabling or modification of security software processes or services such as |
| DS0009 | Process: Process Termination | Monitor processes for unexpected termination related to security tools/services. Specifically, before execution of ransomware, monitor for rootkit tools, such as GMER, PowerTool or TDSSKiller, that may detect and terminate hidden processes and the host antivirus software. |
| DS0009 | Process: Process Creation | In an attempt to avoid detection after compromising a machine, threat actors often try to disable Windows Defender. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, thereby potentially leading to further compromise of the network. Note: Though this analytic is utilizing Event ID 1 for process creation, the arguments are specifically looking for the use of service control for querying or trying to stop Windows Defender. Analytic 1 - Detecting Tampering of Windows Defender Command Prompt |
| DS0019 | Service: Service Metadata | Monitor for telemetry that provides context of security software services being disabled or modified. In cloud environments, monitor virtual machine logs for the status of cloud security agents. Spyware and malware remain a serious problem and Microsoft developed security services, Windows Defender and Windows Firewall, to combat this threat. In the event Windows Defender or Windows Firewall is turned off, administrators should correct the issue immediately to prevent the possibility of infection or further infection and investigate to determine if caused by crash or user manipulation. Note: Windows Event code 7036 from the System log identifies if a service has stopped or started. This analytic looks for “Windows Defender” or “Windows Firewall” that has stopped. Analytic 1 - User Activity from Stopping Windows Defensive Services |
| DS0024 | Windows Registry: Windows Registry Key Modification | Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender. |
| DS0024 | Windows Registry: Windows Registry Key Deletion | Monitor for deletion of Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Microsoft\AMSI\Providers. |
| DS0027 | Driver: Driver Load | Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products. |
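The detection analytics above (service control against Windows Defender seen in process-creation events, the Event 7036 service-stopped check, and the Windows Defender, AMSI and Sysmon Autologger registry paths named on this page) as runnable triage logic over constructed event records. This is an added example, not MITRE or Positive Technologies code; the event field names assume a Sysmon/Windows event pipeline, and the service names WinDefend and MpsSvc are assumptions about the environment.

```python
import re

# Service names behind "Windows Defender" and "Windows Firewall" (assumed for this
# example; extend with the EDR/AV services deployed in your environment).
DEFENSIVE_SERVICES = {"windefend", "mpssvc"}
# Registry paths this page lists, in the HKLM\ form Sysmon writes to TargetObject
# (the page gives the Defender and AMSI paths in PowerShell HKLM:\ notation).
SENSITIVE_REG_PREFIXES = (
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKLM\SOFTWARE\Microsoft\AMSI\Providers",
    r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational",
)
# sc.exe [\\server] <verb> <service> ...; the page's analytic keys on query/stop.
SC_RE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?(query|stop|config|delete)\s+(\S+)", re.I)
# System log Event 7036 message shape: "The <display name> service entered the <state> state."
SVC_7036_RE = re.compile(r"The (.+?) service entered the (\w+) state")
DEFENSIVE_DISPLAY_NAMES = ("Windows Defender", "Windows Firewall")


def classify(event):
    """Return a verdict string for one event record, or None if it matches no analytic."""
    eid = event["EventID"]
    if eid == 1:  # Sysmon process creation: service control aimed at a defensive service
        m = SC_RE.search(event.get("CommandLine", ""))
        if m and m.group(2).lower() in DEFENSIVE_SERVICES:
            return "sc-defensive-service-" + m.group(1).lower()
    elif eid == 13:  # Sysmon registry value set beneath a security-tool key
        target = event.get("TargetObject", "").lower()
        if any(target.startswith(p.lower()) for p in SENSITIVE_REG_PREFIXES):
            return "security-registry-modified"
    elif eid == 7036:  # System log: a Defender / Firewall service entered the stopped state
        m = SVC_7036_RE.search(event.get("Message", ""))
        if m and m.group(2).lower() == "stopped" and any(n in m.group(1) for n in DEFENSIVE_DISPLAY_NAMES):
            return "defensive-service-stopped"
    return None


def scan(events):
    """Return (index, verdict) for every event that trips one of the analytics."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e)) is not None]


# Constructed sample events (not real telemetry), shaped like the three sources above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc  stop WinDefend"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query Spooler"},
    {"EventID": 13, "Details": "DWORD (0x00000000)", "TargetObject":
     r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational\Start"},
    {"EventID": 7036, "Message": "The Windows Defender Antivirus Service service entered the stopped state."},
    {"EventID": 7036, "Message": "The Print Spooler service entered the running state."},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 2 and 3 and ignores the benign `sc query Spooler` and the Print Spooler start; the Autologger hit is the Sysmon-tampering case from the description above, where Start is set to 0.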
Mitigation
| ID | Name | Description |
|---|---|---|
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services. |
| M1038 | Execution Prevention | Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services. |