Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.CM-09.02 | Hardware integrity checking | Mitigates | T1562.001 | Disable or Modify Tools |
Comments
This diagnostic statement provides protection from Disable or Modify Tools through the implementation of integrity checking mechanisms. For example, integrity checking mechanisms to verify the operating system, software, firmware, and information integrity before loading it prevents abuse by a threat actor.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1562.001 | Disable or Modify Tools |
Comments
This diagnostic statement protects against Disable or Modify Tools through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2023-22952 | Multiple SugarCRM Products Remote Code Execution Vulnerability | secondary_impact | T1562.001 | Disable or Modify Tools |
Comments
This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated attacker via a crafted request can inject custom PHP code through the EmailTemplates because of missing input validation.
This vulnerability has been exploited by threat actors to gain initial access to AWS accounts by injecting custom PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the Root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs.
The exploit in question is actively being used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, allowing the execution of commands specified in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute the command "/bin/id" with the same permissions as the web service's user.
References
|
| CVE-2020-5902 | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | secondary_impact | T1562.001 | Disable or Modify Tools |
Comments
CVE-2020-5902 is a RCE vulnerability in the Traffic Management User Interface (TMUI) that allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code.The Traffic Management User Interface (TMUI)
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Disable controls | Disable or interfere with security controls | related-to | T1562.001 | Disable or Modify Tools | |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1562.001 | Disable or Modify Tools |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: "Microsoft Sentinel Analytics Rules Administrative Operations", "Microsoft Sentinel Connectors Administrative Operations", and "Microsoft Sentinel Workbooks Administrative Operations".
The Microsoft Sentinel Analytics "Starting or Stopping HealthService to Avoid Detection" query can detect potentially malicious disabling of telemetry collection/detection.
The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
This control can be used to monitor Registry keys related to security software or event logging processes that can detect when an adversary attempts to disable these tools via modifying or deleting Registry keys. A majority of the cited procedure examples for this sub-technique are related to killing security processes rather than modifying the Registry, and therefore the detection coverage for this control is low.
References
|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
This control may detect when critical services have been disabled, such as Windows Security Center. This control may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".
References
|
| defender_for_resource_manager | Microsoft Defender for Resource Manager | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
The following alerts are available for Windows Defender security features being disabled but none for third party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| resource_manager | Resource Manager | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
This control adopts the security principle of least privilege, which grants necessary access to user's resources when justified and needed. This control manages access control and ensures proper user permissions are in place to prevent adversaries that try to modify and/or disable security tools.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
The following GuardDuty findings provide indicators of malicious activity in defense measures:
Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller
References
|
| amazon_inspector | Amazon Inspector | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|
| aws_config | AWS Config | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
The "ec2-managedinstance-applications-required" managed rule verifies that all applications in a pre-defined list of requirements are installed on specified managed instances, and is run on configuration changes. It will not detect modification to those applications, but will detect if they are uninstalled. The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances, and can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1562.001 | Disable or Modify Tools |
Comments
AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes
This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.) such as when they stop logging or other configuration changes are made.
"Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues"
References
|