T1685

Disable or Modify Tools

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting ...

Platforms: Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
Detections: 159
Sources: 1
Threat Actors: 32

BY SOURCE

sigma: 159 detections

PROCEDURES (54)

All procedure groupings below are auto-extracted; the number after each name is its detection count.

General Monitoring: 21 detections
Process Creation Monitoring: 14 detections
Registry Monitoring: 10 detections
Registry: 9 detections
Powershell: 7 detections
Cloud Monitoring: 5 detections
Driver: 4 detections
Evasion: 4 detections
Network Connection Monitoring: 4 detections
Ransomware: 4 detections
Service: 4 detections
Amsi: 4 detections
Wmi: 3 detections
Amsi: 3 detections
Powershell: 3 detections
Registry: 3 detections
Service: 3 detections
Suspicious: 3 detections
Tamper: 3 detections
Bypass: 3 detections
Driver: 2 detections
Startup: 2 detections
Encrypt: 2 detections
Amsi: 2 detections
Suspicious: 2 detections
Tamper: 2 detections
Scheduled Task: 2 detections
Kerbero: 2 detections
Persist: 2 detections
Service: 2 detections
Suspicious: 2 detections
Kernel: 1 detection
Dump: 1 detection
Http: 1 detection
Process Access: 1 detection
Lsass: 1 detection
Http: 1 detection
Powershell: 1 detection
Script Execution Monitoring: 1 detection
Lateral: 1 detection
Encrypt: 1 detection
Evasion: 1 detection
Encrypt: 1 detection
Remote: 1 detection
Bypass: 1 detection
Process Access Monitoring: 1 detection
Persist: 1 detection
Kernel: 1 detection
Remote: 1 detection
Kerbero: 1 detection
Lsass: 1 detection
Http: 1 detection
Suspicious: 1 detection
Kernel: 1 detection

DETECTIONS (159)

Each entry lists the rule name followed by its source and severity level.

Add SafeBoot Keys Via Reg Utility (sigma, high)
AMSI Bypass Pattern Assembly GetType (sigma, high)
AMSI Disabled via Registry Modification (sigma, high)
Antivirus Filter Driver Disallowed On Dev Drive - Registry (sigma, high)
ASLR Disabled Via Sysctl or Direct Syscall - Linux (sigma, high)
Auditing Configuration Changes on Linux Host (sigma, high)
AWS GuardDuty Detector Deleted Or Updated (sigma, high)
AWS GuardDuty Important Change (sigma, high)
AWS SecurityHub Findings Evasion (sigma, high)
Azure Kubernetes Events Deleted (sigma, medium)
Bitbucket Audit Log Configuration Updated (sigma, medium)
Bitbucket Global Secret Scanning Rule Deleted (sigma, medium)
Bitbucket Global SSH Settings Changed (sigma, medium)
Bitbucket Project Secret Scanning Allowlist Added (sigma, low)
Bitbucket Secret Scanning Exempt Repository Added (sigma, high)
Bitbucket Secret Scanning Rule Deleted (sigma, low)
Cisco Disabling Logging (sigma, high)
Cisco Dot1x Disabled (sigma, medium)
Devcon Execution Disabling VMware VMCI Device (sigma, high)
Disable Exploit Guard Network Protection on Windows Defender (sigma, medium)
Disable of ETW Trace - Powershell (sigma, high)
Disable Or Stop Services (sigma, medium)
Disable Privacy Settings Experience in Registry (sigma, medium)
Disable PUA Protection on Windows Defender (sigma, high)
Disable Security Tools (sigma, medium)
Disable Tamper Protection on Windows Defender (sigma, medium)
Disable Windows Defender AV Security Monitoring (sigma, high)
Disable Windows Defender Functionalities Via Registry Keys (sigma, high)
Disable-WindowsOptionalFeature Command PowerShell (sigma, high)
Disabled IE Security Features (sigma, high)
Disabled Volume Snapshots (sigma, high)
Disabled Windows Defender Eventlog (sigma, high)
Disabling Windows Defender WMI Autologger Session via Reg.exe (sigma, high)
Dism Remove Online Package (sigma, medium)
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback (sigma, medium)
ESXi Syslog Configuration Change Via ESXCLI (sigma, medium)
ETW Logging Disabled For rpcrt4.dll (sigma, low)
ETW Logging Disabled For SCM (sigma, low)
ETW Logging Disabled In .NET Processes - Registry (sigma, high)
ETW Logging Disabled In .NET Processes - Sysmon Registry (sigma, high)
ETW Logging Tamper In .NET Processes Via CommandLine (sigma, high)
ETW Trace Evasion Activity (sigma, high)
Filter Driver Unloaded Via Fltmc.EXE (sigma, medium)
Folder Removed From Exploit Guard ProtectedFolders List - Registry (sigma, high)
FortiGate - Firewall Address Object Added (sigma, medium)
FortiGate - New Firewall Policy Added (sigma, medium)
Github Push Protection Bypass Detected (sigma, low)
Github Push Protection Disabled (sigma, high)
Github Secret Scanning Feature Disabled (sigma, high)
Google Cloud Firewall Modified or Deleted (sigma, medium)
HackTool - CobaltStrike BOF Injection Pattern (sigma, high)
Hacktool - EDR-Freeze Execution (sigma, high)
HackTool - EDRSilencer Execution (sigma, high)
HackTool - EDRSilencer Execution - Filter Added (sigma, high)
HackTool - PowerTool Execution (sigma, high)
HackTool - Stracciatella Execution (sigma, high)
Hide Schedule Task Via Index Value Tamper (sigma, high)
Hypervisor Enforced Paging Translation Disabled (sigma, high)
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine (sigma, high)
Kaspersky Endpoint Security Stopped Via CommandLine - Linux (sigma, high)
Load Of RstrtMgr.DLL By A Suspicious Process (sigma, high)
Load Of RstrtMgr.DLL By An Uncommon Process (sigma, low)
Logging Configuration Changes on Linux Host (sigma, high)
Microsoft Defender Tamper Protection Trigger (sigma, high)
Microsoft Malware Protection Engine Crash (sigma, high)
Microsoft Malware Protection Engine Crash - WER (sigma, high)
Microsoft Office Protected View Disabled (sigma, high)
NetNTLM Downgrade Attack (sigma, high)
NetNTLM Downgrade Attack - Registry (sigma, high)
Obfuscated PowerShell OneLiner Execution (sigma, high)
Okta User Session Start Via An Anonymising Proxy Service (sigma, high)
Potential AMSI Bypass Script Using NULL Bits (sigma, medium)
Potential AMSI Bypass Using NULL Bits (sigma, medium)
Potential AMSI Bypass Via .NET Reflection (sigma, high)
Potential AMSI COM Server Hijacking (sigma, high)
Potential Privileged System Service Operation - SeLoadDriverPrivilege (sigma, medium)
Potential Suspicious Activity Using SeCEdit (sigma, medium)
Potential Tampering With Security Products Via WMIC (sigma, high)
Potential Windows Defender Tampering Via Wmic.EXE (sigma, high)
Powershell Base64 Encoded MpPreference Cmdlet (sigma, high)
Powershell Defender Disable Scan Feature (sigma, high)
Powershell Defender Exclusion (sigma, medium)
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' (sigma, high)
PPL Tampering Via WerFaultSecure (sigma, high)
PUA - CleanWipe Execution (sigma, high)
Python Function Execution Security Warning Disabled In Excel (sigma, high)
Python Function Execution Security Warning Disabled In Excel - Registry (sigma, high)
Raccine Uninstall (sigma, high)
Reg Add Suspicious Paths (sigma, high)
Removal Of AMSI Provider Registry Keys (sigma, high)
Removal Of Index Value to Hide Schedule Task - Registry (sigma, medium)
Removal Of SD Value to Hide Schedule Task - Registry (sigma, medium)
SafeBoot Registry Key Deleted Via Reg.EXE (sigma, high)
Scripted Diagnostics Turn Off Check Enabled - Registry (sigma, medium)
Security Service Disabled Via Reg.EXE (sigma, high)
Service Registry Key Deleted Via Reg.EXE (sigma, high)
Service Startup Type Change Via Wmic.EXE (sigma, medium)
Service StartupType Change Via PowerShell Set-Service (sigma, medium)
Service StartupType Change Via Sc.EXE (sigma, medium)
Suspicious Application Allowed Through Exploit Guard (sigma, high)
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (sigma, high)
Suspicious Path In Keyboard Layout IME File Registry Value (sigma, high)
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze (sigma, high)
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs (sigma, high)
Suspicious PROCEXP152.sys File Created In TMP (sigma, medium)
Suspicious Service Installed (sigma, medium)
Suspicious Uninstall of Windows Defender Feature via PowerShell (sigma, high)
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE (sigma, medium)
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE (sigma, high)
Suspicious Windows Service Tampering (sigma, high)
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE (sigma, high)
Sysinternals PsSuspend Suspicious Execution (sigma, high)
Sysmon Application Crashed (sigma, high)
Sysmon Configuration Update (sigma, medium)
Sysmon Driver Altitude Change (sigma, high)
Sysmon Driver Unloaded Via Fltmc.EXE (sigma, high)
Tamper Windows Defender - PSClassic (sigma, high)
Tamper Windows Defender - ScriptBlockLogging (sigma, high)
Tamper Windows Defender Remove-MpPreference (sigma, high)
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging (sigma, high)
Tamper With Sophos AV Registry Keys (sigma, high)
Taskkill Symantec Endpoint Protection (sigma, high)
Terminate Linux Process Via Kill (sigma, medium)
Uncommon Extension In Keyboard Layout IME File Registry Value (sigma, high)
Uninstall Crowdstrike Falcon Sensor (sigma, high)
Uninstall Sysinternals Sysmon (sigma, high)
Vulnerable Driver Blocklist Registry Tampering Via CommandLine (sigma, high)
WDAC Policy File Creation In CodeIntegrity Folder (sigma, medium)
Weak Encryption Enabled and Kerberoast (sigma, high)
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze (sigma, medium)
WFP Filter Added via Registry (sigma, medium)
Win Defender Restored Quarantine File (sigma, high)
Windows AMSI Related Registry Tampering Via CommandLine (sigma, high)
Windows Credential Guard Disabled - Registry (sigma, high)
Windows Credential Guard Registry Tampering Via CommandLine (sigma, high)
Windows Credential Guard Related Registry Value Deleted - Registry (sigma, high)
Windows Defender Configuration Changes (sigma, high)
Windows Defender Context Menu Removed (sigma, high)
Windows Defender Definition Files Removed (sigma, high)
Windows Defender Exclusion List Modified (sigma, medium)
Windows Defender Exclusion Registry Key - Write Access Requested (sigma, medium)
Windows Defender Exclusions Added (sigma, medium)
Windows Defender Exclusions Added - PowerShell (sigma, medium)
Windows Defender Exclusions Added - Registry (sigma, medium)
Windows Defender Exploit Guard Tamper (sigma, high)
Windows Defender Grace Period Expired (sigma, high)
Windows Defender Malware And PUA Scanning Disabled (sigma, high)
Windows Defender Real-time Protection Disabled (sigma, high)
Windows Defender Real-Time Protection Failure/Restart (sigma, medium)
Windows Defender Service Disabled - Registry (sigma, high)
Windows Defender Submit Sample Feature Disabled (sigma, low)
Windows Defender Threat Detection Service Disabled (sigma, medium)
Windows Defender Threat Severity Default Action Modified (sigma, high)
Windows Defender Virus Scanning Feature Disabled (sigma, high)
Windows Filtering Platform Blocked Connection From EDR Agent Binary (sigma, high)
Windows Firewall Disabled via PowerShell (sigma, medium)
Windows Hypervisor Enforced Code Integrity Disabled (sigma, high)
Windows Vulnerable Driver Blocklist Disabled (sigma, high)
Write Protect For Storage Disabled (sigma, medium)