T1562.001 Disable or Modify Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.


Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1562.001 | Disable or Modify Tools
Comments: This control may detect when critical services have been disabled, such as Windows Security Center. It may also detect when IIS logging has been disabled. The following alerts may be generated: "Detected the disabling of critical services", "Detected actions indicative of disabling and deleting IIS log files".

azure_defender_for_resource_manager | Azure Defender for Resource Manager | technique_scores | T1562.001 | Disable or Modify Tools
Comments: The following alerts are available for Windows Defender security features being disabled, but none for third-party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".

azure_sentinel | Azure Sentinel | technique_scores | T1562.001 | Disable or Modify Tools
Comments: The following Azure Sentinel Hunting queries can identify potentially malicious modifications to Sentinel resources: "Azure Sentinel Analytics Rules Administrative Operations", "Azure Sentinel Connectors Administrative Operations", and "Azure Sentinel Workbooks Administrative Operations". The Azure Sentinel Analytics query "Starting or Stopping HealthService to Avoid Detection" can detect potentially malicious disabling of telemetry collection and detection. The coverage provided by these queries is minimal, resulting in an overall Minimal score.

file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1562.001 | Disable or Modify Tools
Comments: This control can monitor Registry keys related to security software or event logging processes, and so can detect when an adversary attempts to disable these tools by modifying or deleting Registry keys. A majority of the cited procedure examples for this sub-technique involve killing security processes rather than modifying the Registry, so the detection coverage of this control is low.