T1562.001 Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via File/Path Exclusions.(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)

Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
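The Sysmon Autologger check described above, written out as an added defender-side audit script (not from the ATT&CK page or the Sysmon project). It assumes a value of 1 is the healthy state for `Start` and `Enable`, that `Enable`/`Enabled` may live on the session key or its per-provider subkeys, and that Security Event ID 4657 is only emitted when registry auditing and a SACL are configured on the key.

```powershell
# Added example: audit the Sysmon Autologger registry values and look for
# Security-log evidence of them being modified. Assumptions are noted inline.
$SysmonAutologger = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational'

function Test-SysmonAutologger {
    param([string]$Path = $SysmonAutologger)
    if (-not (Test-Path -Path $Path)) {
        # Deleting the session key stops Sysmon's ETW session entirely; treat as tampered
        return [pscustomobject]@{ Status = 'Tampered'; Findings = @("Autologger key missing: $Path") }
    }
    $findings = @()
    $props = Get-ItemProperty -Path $Path
    # Assumption: Start=1 means the session is started at boot
    if ($props.Start -ne 1) { $findings += "Start=$($props.Start) (expected 1)" }
    # 'Enable' may sit on the session key itself or on the provider subkeys beneath it
    $targets = @($Path) + @(Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
    foreach ($t in $targets) {
        $p = Get-ItemProperty -Path $t
        foreach ($name in 'Enable', 'Enabled') {
            if ($null -ne $p.$name -and $p.$name -ne 1) {
                $findings += "$(Split-Path -Path $t -Leaf): $name=$($p.$name) (expected 1)"
            }
        }
    }
    $status = if ($findings.Count -eq 0) { 'OK' } else { 'Tampered' }
    [pscustomobject]@{ Status = $status; Findings = $findings }
}

function Get-SysmonAutologgerChanges {
    # Security 4657 = "A registry value was modified". Only present when the
    # "Audit Registry" subcategory is on and the key carries a matching SACL.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Autologger\\EventLog-Microsoft-Windows-Sysmon-Operational' } |
        Select-Object TimeCreated, Message
}

# Usage: run elevated on a host with Sysmon installed
$result = Test-SysmonAutologger
"Sysmon autologger: $($result.Status)"
$result.Findings | ForEach-Object { "  - $_" }
Get-SysmonAutologgerChanges -Hours 24 | Format-List
```

Pair the value check with a scheduled comparison against a known-good baseline; a `Status` of `Tampered` with no matching 4657 event usually means registry auditing was never enabled on the key.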

On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)


CSA CCM Mappings

Each mapping below lists the CSA CCM capability, its mapping type, the ATT&CK technique it maps to, and the mapping comments. No references are listed for any of the entries.

IAM-16 Authorization Mechanisms | mitigates | T1562.001 Disable or Modify Tools
Comments: This control requires both CSP and CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.

I&S-04 OS Hardening and Base Controls | mitigates | T1562.001 Disable or Modify Tools
Comments: This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Use of application control, especially regarding the execution of tools outside of security policies, and ensuring that only approved security applications are used can prevent adversaries from maliciously modifying an environment to hinder or disable security tools.

UEM-05 Endpoint Management | mitigates | T1562.001 Disable or Modify Tools
Comments: This control provides for the implementation of best practices for endpoint management. Malicious modification or disabling of security tools can be mitigated by implementing application control, script blocking, and other execution prevention mechanisms.

LOG-10 Audit Records Protection | mitigates | T1562.001 Disable or Modify Tools
Comments: This control requires both CSP and CSC to independently protect audit logs by enforcing strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and so forth, so that the logs remain usable for investigations or legal proceedings.

LOG-04 Audit Logs Access and Accountability | mitigates | T1562.001 Disable or Modify Tools
Comments: This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and any access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

LOG-02 Audit Logs Protection | mitigates | T1562.001 Disable or Modify Tools
Comments: This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring logs remain available and trustworthy for investigations and protected against improper modification and tampering.

UEM-14 Third-Party Endpoint Security Posture | mitigates | T1562.001 Disable or Modify Tools
Comments: This control provides for the implementation of best practices for third-party endpoint management. Malicious modification or disabling of security tools can be mitigated by implementing application control, script blocking, and other execution prevention mechanisms.