Common Information
| Type | Value |
|---|---|
| Value |
Disable or Modify Tools - T1562.001 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2023-10-31 | 18 | More Than Just a RAT: Unveiling NjRAT's MBR Wiping Capabilities | ||
| Details | Website | 2023-10-30 | 154 | NetSupport Intrusion Results in Domain Compromise - The DFIR Report | ||
| Details | Website | 2023-10-25 | 94 | A pirated program downloaded from a torrent site infected hundreds of thousands of users | ||
| Details | Website | 2023-10-23 | 273 | Red Team Tools | ||
| Details | Website | 2023-10-17 | 92 | Anomali Cyber Watch: RomCom 4.0 Targeted Female Politicians, Israeli RedAlert App Impersonated, and More. – Anomali | ||
| Details | Website | 2023-10-10 | 21 | Malware Trends Report: Q3, 2023 - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2023-10-06 | 39 | Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads | ||
| Details | Website | 2023-09-29 | 62 | PurpleFox Resurfaces Via Spam Emails: A Look Into Its Recent Campaign | ||
| Details | Website | 2023-09-26 | 37 | Exela Stealer Spotted Targeting Social Media Giants | ||
| Details | Website | 2023-09-24 | 49 | Deadglyph: a new advanced backdoor from Stealth Falcon | ||
| Details | Website | 2023-09-20 | 26 | Dark Web Profile: NoEscape Ransomware | ||
| Details | Website | 2023-09-18 | 20 | Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks | ||
| Details | Website | 2023-09-18 | 90 | DBatLoader: Actively Distributing Malwares Targeting European Businesses | ||
| Details | Website | 2023-09-18 | 57 | Emerging Threat: Understanding the PySilon Discord RAT's Versatile Features | ||
| Details | Website | 2023-09-15 | 110 | Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware | ||
| Details | Website | 2023-09-15 | 816 | UNC3944: SMS Phishing, SIM Swapping, and Ransomware Attacks | ||
| Details | Website | 2023-09-06 | 64 | Summer '23 Cryptomining Attacks: Analysis + Recommendations | Wiz Blog | ||
| Details | Website | 2023-09-05 | 41 | Dark Web Profile: Medusa Ransomware (MedusaLocker) | ||
| Details | Website | 2023-08-28 | 42 | Kaspersky Lab’s technical analysis of Lockbit v3 Builder | ||
| Details | Website | 2023-08-25 | 195 | Russia/Ukraine Update - August 2023 | ||
| Details | Website | 2023-08-24 | 119 | Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants | ||
| Details | Website | 2023-08-23 | 70 | Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat | ||
| Details | Website | 2023-08-17 | 30 | Cuba Ransomware Deploys New Tools: BlackBerry Discovers Targets Including Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America | ||
| Details | Website | 2023-08-09 | 56 | AgentTesla Malware Targets Users with Malicious Control Panel File | ||
| Details | Website | 2023-08-07 | 52 | Dark Web Profile: Big Head Ransomware |