T1562.001 Disable or Modify Tools Mappings

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
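The behaviours listed above (security processes or services stopped, tool Registry keys or configuration files changed, updates switched off) are what the SI-4 / CA-7 monitoring controls in the mapping table are meant to surface. The following detector is an added example written for this page; it is not code from MITRE, the mappings project, or any vendor. It runs over a handful of constructed endpoint events and flags those that match the technique. The watchlists are assumptions: `MsMpEng.exe`, `WinDefend` and the two Windows policy values are real Windows Defender / Windows Update names, while `edr-agent.exe`, the `edr-agent` service, its updater and `agent.conf` path are placeholder names standing in for whatever EDR is actually deployed.

```python
"""Toy T1562.001 (Disable or Modify Tools) detector over constructed telemetry.

Added example for this mappings page; not part of ATT&CK or any product.
Every watchlist below is an assumption to be replaced with the names of the
security tools actually deployed in the environment being monitored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASSUMPTION: processes and services of the security stack being protected.
# MsMpEng.exe / WinDefend are Windows Defender; edr-agent* are placeholders.
SECURITY_PROCESSES = {"msmpeng.exe", "edr-agent.exe"}
SECURITY_SERVICES = {"windefend", "edr-agent"}

# ASSUMPTION: Registry values whose change to "1" disables a tool or its updates
# (lower-cased full path -> human-readable reason).
TAMPER_REGISTRY_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware":
        "antivirus disabled through policy key",
    r"hklm\software\policies\microsoft\windows\windowsupdate\au\noautoupdate":
        "automatic updates disabled through policy key",
}

# ASSUMPTION: configuration files the tools depend on (placeholder path).
TOOL_CONFIG_FILES = {r"c:\programdata\edr-agent\agent.conf"}

# ASSUMPTION: the tool's own updater legitimately restarts its service; keep
# this list short and specific so it does not become a blanket exclusion.
TRUSTED_ACTORS = {"edr-agent-updater.exe"}


@dataclass
class Event:
    """One normalised endpoint event (constructed shape, not a vendor schema)."""
    kind: str            # process_terminate | service_stop | registry_set | file_delete | file_modify
    target: str          # process path, service name, registry value path, or file path
    actor: str = ""      # image that performed the action
    value: Optional[str] = None   # new data for registry_set events


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Return a reason string if the event looks like T1562.001, else None."""
    if _basename(ev.actor) in TRUSTED_ACTORS:
        return None
    target = ev.target.lower()

    if ev.kind == "process_terminate" and _basename(target) in SECURITY_PROCESSES:
        return f"security process terminated: {_basename(target)} by {ev.actor}"

    if ev.kind == "service_stop" and target in SECURITY_SERVICES:
        return f"security service stopped: {target} by {ev.actor}"

    if ev.kind == "registry_set":
        reason = TAMPER_REGISTRY_VALUES.get(target)
        # Only the disabling value is interesting; resetting to 0 is remediation.
        if reason and ev.value == "1":
            return f"{reason}: {ev.target} by {ev.actor}"

    if ev.kind in ("file_delete", "file_modify") and target in TOOL_CONFIG_FILES:
        verb = {"file_delete": "deleted", "file_modify": "modified"}[ev.kind]
        return f"tool configuration {verb}: {ev.target} by {ev.actor}"

    return None


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Run classify() over a stream and return (index, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample telemetry: four tampering events mixed with benign noise.
SAMPLE_EVENTS = [
    Event("process_terminate", r"C:\Program Files\Windows Defender\MsMpEng.exe", actor="taskkill.exe"),
    Event("service_stop", "WinDefend", actor="sc.exe"),
    Event("service_stop", "Spooler", actor="services.exe"),                       # benign
    Event("registry_set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
          actor="reg.exe", value="1"),
    Event("registry_set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
          actor="gpupdate.exe", value="0"),                                     # remediation, benign
    Event("file_delete", r"C:\ProgramData\edr-agent\agent.conf", actor="cmd.exe"),
    Event("service_stop", "edr-agent", actor=r"C:\ProgramData\edr-agent\edr-agent-updater.exe"),  # trusted
]

if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Running the block prints four findings (process kill, service stop, policy key set to 1, config file deleted) and stays quiet on the print spooler, the key being reset to 0, and the restart performed by the tool's own updater. The trusted-actor exclusion is the part to tune carefully: it is exactly the path an adversary would try to impersonate, so it should match the updater's full path and, in a real deployment, its code signature, not just an image name.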


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1562.001 | Disable or Modify Tools |
| AC-3 | Access Enforcement | Protects | T1562.001 | Disable or Modify Tools |
| AC-5 | Separation of Duties | Protects | T1562.001 | Disable or Modify Tools |
| AC-6 | Least Privilege | Protects | T1562.001 | Disable or Modify Tools |
| CA-7 | Continuous Monitoring | Protects | T1562.001 | Disable or Modify Tools |
| CM-2 | Baseline Configuration | Protects | T1562.001 | Disable or Modify Tools |
| CM-5 | Access Restrictions for Change | Protects | T1562.001 | Disable or Modify Tools |
| CM-6 | Configuration Settings | Protects | T1562.001 | Disable or Modify Tools |
| CM-7 | Least Functionality | Protects | T1562.001 | Disable or Modify Tools |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1562.001 | Disable or Modify Tools |
| SI-3 | Malicious Code Protection | Protects | T1562.001 | Disable or Modify Tools |
| SI-4 | System Monitoring | Protects | T1562.001 | Disable or Modify Tools |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1562.001 | Disable or Modify Tools |
| action.hacking.variety.Disable controls | Disable or interfere with security controls | related-to | T1562.001 | Disable or Modify Tools |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1562.001 | Disable or Modify Tools |