Impair Defenses - T1562
(ATT&CK® Technique)
Definition
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
D3FEND Inferred Relationships
Artifacts affected by Impair Defenses (T1562):
Impair Defenses accesses Legacy System
Impair Defenses disables Operating System Process
Impair Defenses disables Endpoint Sensor
Impair Defenses may-modify Application Configuration
Impair Defenses disables System Configuration Init Database Record
Impair Defenses may-modify Operating System Configuration Component
Impair Defenses may-modify User Init Script
Impair Defenses may-modify Windows Registry Key
Impair Defenses modifies Process Environment Variable
Impair Defenses modifies System Firewall Configuration

Defensive techniques related through those artifacts (relationship to T1562 in parentheses):
Emulated File Analysis analyzes User Init Script (may-detect)
Dynamic Analysis analyzes User Init Script (may-detect)
Decoy File spoofs User Init Script (may-deceive)
Process Self-Modification Detection analyzes Operating System Process (may-detect)
Process Spawn Analysis analyzes Operating System Process (may-detect)
File Eviction deletes User Init Script (may-evict)
Registry Key Deletion deletes Windows Registry Key (may-evict)
File Integrity Monitoring analyzes User Init Script (may-detect)
Process Termination terminates Operating System Process (may-evict)
Process Suspension suspends Operating System Process (may-evict)
Host Shutdown terminates Operating System Process (may-evict)
Application Configuration Hardening hardens Process Environment Variable, Application Configuration (may-harden)
File Encryption encrypts User Init Script (may-harden)
Executable Denylisting blocks User Init Script (may-isolate)
Kernel-based Process Isolation isolates Operating System Process (may-isolate)
Application-based Process Isolation isolates Operating System Process (may-isolate)
Executable Allowlisting blocks User Init Script (may-isolate)
Hardware-based Process Isolation isolates Operating System Process (may-isolate)
Local File Permissions restricts User Init Script (may-isolate)
System Call Filtering isolates Operating System Process (may-isolate)
Restore Configuration restores System Configuration Init Database Record, Windows Registry Key, Application Configuration, Process Environment Variable, System Firewall Configuration, Operating System Configuration Component (may-restore)
Restore File restores User Init Script (may-restore)
File Analysis analyzes User Init Script (may-detect)
System Init Config Analysis analyzes System Configuration Init Database Record (may-detect)
System Daemon Monitoring monitors Operating System Process (may-detect)
Process Lineage Analysis analyzes Operating System Process (may-detect)
Host Reboot terminates Operating System Process (may-evict)
Remote File Access Mediation isolates User Init Script (may-isolate)