Common Information
| Type | Value |
|---|---|
| Value |
Disable or Modify Tools - T1562.001 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-14 | 39 | Blinded by Silence | ||
| Details | Website | 2024-11-09 | 19 | TRACKING RANSOMWARE : OCTOBER 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting | ||
| Details | Website | 2024-11-07 | 28 | Helldown Ransomware – A New Emerging Ransomware Threat | ||
| Details | Website | 2024-11-04 | 57 | Threat Intelligence Report October 29 - November 4 2024 | Red Piranha | ||
| Details | Website | 2024-11-03 | 35 | Threat Actor — Cl0P | ||
| Details | Website | 2024-11-01 | 43 | Ngioweb Remains Active 7 Years Later | ||
| Details | Website | 2024-11-01 | 9 | Malware Analysis: ValleyRAT TTPs and Defense Strategies | ||
| Details | Website | 2024-11-01 | 62 | Weekly Intelligence Report - 01 Nov 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting | ||
| Details | Website | 2024-10-30 | 154 | Крысиный король: как Android-троян CraxsRAT ворует данные пользователей | Блог F.A.C.C.T. | ||
| Details | Website | 2024-10-29 | 19 | Ransomware: Kill Security | ||
| Details | Website | 2024-10-28 | 21 | Malware Trends Report: Q3, 2024 | ||
| Details | Website | 2024-10-24 | 16 | Talos IR trends Q3 2024: Identity-based operations loom large | ||
| Details | Website | 2024-10-24 | 40 | ValleyRAT Insights: Tactics, Techniques, and Detection Methods | Splunk | ||
| Details | Website | 2024-10-23 | 5 | EDRSilencer — Red Team Tool | ||
| Details | Website | 2024-10-23 | 76 | Embargo ransomware: Rock’n’Rust | ||
| Details | Website | 2024-10-22 | 21 | Malware Trends Report: Q3, 2024 | ||
| Details | Website | 2024-10-22 | 21 | Malware Trends Report: Q3, 2024 - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2024-10-18 | 56 | Vietnamese Threat Actor’s Multi-Layered Strategy On Digital Marketing Professionals - Cyble | ||
| Details | Website | 2024-10-15 | 62 | Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions | ||
| Details | Website | 2024-10-13 | 17 | Fog Ransomware – Technical Analysis | Blog | Dark Atlas | Dark Web Monitoring Platform | Compromised Credentials Monitoring | Account Takeover Prevention Platform | Threat Intelligence | Buguard | ||
| Details | Website | 2024-10-11 | 71 | Weekly Intelligence Report - 11 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-10-10 | 18 | Technical Analysis of DarkVision RAT | ||
| Details | Website | 2024-10-04 | 32 | LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits | ||
| Details | Website | 2024-10-04 | 100 | Агент SIEM используется в атаках SilentCryptoMiner | ||
| Details | Website | 2024-10-04 | 100 | SIEM agent being used in SilentCryptoMiner attacks |