Common Information
| Type | Value |
|---|---|
| Value |
Disable or Modify Tools - T1562.001 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational</code> may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2023-01-03 | 43 | Know Your Adversary: Cuba Ransomware | ||
| Details | Website | 2023-01-03 | 13 | Cloud Forensic Write-up Investigating Cloud and Container Compromised Simulator using Cado Security… | ||
| Details | Website | 2023-01-02 | 47 | Dark Web Profile: MuddyWater APT Group - SOCRadar | ||
| Details | Website | 2022-12-24 | 43 | Know Your Adversary: Cuba Ransomware | ||
| Details | Website | 2022-12-20 | 133 | Russia/Ukraine Update - December 2022 | ||
| Details | Website | 2022-12-19 | 595 | Blog | ||
| Details | Website | 2022-12-13 | 47 | Venom RAT expands its operations by adding a Stealer Module | ||
| Details | Website | 2022-12-08 | 76 | CISA Alert AA22-335A: Cuba Ransomware Analysis, Simulation, TTPs & IOCs | ||
| Details | Website | 2022-12-06 | 78 | Vice Society: Profiling a Persistent Threat to the Education Sector | ||
| Details | Website | 2022-12-06 | 26 | Operation Bleeding Bear — Elastic Security Labs | ||
| Details | Website | 2022-12-01 | 47 | DuckLogs - New Malware Strain Spotted In The Wild | ||
| Details | Website | 2022-11-29 | 132 | Russia/Ukraine Update - November 2022 | ||
| Details | Website | 2022-11-25 | 49 | Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA | ||
| Details | Website | 2022-11-18 | 19 | U.S. Federal Network Hacked – APT Hackers Compromised Domain Controller | ||
| Details | Website | 2022-11-16 | 32 | Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA | ||
| Details | Website | 2022-11-02 | 222 | New Laplas Clipper Distributed via SmokeLoader | ||
| Details | Website | 2022-10-27 | 37 | Ransomware Spotlight: BlackCat - Security News | ||
| Details | Website | 2022-10-18 | 38 | APT27 - One Year To Exfiltrate Them All: Intrusion In-Depth Analysis | ||
| Details | Website | 2022-10-14 | 39 | Online File Converter Phishing Page Spreads RedLine Stealer | ||
| Details | Website | 2022-10-05 | 29 | SafeBreach Coverage for US-CERT Alert (AA22-277A) – Use of Impacket and CovalentStealer to Steal Sensitive Data | ||
| Details | Website | 2022-10-04 | 34 | Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization | CISA | ||
| Details | Website | 2022-09-29 | 68 | Russia/Ukraine Update - September 2022 | ||
| Details | Website | 2022-09-26 | 26 | BlackMatter Ransomware Analysis; The Dark Side Returns | ||
| Details | Website | 2022-09-22 | 24 | Hunting attackers using Microsoft Protection Logs (MPLogs)! | ||
| Details | Website | 2022-09-15 | 41 | Erbium Stealer, a new Infostealer enters the scene |