Common Information
Type | Value
---|---
Value | Disable or Modify Tools - T1562.001
Category | Attack-Pattern
Type | Mitre-Attack-Pattern
Misp Type | Cluster
Description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware) Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Adversaries may also focus on specific applications such as Sysmon. For example, the "Start" and "Enable" values in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational` may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369) In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor. Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk) Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)
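The description names the Sysmon ETW autologger values as a concrete tampering target. The following PowerShell audit is an added example, not part of the MISP record or of MITRE's own content: it checks those values against an assumed healthy baseline (Start = 1, Enable = 1), confirms the Sysmon service is running (assuming the default service names `Sysmon64` or `Sysmon`), and flags a stale operational channel (the 30-minute freshness threshold is an assumption to tune per environment).

```powershell
# Added example: audit for T1562.001-style tampering with Sysmon logging.
# Assumptions (not from the page): healthy baseline is Start=1 and Enable=1,
# Sysmon service name is Sysmon64 or Sysmon, events older than 30 min are suspect.
$autologger = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational'
$findings = @()

# 1. Autologger registry values named in the technique description.
if (-not (Test-Path $autologger)) {
    $findings += "Autologger key missing: $autologger"
} else {
    $props = Get-ItemProperty -Path $autologger
    foreach ($name in 'Start', 'Enable') {
        $value = $props.$name
        if ($null -eq $value) {
            $findings += "Autologger value '$name' is absent"
        } elseif ($value -ne 1) {
            $findings += "Autologger value '$name' is $value (expected 1)"
        }
    }
}

# 2. Sysmon service presence and state (killing the service is the simplest form of the technique).
$svc = Get-Service -Name 'Sysmon64', 'Sysmon' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($null -eq $svc) {
    $findings += 'Sysmon service not found'
} elseif ($svc.Status -ne 'Running') {
    $findings += "Sysmon service state is $($svc.Status)"
}

# 3. Is the operational channel still receiving events? Check the age of the newest record.
$latest = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $latest) {
    $findings += 'No events readable from Microsoft-Windows-Sysmon/Operational'
} elseif ($latest.TimeCreated -lt (Get-Date).AddMinutes(-30)) {
    $findings += "Newest Sysmon event is from $($latest.TimeCreated); logging may have been stopped"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Sysmon autologger, service and channel look intact'
} else {
    $findings | ForEach-Object { Write-Output "TAMPER-INDICATOR: $_" }
}
```

Run it from an elevated session on a scheduled basis and forward any `TAMPER-INDICATOR` lines to the SIEM; pairing it with registry-modification auditing (Security event 4657) on the autologger key gives the change itself, not only its after-effect.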
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2022-09-13 | 78 | ProxyShell exploitation leads to BlackByte ransomware - Red Canary
Details | Website | 2022-09-12 | 19 | What is Crypto Malware and How to Defend Against Cryptojacking? - SOC Prime
Details | Website | 2022-09-06 | 54 | Mythic Case Study: Assessing Common Offensive Security Tools
Details | Website | 2022-08-31 | 156 | Ryuk Ransomware: History, Timeline, and Adversary Simulation - FourCore
Details | Website | 2022-08-25 | 40 | Threat Assessment: Black Basta Ransomware
Details | Website | 2022-08-25 | 66 | Russia/Ukraine Update - August 2022
Details | Website | 2022-07-25 | 104 | Shelob Moonlight – Spinning a Larger Web - Cynet
Details | Website | 2022-07-21 | 12 | Identifying detection opportunities in cryptojacking attacks
Details | Website | 2022-07-05 | 27 | Ransomware Spotlight: BlackByte - Security News - Trend Micro MY
Details | Website | 2022-06-30 | 65 | UNKNOWN
Details | Website | 2022-06-10 | 25 | China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Details | Website | 2022-06-09 | 31 | LockBit 2.0: How This RaaS Operates and How to Protect Against It
Details | Website | 2022-06-09 | 31 | Lyceum .NET DNS Backdoor \| Zscaler
Details | Website | 2022-06-07 | 37 | BlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive
Details | Website | 2022-06-02 | 99 | To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions \| Mandiant
Details | Website | 2022-06-02 | 63 | LockBit 3.0 Ransomware Unlocked
Details | Website | 2022-06-02 | 29 | 8Base Ransomware: A Heavy Hitting Player
Details | Website | 2022-05-17 | 21 | Ransomware Spotlight: RansomEXX - Security News
Details | Website | 2022-05-09 | 96 | SEO Poisoning – A Gootloader Story
Details | Website | 2022-04-28 | 84 | An Overview of the Increasing Wiper Malware Threat \| FortiGuard Labs
Details | Website | 2022-04-27 | 57 | UNC2452 Merged into APT29 \| Russia-Based Espionage Group
Details | Website | 2022-04-07 | 32 | Looking Inside Pandora's Box \| FortiGuard Labs
Details | Website | 2022-04-04 | 113 | Stolen Images Campaign Ends in Conti Ransomware
Details | Website | 2022-03-25 | 125 | Tales of Ransomwares 2021
Details | Website | 2022-03-23 | 67 | Midas Ransomware: Tracing the Evolution of Thanos Ransomware Variants