EXPLORE
← Back to Explore
T1685

Disable or Modify Tools

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting ...

ContainersESXiIaaSLinuxmacOSNetwork DevicesWindows
279
Detections
2
Sources
32
Threat Actors

BY SOURCE

160sigma119splunk_escu

PROCEDURES (95)

General Monitoring19 detections

Auto-extracted: 19 detections for general monitoring

Process Creation Monitoring14 detections

Auto-extracted: 14 detections for process creation monitoring

Registry Monitoring10 detections

Auto-extracted: 10 detections for registry monitoring

Registry9 detections

Auto-extracted: 9 detections for registry

Powershell7 detections

Auto-extracted: 7 detections for powershell

Ransomware5 detections

Auto-extracted: 5 detections for ransomware

Cloud Monitoring5 detections

Auto-extracted: 5 detections for cloud monitoring

Exfiltrat4 detections

Auto-extracted: 4 detections for exfiltrat

Driver4 detections

Auto-extracted: 4 detections for driver

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Evasion4 detections

Auto-extracted: 4 detections for evasion

Service4 detections

Auto-extracted: 4 detections for service

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Amsi4 detections

Auto-extracted: 4 detections for amsi

Service3 detections

Auto-extracted: 3 detections for service

Tamper3 detections

Auto-extracted: 3 detections for tamper

Startup3 detections

Auto-extracted: 3 detections for startup

Script Block3 detections

Auto-extracted: 3 detections for script block

Registry3 detections

Auto-extracted: 3 detections for registry

Suspicious3 detections

Auto-extracted: 3 detections for suspicious

Wmi3 detections

Auto-extracted: 3 detections for wmi

Powershell3 detections

Auto-extracted: 3 detections for powershell

Service3 detections

Auto-extracted: 3 detections for service

Amsi3 detections

Auto-extracted: 3 detections for amsi

Amsi3 detections

Auto-extracted: 3 detections for amsi

Bypass3 detections

Auto-extracted: 3 detections for bypass

Process Access2 detections

Auto-extracted: 2 detections for process access

Driver2 detections

Auto-extracted: 2 detections for driver

Startup2 detections

Auto-extracted: 2 detections for startup

Service2 detections

Auto-extracted: 2 detections for service

Amsi2 detections

Auto-extracted: 2 detections for amsi

Kerbero2 detections

Auto-extracted: 2 detections for kerbero

Persist2 detections

Auto-extracted: 2 detections for persist

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Tamper2 detections

Auto-extracted: 2 detections for tamper

Tamper2 detections

Auto-extracted: 2 detections for tamper

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Driver2 detections

Auto-extracted: 2 detections for driver

Wmi2 detections

Auto-extracted: 2 detections for wmi

Event Log2 detections

Auto-extracted: 2 detections for event log

Kerbero2 detections

Auto-extracted: 2 detections for kerbero

Scheduled Task2 detections

Auto-extracted: 2 detections for scheduled task

Wmi2 detections

Auto-extracted: 2 detections for wmi

Event Log2 detections

Auto-extracted: 2 detections for event log

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Kernel2 detections

Auto-extracted: 2 detections for kernel

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

Bypass1 detections

Auto-extracted: 1 detections for bypass

Process Access Monitoring1 detections

Auto-extracted: 1 detections for process access monitoring

Kernel1 detections

Auto-extracted: 1 detections for kernel

Persist1 detections

Auto-extracted: 1 detections for persist

Http1 detections

Auto-extracted: 1 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

Download1 detections

Auto-extracted: 1 detections for download

Powershell1 detections

Auto-extracted: 1 detections for powershell

Lsass1 detections

Auto-extracted: 1 detections for lsass

Http1 detections

Auto-extracted: 1 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Kernel1 detections

Auto-extracted: 1 detections for kernel

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Dump1 detections

Auto-extracted: 1 detections for dump

Lsass1 detections

Auto-extracted: 1 detections for lsass

Http1 detections

Auto-extracted: 1 detections for http

Dump1 detections

Auto-extracted: 1 detections for dump

Http1 detections

Auto-extracted: 1 detections for http

Process Access1 detections

Auto-extracted: 1 detections for process access

Lsass1 detections

Auto-extracted: 1 detections for lsass

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Lateral1 detections

Auto-extracted: 1 detections for lateral

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Evasion1 detections

Auto-extracted: 1 detections for evasion

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Kernel1 detections

Auto-extracted: 1 detections for kernel

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Http1 detections

Auto-extracted: 1 detections for http

Powershell1 detections

Auto-extracted: 1 detections for powershell

Http1 detections

Auto-extracted: 1 detections for http

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Driver1 detections

Auto-extracted: 1 detections for driver

Lateral1 detections

Auto-extracted: 1 detections for lateral

Evasion1 detections

Auto-extracted: 1 detections for evasion

Privilege1 detections

Auto-extracted: 1 detections for privilege

Service Monitoring1 detections

Auto-extracted: 1 detections for service monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Event Log1 detections

Auto-extracted: 1 detections for event log

Lsass1 detections

Auto-extracted: 1 detections for lsass

Powershell1 detections

Auto-extracted: 1 detections for powershell

Wmi1 detections

Auto-extracted: 1 detections for wmi

Api1 detections

Auto-extracted: 1 detections for api

DETECTIONS (279)

Add or Set Windows Defender Exclusion
splunk_escu
Add SafeBoot Keys Via Reg Utility
sigmahigh
AMSI Bypass Pattern Assembly GetType
sigmahigh
AMSI Disabled via Registry Modification
sigmahigh
Antivirus Filter Driver Disallowed On Dev Drive - Registry
sigmahigh
ASLR Disabled Via Sysctl or Direct Syscall - Linux
sigmahigh
Auditing Configuration Changes on Linux Host
sigmahigh
AWS GuardDuty Detector Deleted Or Updated
sigmahigh
AWS GuardDuty Important Change
sigmahigh
AWS SecurityHub Findings Evasion
sigmahigh
Azure AD Block User Consent For Risky Apps Disabled
splunk_escu
Azure Kubernetes Events Deleted
sigmamedium
Bitbucket Audit Log Configuration Updated
sigmamedium
Bitbucket Global Secret Scanning Rule Deleted
sigmamedium
Bitbucket Global SSH Settings Changed
sigmamedium
Bitbucket Project Secret Scanning Allowlist Added
sigmalow
Bitbucket Secret Scanning Exempt Repository Added
sigmahigh
Bitbucket Secret Scanning Rule Deleted
sigmalow
Cisco ASA - Core Syslog Message Volume Drop
splunk_escu
Cisco ASA - Logging Disabled via CLI
splunk_escu
Cisco ASA - Logging Filters Configuration Tampering
splunk_escu
Cisco Configuration Archive Logging Analysis
splunk_escu
Cisco Disabling Logging
sigmahigh
Cisco Dot1x Disabled
sigmamedium
Cisco SNMP Community String Configuration Changes
splunk_escu
Devcon Execution Disabling VMware VMCI Device
sigmahigh
Disable AMSI Through Registry
splunk_escu
Disable Defender AntiVirus Registry
splunk_escu
Disable Defender BlockAtFirstSeen Feature
splunk_escu
Disable Defender Enhanced Notification
splunk_escu
Disable Defender MpEngine Registry
splunk_escu
Disable Defender Spynet Reporting
splunk_escu
Disable Defender Submit Samples Consent Feature
splunk_escu
Disable ETW Through Registry
splunk_escu
Disable Exploit Guard Network Protection on Windows Defender
sigmamedium
Disable of ETW Trace - Powershell
sigmahigh
Disable Or Stop Services
sigmamedium
Disable Privacy Settings Experience in Registry
sigmamedium
Disable PUA Protection on Windows Defender
sigmahigh
Disable Registry Tool
splunk_escu
Disable Schedule Task
splunk_escu
Disable Security Tools
sigmamedium
Disable Show Hidden Files
splunk_escu
Disable Tamper Protection on Windows Defender
sigmamedium
Disable Windows App Hotkeys
splunk_escu
Disable Windows Behavior Monitoring
splunk_escu
Disable Windows Defender AV Security Monitoring
sigmahigh
Disable Windows Defender Functionalities Via Registry Keys
sigmahigh
Disable Windows SmartScreen Protection
splunk_escu
Disable-WindowsOptionalFeature Command PowerShell
sigmahigh
Disabled IE Security Features
sigmahigh
Disabled Volume Snapshots
sigmahigh
Disabled Windows Defender Eventlog
sigmahigh
Disabling CMD Application
splunk_escu
Disabling ControlPanel
splunk_escu
Disabling Defender Services
splunk_escu
Disabling Firewall with Netsh
splunk_escu
Disabling FolderOptions Windows Feature
splunk_escu
Disabling NoRun Windows App
splunk_escu
Disabling Task Manager
splunk_escu
Disabling Windows Defender WMI Autologger Session via Reg.exe
sigmahigh
Dism Remove Online Package
sigmamedium
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
sigmamedium
ESXi Download Errors
splunk_escu
ESXi Encryption Settings Modified
splunk_escu
ESXi Lockdown Mode Disabled
splunk_escu
ESXi Loghost Config Tampering
splunk_escu
ESXi Syslog Configuration Change Via ESXCLI
sigmamedium
ESXi VIB Acceptance Level Tampering
splunk_escu
ETW Logging Disabled For rpcrt4.dll
sigmalow
ETW Logging Disabled For SCM
sigmalow
ETW Logging Disabled In .NET Processes - Registry
sigmahigh
ETW Logging Disabled In .NET Processes - Sysmon Registry
sigmahigh
ETW Logging Tamper In .NET Processes Via CommandLine
sigmahigh
ETW Registry Disabled
splunk_escu
ETW Trace Evasion Activity
sigmahigh
Excessive number of service control start as disabled
splunk_escu
Excessive Usage Of Taskkill
splunk_escu
Filter Driver Unloaded Via Fltmc.EXE
sigmamedium
Folder Removed From Exploit Guard ProtectedFolders List - Registry
sigmahigh
FortiGate - Firewall Address Object Added
sigmamedium
FortiGate - New Firewall Policy Added
sigmamedium
GitHub Enterprise Delete Branch Ruleset
splunk_escu
GitHub Enterprise Disable 2FA Requirement
splunk_escu
GitHub Enterprise Disable Classic Branch Protection Rule
splunk_escu
GitHub Enterprise Disable Dependabot
splunk_escu
GitHub Enterprise Disable IP Allow List
splunk_escu
GitHub Enterprise Register Self Hosted Runner
splunk_escu
GitHub Organizations Delete Branch Ruleset
splunk_escu
GitHub Organizations Disable 2FA Requirement
splunk_escu
GitHub Organizations Disable Classic Branch Protection Rule
splunk_escu
GitHub Organizations Disable Dependabot
splunk_escu
Github Push Protection Bypass Detected
sigmalow
Github Push Protection Disabled
sigmahigh
Github Secret Scanning Feature Disabled
sigmahigh
Google Cloud Firewall Modified or Deleted
sigmamedium
HackTool - CobaltStrike BOF Injection Pattern
sigmahigh
Hacktool - EDR-Freeze Execution
sigmahigh
HackTool - EDRSilencer Execution
sigmahigh
HackTool - EDRSilencer Execution - Filter Added
sigmahigh
HackTool - PowerTool Execution
sigmahigh
HackTool - Stracciatella Execution
sigmahigh
Hide Schedule Task Via Index Value Tamper
sigmahigh
Hide User Account From Sign-In Screen
splunk_escu
Hypervisor Enforced Paging Translation Disabled
sigmahigh
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
sigmahigh
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
sigmahigh
Linux Impair Defenses Process Kill
splunk_escu
Load Of RstrtMgr.DLL By A Suspicious Process
sigmahigh
Load Of RstrtMgr.DLL By An Uncommon Process
sigmalow
Logging Configuration Changes on Linux Host
sigmahigh
M365 Copilot Agentic Jailbreak Attack
splunk_escu
M365 Copilot Impersonation Jailbreak Attack
splunk_escu
M365 Copilot Information Extraction Jailbreak Attack
splunk_escu
M365 Copilot Jailbreak Attempts
splunk_escu
M365 Copilot Non Compliant Devices Accessing M365 Copilot
splunk_escu
Microsoft Defender Tamper Protection Trigger
sigmahigh
Microsoft Intune DeviceManagementConfigurationPolicies
splunk_escu
Microsoft Malware Protection Engine Crash
sigmahigh
Microsoft Malware Protection Engine Crash - WER
sigmahigh
Microsoft Office Protected View Disabled
sigmahigh
NetNTLM Downgrade Attack
sigmahigh
NetNTLM Downgrade Attack - Registry
sigmahigh
O365 Block User Consent For Risky Apps Disabled
splunk_escu
Obfuscated PowerShell OneLiner Execution
sigmahigh
Okta User Session Start Via An Anonymising Proxy Service
sigmahigh
Potential AMSI Bypass Script Using NULL Bits
sigmamedium
Potential AMSI Bypass Using NULL Bits
sigmamedium
Potential AMSI Bypass Via .NET Reflection
sigmahigh
Potential AMSI COM Server Hijacking
sigmahigh
Potential Privileged System Service Operation - SeLoadDriverPrivilege
sigmamedium
Potential Suspicious Activity Using SeCEdit
sigmamedium
Potential Tampering With Security Products Via WMIC
sigmahigh
Potential Windows Defender Tampering Via Wmic.EXE
sigmahigh
Powershell Base64 Encoded MpPreference Cmdlet
sigmahigh
Powershell Defender Disable Scan Feature
sigmahigh
Powershell Defender Exclusion
sigmamedium
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
sigmahigh
Powershell Disable Security Monitoring
splunk_escu
Powershell Remove Windows Defender Directory
splunk_escu
Powershell Windows Defender Exclusion Commands
splunk_escu
PPL Tampering Via WerFaultSecure
sigmahigh
Process Kill Base On File Path
splunk_escu
PUA - CleanWipe Execution
sigmahigh
Python Function Execution Security Warning Disabled In Excel
sigmahigh
Python Function Execution Security Warning Disabled In Excel - Registry
sigmahigh
Raccine Uninstall
sigmahigh
Reg Add Suspicious Paths
sigmahigh
Removal Of AMSI Provider Registry Keys
sigmahigh
Removal Of Index Value to Hide Schedule Task - Registry
sigmamedium
Removal Of SD Value to Hide Schedule Task - Registry
sigmamedium
SafeBoot Registry Key Deleted Via Reg.EXE
sigmahigh
Scripted Diagnostics Turn Off Check Enabled - Registry
sigmamedium
Security Service Disabled Via Reg.EXE
sigmahigh
Service Registry Key Deleted Via Reg.EXE
sigmahigh
Service Startup Type Change Via Wmic.EXE
sigmamedium
Service StartupType Change Via PowerShell Set-Service
sigmamedium
Service StartupType Change Via Sc.EXE
sigmamedium
Suspicious Application Allowed Through Exploit Guard
sigmahigh
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
sigmahigh
Suspicious Path In Keyboard Layout IME File Registry Value
sigmahigh
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
sigmahigh
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
sigmahigh
Suspicious PROCEXP152.sys File Created In TMP
sigmamedium
Suspicious Service Installed
sigmamedium
Suspicious Uninstall of Windows Defender Feature via PowerShell
sigmahigh
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
sigmamedium
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
sigmahigh
Suspicious Windows Service Tampering
sigmahigh
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
sigmahigh
Sysinternals PsSuspend Suspicious Execution
sigmahigh
Sysmon Application Crashed
sigmahigh
Sysmon Configuration Update
sigmamedium
Sysmon Driver Altitude Change
sigmahigh
Sysmon Driver Unloaded Via Fltmc.EXE
sigmahigh
Tamper Windows Defender - PSClassic
sigmahigh
Tamper Windows Defender - ScriptBlockLogging
sigmahigh
Tamper Windows Defender Remove-MpPreference
sigmahigh
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
sigmahigh
Tamper With Sophos AV Registry Keys
sigmahigh
Taskkill Symantec Endpoint Protection
sigmahigh
Terminate Linux Process Via Kill
sigmamedium
Uncommon Extension In Keyboard Layout IME File Registry Value
sigmahigh
Uninstall Crowdstrike Falcon Sensor
sigmahigh
Uninstall Sysinternals Sysmon
sigmahigh
Unload Sysmon Filter Driver
splunk_escu
Unloading AMSI via Reflection
splunk_escu
Vulnerable Driver Blocklist Registry Tampering Via CommandLine
sigmahigh
WDAC Policy File Creation In CodeIntegrity Folder
sigmamedium
Weak Encryption Enabled and Kerberoast
sigmahigh
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
sigmamedium
WFP Filter Added via Registry
sigmamedium
Win Defender Restored Quarantine File
sigmahigh
Windows AD Domain Controller Audit Policy Disabled
splunk_escu
Windows AD GPO Deleted
splunk_escu
Windows AD GPO Disabled
splunk_escu
Windows AMSI Related Registry Tampering Via CommandLine
sigmahigh
Windows Attempt To Stop Security Service
splunk_escu
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
splunk_escu
Windows Cisco Secure Endpoint Unblock File Via Sfc
splunk_escu