T1562.001

Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(...

Platforms: Containers, IaaS, Linux, macOS, Network Devices, Windows

300 detections, 4 sources, 30 threat actors

By source: 124 sigma, 97 splunk_escu, 78 elastic, 1 crowdstrike_cql
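The technique description above names the primitives this behaviour relies on: killing security processes or services, editing Registry keys or configuration files, and switching off protection, logging or telemetry. The Python below is added here as a worked example; it is not code from this page or from any of the rule sources it aggregates. It runs two kinds of detection over constructed process-creation events: single-event command-line matches for the Registry, PowerShell, service-control, process-kill, firewall and Linux auditd/SELinux/iptables primitives, and a per-host taskkill count in the style of a threshold rule such as the ESCU "Excessive Usage Of Taskkill" entry listed further down. The rule names, regexes, threshold, parent-process tuning allowlist and every sample event are assumptions made for illustration only.

```python
"""Detection logic for T1562.001 (Disable or Modify Tools) run over constructed
process-creation events.  Added example for this page: rule names, regexes, the
threshold, the tuning allowlist and every sample event are hypothetical and only
illustrate the kinds of rule listed below (none is a Sigma/ESCU/Elastic/CQL rule)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    platform: str        # "windows" or "linux"; a rule fires only on events of its platform
    pattern: re.Pattern  # searched in the full command line
    level: str


# One rule per tampering primitive the technique description names: Registry edits,
# disabling a security feature or service, killing a security process, firewall/logging off.
RULES = [
    Rule("Defender feature disabled via Registry (reg.exe)", "windows",
         re.compile(r"\breg(\.exe)?\s+add\b.*Windows Defender.*/v\s+Disable\w+.*/d\s+1\b", re.I), "high"),
    Rule("Set-MpPreference disables a Defender feature", "windows",
         re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I), "high"),
    Rule("Security service startup set to disabled via sc.exe", "windows",
         re.compile(r"\bsc(\.exe)?\s+config\s+(WinDefend|Sense|wscsvc|MsMpSvc)\s+start=\s*disabled\b", re.I), "high"),
    Rule("Security process terminated via taskkill", "windows",
         re.compile(r"\btaskkill(\.exe)?\b.*/IM\s+(MsMpEng|MsSense|SenseIR|NisSrv)\.exe", re.I), "medium"),
    Rule("Windows Firewall disabled via netsh", "windows",
         re.compile(r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I), "medium"),
    Rule("Audit or syslog service stopped via systemctl", "linux",
         re.compile(r"\bsystemctl\s+(stop|disable|mask)\s+(auditd|rsyslog|syslog)\b"), "medium"),
    Rule("SELinux switched to permissive", "linux",
         re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I), "high"),
    Rule("iptables rules flushed", "linux",
         re.compile(r"\biptables\s+(-F|--flush)\b"), "medium"),
]
TASKKILL_THRESHOLD = 5  # threshold-style rule: this many taskkill runs on one host, any target
TUNED_PARENTS = {r"c:\windows\ccm\ccmexec.exe"}  # hypothetical: agent that legitimately pushes Defender policy


def match_events(events, rules=RULES):
    """Return one alert per (event, rule) pair whose command line matches the rule."""
    alerts = []
    for ev in events:
        if ev.get("parent_image", "").lower() in TUNED_PARENTS:
            continue  # tuning exclusion; in production record the suppression instead of dropping silently
        for rule in rules:
            if rule.platform == ev["platform"] and rule.pattern.search(ev["command_line"]):
                alerts.append({"rule": rule.name, "level": rule.level,
                               "host": ev["host"], "command_line": ev["command_line"]})
    return alerts


def excessive_taskkill(events, threshold=TASKKILL_THRESHOLD):
    """Return {host: count} for hosts that ran taskkill at least `threshold` times."""
    counts = Counter(ev["host"] for ev in events if ev["platform"] == "windows"
                     and re.match(r'"?taskkill(\.exe)?\b', ev["command_line"], re.I))
    return {host: n for host, n in counts.items() if n >= threshold}


def summarize(events):
    """Roll both detection types up into the numbers an analyst would triage."""
    alerts = match_events(events)
    return {"alerts": len(alerts),
            "by_level": dict(Counter(a["level"] for a in alerts)),
            "excessive_taskkill_hosts": sorted(excessive_taskkill(events))}


def _ev(host, platform, command_line, parent_image=""):
    return {"host": host, "platform": platform, "command_line": command_line, "parent_image": parent_image}


CMD = r"C:\Windows\System32\cmd.exe"
DISABLE_AV = r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    _ev("WS-01", "windows", DISABLE_AV, CMD),
    _ev("WS-01", "windows", 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"', CMD),
    _ev("WS-01", "windows", "sc.exe config WinDefend start= disabled", CMD),
    _ev("WS-01", "windows", "taskkill.exe /F /IM MsMpEng.exe", CMD),
    _ev("WS-01", "windows", r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows Defender"', CMD),  # benign
    _ev("WS-03", "windows", DISABLE_AV, r"C:\Windows\CCM\CcmExec.exe"),  # same command, tuned-out parent
    _ev("SRV-01", "linux", "systemctl stop auditd"),
    _ev("SRV-01", "linux", "setenforce 0"),
    _ev("SRV-01", "linux", "iptables -F"),
    _ev("SRV-01", "linux", "systemctl status auditd"),  # benign
] + [_ev("WS-02", "windows", f"taskkill /F /IM {p}.exe", CMD)
     for p in ("notepad", "excel", "winword", "outlook", "chrome")]

if __name__ == "__main__":
    for a in match_events(SAMPLE_EVENTS):
        print(f'[{a["level"]}] {a["host"]}: {a["rule"]} <- {a["command_line"]}')
    print(summarize(SAMPLE_EVENTS))
```

Run it directly to print the seven alerts and the per-host taskkill summary, or import it and call summarize(). Two caveats carry over to real rules of this kind. Command-line matching is the cheapest detection layer and is bypassed by obfuscation, encoded PowerShell, or direct API calls that never spawn reg.exe or run Set-MpPreference; that is why the list below pairs process-creation rules with Registry-event rules (for example "Disable Windows Defender Functionalities Via Registry Keys") and with telemetry-loss rules ("Elastic Defend Alert Followed by Telemetry Loss"). And every tuning exclusion, such as the parent-process allowlist here, is itself a gap for an attacker who can execute under the allowed parent, so suppressed matches should be recorded rather than discarded.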

PROCEDURES (113)

Auto-extracted procedure clusters, as name: detection count (labels are extracted automatically and may repeat):

General Monitoring: 31 detections
Persist: 16 detections
Registry: 14 detections
Process Creation Monitoring: 12 detections
Bypass: 8 detections
Registry Monitoring: 7 detections
Aws: 6 detections
Service: 6 detections
Inject: 5 detections
Kernel: 5 detections
Powershell: 5 detections
Cloud: 5 detections
Remote: 5 detections
Network Connection Monitoring: 4 detections
Driver: 4 detections
Service: 4 detections
Suspicious: 4 detections
Amsi: 4 detections
Bypass: 4 detections
Authentication Monitoring: 4 detections
Persist: 3 detections
Suspicious: 3 detections
Exfiltrat: 3 detections
Cloud Monitoring: 3 detections
Ransomware: 3 detections
Amsi: 3 detections
Suspicious: 3 detections
Amsi: 3 detections
Tamper: 3 detections
Registry: 3 detections
Exfiltrat: 3 detections
Powershell: 3 detections
Event Log: 3 detections
Scheduled Task: 2 detections
Process Access: 2 detections
Tamper: 2 detections
Driver: 2 detections
Azure: 2 detections
Dns: 2 detections
Privilege: 2 detections
Event Log: 2 detections
Credential: 2 detections
Kerbero: 2 detections
Phish: 2 detections
Script Execution Monitoring: 2 detections
C2: 2 detections
Kernel: 2 detections
Office: 2 detections
Encrypt: 2 detections
Encrypt: 2 detections
Unusual: 2 detections
Service: 2 detections
Evasion: 2 detections
Service Monitoring: 2 detections
Phish: 2 detections
Encrypt: 2 detections
Wmi: 2 detections
Startup: 2 detections
Unusual: 2 detections
Script Block: 2 detections
Privilege: 2 detections
Lsass: 1 detection
Evasion: 1 detection
Privilege: 1 detection
Service: 1 detection
Kubernetes: 1 detection
Kubernetes: 1 detection
Azure: 1 detection
Azure: 1 detection
Evasion: 1 detection
Kernel: 1 detection
Encrypt: 1 detection
Email Security: 1 detection
Remote: 1 detection
Evasion: 1 detection
Privilege: 1 detection
Powershell: 1 detection
Lsass: 1 detection
Api: 1 detection
Download: 1 detection
Service: 1 detection
Download: 1 detection
Api: 1 detection
Inject: 1 detection
Script Block: 1 detection
Dump: 1 detection
Remote: 1 detection
Office: 1 detection
Download: 1 detection
Lsass: 1 detection
Driver: 1 detection
Bypass: 1 detection
Http: 1 detection
Wmi: 1 detection
Tamper: 1 detection
Exfiltrat: 1 detection
Suspicious: 1 detection
Scheduled Task: 1 detection
Kernel: 1 detection
Dump: 1 detection
Http: 1 detection
Http: 1 detection
Powershell: 1 detection
Tamper: 1 detection
Driver: 1 detection
Lateral: 1 detection
Kerbero: 1 detection
Suspicious: 1 detection
Credential: 1 detection
Event Log: 1 detection
Ransomware: 1 detection
Wmi: 1 detection
Exfiltrat: 1 detection

DETECTIONS (300)

Each entry gives the rule name followed by its source and, where the source assigns one, its severity (splunk_escu and crowdstrike_cql entries carry no severity). The 200 entries extracted for this page run alphabetically and stop in the S range.

Add or Set Windows Defender Exclusion (splunk_escu)
Add SafeBoot Keys Via Reg Utility (sigma, high)
AMSI Bypass Pattern Assembly GetType (sigma, high)
AMSI Disabled via Registry Modification (sigma, high)
Antivirus Filter Driver Disallowed On Dev Drive - Registry (sigma, high)
AppArmor Policy Interface Access (elastic, low)
AppArmor Policy Violation Detected (elastic, low)
AppArmor Profile Compilation via apparmor_parser (elastic, low)
Application Removed from Blocklist in Google Workspace (elastic, medium)
ASLR Disabled Via Sysctl or Direct Syscall - Linux (sigma, high)
Attempt to Clear Kernel Ring Buffer (elastic, high)
Attempt to Clear Logs via Journalctl (elastic, medium)
Attempt to Disable Auditd Service (elastic, medium)
Attempt to Disable IPTables or Firewall (elastic, medium)
Attempt to Disable Syslog Service (elastic, medium)
Attempt to Unload Elastic Endpoint Security Kernel Extension (elastic, high)
AWS CloudTrail Log Deleted (elastic, medium)
AWS CloudTrail Log Suspended (elastic, medium)
AWS CloudWatch Alarm Deletion (elastic, medium)
AWS CloudWatch Log Group Deletion (elastic, medium)
AWS CloudWatch Log Stream Deletion (elastic, medium)
AWS Config Resource Deletion (elastic, medium)
AWS Configuration Recorder Stopped (elastic, high)
AWS EC2 Serial Console Access Enabled (elastic, high)
AWS EventBridge Rule Disabled or Deleted (elastic, low)
AWS GuardDuty Detector Deleted Or Updated (sigma, high)
AWS GuardDuty Detector Deletion (elastic, high)
AWS GuardDuty Important Change (sigma, high)
AWS GuardDuty Member Account Manipulation (elastic, medium)
AWS S3 Bucket Configuration Deletion (elastic, low)
Azure Diagnostic Settings Alert Suppression Rule Created or Modified (elastic, low)
Azure Diagnostic Settings Deleted (elastic, medium)
Azure Kubernetes Events Deleted (sigma, medium)
Azure Kubernetes Services (AKS) Kubernetes Events Deleted (elastic, medium)
Azure Resource Group Deleted (elastic, medium)
Azure VNet Network Watcher Deleted (elastic, medium)
Bitbucket Audit Log Configuration Updated (sigma, medium)
Bitbucket Global Secret Scanning Rule Deleted (sigma, medium)
Bitbucket Global SSH Settings Changed (sigma, medium)
Bitbucket Project Secret Scanning Allowlist Added (sigma, low)
Bitbucket Secret Scanning Exempt Repository Added (sigma, high)
Bitbucket Secret Scanning Rule Deleted (sigma, low)
BPF filter applied using TC (elastic, high)
BPF Program Tampering via bpftool (elastic, medium)
BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware) (crowdstrike_cql)
Cisco Configuration Archive Logging Analysis (splunk_escu)
Cisco Disabling Logging (sigma, high)
Cisco SNMP Community String Configuration Changes (splunk_escu)
Deprecated - M365 Exchange DLP Policy Deleted (elastic, medium)
Devcon Execution Disabling VMware VMCI Device (sigma, high)
Disable AMSI Through Registry (splunk_escu)
Disable Defender AntiVirus Registry (splunk_escu)
Disable Defender BlockAtFirstSeen Feature (splunk_escu)
Disable Defender Enhanced Notification (splunk_escu)
Disable Defender MpEngine Registry (splunk_escu)
Disable Defender Spynet Reporting (splunk_escu)
Disable Defender Submit Samples Consent Feature (splunk_escu)
Disable ETW Through Registry (splunk_escu)
Disable Exploit Guard Network Protection on Windows Defender (sigma, medium)
Disable Privacy Settings Experience in Registry (sigma, medium)
Disable PUA Protection on Windows Defender (sigma, high)
Disable Registry Tool (splunk_escu)
Disable Schedule Task (splunk_escu)
Disable Security Tools (sigma, medium)
Disable Show Hidden Files (splunk_escu)
Disable Tamper Protection on Windows Defender (sigma, medium)
Disable Windows App Hotkeys (splunk_escu)
Disable Windows Behavior Monitoring (splunk_escu)
Disable Windows Defender AV Security Monitoring (sigma, high)
Disable Windows Defender Functionalities Via Registry Keys (sigma, high)
Disable Windows SmartScreen Protection (splunk_escu)
Disable-WindowsOptionalFeature Command PowerShell (sigma, high)
Disabled IE Security Features (sigma, high)
Disabled Volume Snapshots (sigma, high)
Disabled Windows Defender Eventlog (sigma, high)
Disabling CMD Application (splunk_escu)
Disabling ControlPanel (splunk_escu)
Disabling Defender Services (splunk_escu)
Disabling Firewall with Netsh (splunk_escu)
Disabling FolderOptions Windows Feature (splunk_escu)
Disabling Lsa Protection via Registry Modification (elastic, high)
Disabling NoRun Windows App (splunk_escu)
Disabling Task Manager (splunk_escu)
Disabling User Account Control via Registry Modification (elastic, medium)
Disabling Windows Defender Security Settings via PowerShell (elastic, medium)
Disabling Windows Defender WMI Autologger Session via Reg.exe (sigma, high)
Dism Remove Online Package (sigma, medium)
DNS Global Query Block List Modified or Disabled (elastic, medium)
Elastic Agent Service Terminated (elastic, medium)
Elastic Defend Alert Followed by Telemetry Loss (elastic, high)
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback (sigma, medium)
ESXi Download Errors (splunk_escu)
ESXi Syslog Configuration Change Via ESXCLI (sigma, medium)
Excessive number of service control start as disabled (splunk_escu)
Excessive Usage Of Taskkill (splunk_escu)
Folder Removed From Exploit Guard ProtectedFolders List - Registry (sigma, high)
Gatekeeper Override and Execution (elastic, high)
GitHub App Deleted (elastic, low)
GitHub Enterprise Delete Branch Ruleset (splunk_escu)
GitHub Enterprise Disable 2FA Requirement (splunk_escu)
GitHub Enterprise Disable Classic Branch Protection Rule (splunk_escu)
GitHub Enterprise Disable Dependabot (splunk_escu)
GitHub Enterprise Disable IP Allow List (splunk_escu)
GitHub Enterprise Register Self Hosted Runner (splunk_escu)
GitHub Organizations Delete Branch Ruleset (splunk_escu)
GitHub Organizations Disable 2FA Requirement (splunk_escu)
GitHub Organizations Disable Classic Branch Protection Rule (splunk_escu)
GitHub Organizations Disable Dependabot (splunk_escu)
GitHub Protected Branch Settings Changed (elastic, medium)
Github Push Protection Bypass Detected (sigma, low)
Github Push Protection Disabled (sigma, high)
GitHub Secret Scanning Disabled (elastic, low)
Github Secret Scanning Feature Disabled (sigma, high)
Google Workspace Bitlocker Setting Disabled (elastic, medium)
Google Workspace Restrictions for Marketplace Modified to Allow Any App (elastic, medium)
HackTool - CobaltStrike BOF Injection Pattern (sigma, high)
Hacktool - EDR-Freeze Execution (sigma, high)
HackTool - PowerTool Execution (sigma, high)
HackTool - Stracciatella Execution (sigma, high)
Hide User Account From Sign-In Screen (splunk_escu)
High Number of Process and/or Service Terminations (elastic, medium)
High Number of Process Terminations (elastic, medium)
Hypervisor Enforced Paging Translation Disabled (sigma, high)
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine (sigma, high)
Kaspersky Endpoint Security Stopped Via CommandLine - Linux (sigma, high)
Kernel Module Removal (elastic, low)
Kill Command Execution (elastic, low)
Linux Impair Defenses Process Kill (splunk_escu)
Load Of RstrtMgr.DLL By A Suspicious Process (sigma, high)
Load Of RstrtMgr.DLL By An Uncommon Process (sigma, low)
M365 Copilot Jailbreak Attempts (splunk_escu)
M365 Exchange Anti-Phish Policy Deleted (elastic, medium)
M365 Exchange Anti-Phish Rule Modification (elastic, medium)
M365 Exchange DKIM Signing Configuration Disabled (elastic, medium)
M365 Exchange Email Safe Attachment Rule Disabled (elastic, low)
M365 Exchange Email Safe Link Policy Disabled (elastic, medium)
M365 Exchange Mail Flow Transport Rule Modified (elastic, medium)
M365 Exchange Mailbox Audit Logging Bypass Added (elastic, medium)
M365 Exchange Malware Filter Policy Deleted (elastic, medium)
M365 Exchange Malware Filter Rule Modified (elastic, medium)
M365 SharePoint Site Sharing Policy Weakened (elastic, medium)
Microsoft Defender Tamper Protection Trigger (sigma, high)
Microsoft Intune DeviceManagementConfigurationPolicies (splunk_escu)
Microsoft Malware Protection Engine Crash (sigma, high)
Microsoft Malware Protection Engine Crash - WER (sigma, high)
Microsoft Office Protected View Disabled (sigma, high)
Microsoft Windows Defender Tampering (elastic, medium)
Modification of AmsiEnable Registry Key (elastic, high)
Modification of Safari Settings via Defaults Command (elastic, medium)
NetNTLM Downgrade Attack (sigma, high)
NetNTLM Downgrade Attack - Registry (sigma, high)
O365 Email Security Feature Changed (splunk_escu)
Obfuscated PowerShell OneLiner Execution (sigma, high)
Potential AMSI Bypass Script Using NULL Bits (sigma, medium)
Potential AMSI Bypass Using NULL Bits (sigma, medium)
Potential AMSI Bypass Via .NET Reflection (sigma, high)
Potential AMSI COM Server Hijacking (sigma, high)
Potential Antimalware Scan Interface Bypass via PowerShell (elastic, high)
Potential Disabling of AppArmor (elastic, high)
Potential Disabling of SELinux (elastic, high)
Potential Evasion via Filter Manager (elastic, medium)
Potential Evasion via Windows Filtering Platform (elastic, medium)
Potential Privacy Control Bypass via TCCDB Modification (elastic, medium)
Potential Privileged System Service Operation - SeLoadDriverPrivilege (sigma, medium)
Potential Tampering With Security Products Via WMIC (sigma, high)
Powershell Base64 Encoded MpPreference Cmdlet (sigma, high)
Powershell Defender Disable Scan Feature (sigma, high)
Powershell Defender Exclusion (sigma, medium)
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' (sigma, high)
Powershell Disable Security Monitoring (splunk_escu)
Powershell Remove Windows Defender Directory (splunk_escu)
PowerShell Script with Windows Defender Tampering Capabilities (elastic, medium)
Powershell Windows Defender Exclusion Commands (splunk_escu)
PPL Tampering Via WerFaultSecure (sigma, high)
Process Kill Base On File Path (splunk_escu)
PUA - CleanWipe Execution (sigma, high)
Python Function Execution Security Warning Disabled In Excel (sigma, high)
Python Function Execution Security Warning Disabled In Excel - Registry (sigma, high)
Quarantine Attrib Removed by Unsigned or Untrusted Process (elastic, medium)
Raccine Uninstall (sigma, high)
Reg Add Suspicious Paths (sigma, high)
Removal Of AMSI Provider Registry Keys (sigma, high)
SafeBoot Registry Key Deleted Via Reg.EXE (sigma, high)
Scheduled Tasks AT Command Enabled (elastic, medium)
Scripted Diagnostics Turn Off Check Enabled - Registry (sigma, medium)
Security Service Disabled Via Reg.EXE (sigma, high)
SELinux Configuration Creation or Renaming (elastic, low)
Service Registry Key Deleted Via Reg.EXE (sigma, high)
Service StartupType Change Via PowerShell Set-Service (sigma, medium)
Service StartupType Change Via Sc.EXE (sigma, medium)
SoftwareUpdate Preferences Modification (elastic, medium)
SolarWinds Process Disabling Services via Registry (elastic, medium)
Suspicious Antimalware Scan Interface DLL (elastic, high)
Suspicious Application Allowed Through Exploit Guard (sigma, high)
Suspicious Kernel Feature Activity (elastic, medium)
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (sigma, high)
Suspicious Path In Keyboard Layout IME File Registry Value (sigma, high)
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze (sigma, high)
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs (sigma, high)
Suspicious PROCEXP152.sys File Created In TMP (sigma, medium)