Impair Defenses - T1562
(ATT&CK® Technique)
Definition
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves impairing not only preventative defenses, such as firewalls and anti-virus, but also the detection capabilities that defenders use to audit activity and identify malicious behavior. It may span both native defenses and supplemental capabilities installed by users and administrators.
D3FEND Inferred Relationships
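Browse the D3FEND knowledge graph by clicking on the nodes below. Solid edges show how the offensive technique and each countermeasure act on a digital artifact; dotted "May ..." edges (May Detect, May Evict, May Harden, May Isolate, May Restore, May Deceive) are inferred from that shared artifact, so treat them as candidate countermeasures to validate in your own environment rather than as confirmed coverage.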
graph LR; T1562["Impair Defenses"] --> |accesses| LegacySystem["Legacy System"]; class T1562 OffensiveTechniqueNode; class LegacySystem ArtifactNode; click LegacySystem href "/dao/artifact/d3f:LegacySystem"; click T1562 href "/offensive-technique/attack/T1562/"; click LegacySystem href "/dao/artifact/d3f:LegacySystem"; T1562["Impair Defenses"] --> |disables| OperatingSystemProcess["Operating System Process"]; class T1562 OffensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click OperatingSystemProcess href "/dao/artifact/d3f:OperatingSystemProcess"; click T1562 href "/offensive-technique/attack/T1562/"; click OperatingSystemProcess href "/dao/artifact/d3f:OperatingSystemProcess"; T1562["Impair Defenses"] --> |disables| EndpointSensor["Endpoint Sensor"]; class T1562 OffensiveTechniqueNode; class EndpointSensor ArtifactNode; click EndpointSensor href "/dao/artifact/d3f:EndpointSensor"; click T1562 href "/offensive-technique/attack/T1562/"; click EndpointSensor href "/dao/artifact/d3f:EndpointSensor"; T1562["Impair Defenses"] --> |may-modify| ApplicationConfiguration["Application Configuration"]; class T1562 OffensiveTechniqueNode; class ApplicationConfiguration ArtifactNode; click ApplicationConfiguration href "/dao/artifact/d3f:ApplicationConfiguration"; click T1562 href "/offensive-technique/attack/T1562/"; click ApplicationConfiguration href "/dao/artifact/d3f:ApplicationConfiguration"; T1562["Impair Defenses"] --> |modifies| ProcessEnvironmentVariable["Process Environment Variable"]; class T1562 OffensiveTechniqueNode; class ProcessEnvironmentVariable ArtifactNode; click ProcessEnvironmentVariable href "/dao/artifact/d3f:ProcessEnvironmentVariable"; click T1562 href "/offensive-technique/attack/T1562/"; click ProcessEnvironmentVariable href "/dao/artifact/d3f:ProcessEnvironmentVariable"; T1562["Impair Defenses"] --> |disables| SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"]; class T1562 OffensiveTechniqueNode; 
class SystemConfigurationInitDatabaseRecord ArtifactNode; click SystemConfigurationInitDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationInitDatabaseRecord"; click T1562 href "/offensive-technique/attack/T1562/"; click SystemConfigurationInitDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationInitDatabaseRecord"; T1562["Impair Defenses"] --> |may-modify| OperatingSystemConfigurationComponent["Operating System Configuration Component"]; class T1562 OffensiveTechniqueNode; class OperatingSystemConfigurationComponent ArtifactNode; click OperatingSystemConfigurationComponent href "/dao/artifact/d3f:OperatingSystemConfigurationComponent"; click T1562 href "/offensive-technique/attack/T1562/"; click OperatingSystemConfigurationComponent href "/dao/artifact/d3f:OperatingSystemConfigurationComponent"; T1562["Impair Defenses"] --> |may-modify| UserInitScript["User Init Script"]; class T1562 OffensiveTechniqueNode; class UserInitScript ArtifactNode; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; click T1562 href "/offensive-technique/attack/T1562/"; click UserInitScript href "/dao/artifact/d3f:UserInitScript"; T1562["Impair Defenses"] --> |may-modify| WindowsRegistryKey["Windows Registry Key"]; class T1562 OffensiveTechniqueNode; class WindowsRegistryKey ArtifactNode; click WindowsRegistryKey href "/dao/artifact/d3f:WindowsRegistryKey"; click T1562 href "/offensive-technique/attack/T1562/"; click WindowsRegistryKey href "/dao/artifact/d3f:WindowsRegistryKey"; T1562["Impair Defenses"] --> |modifies| SystemFirewallConfiguration["System Firewall Configuration"]; class T1562 OffensiveTechniqueNode; class SystemFirewallConfiguration ArtifactNode; click SystemFirewallConfiguration href "/dao/artifact/d3f:SystemFirewallConfiguration"; click T1562 href "/offensive-technique/attack/T1562/"; click SystemFirewallConfiguration href "/dao/artifact/d3f:SystemFirewallConfiguration"; DecoyFile["Decoy File"] --> | spoofs | UserInitScript["User Init Script"]; 
DecoyFile["Decoy File"] -.-> | May Deceive | T1562["Impair Defenses"] ; class DecoyFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1562["Impair Defenses"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | UserInitScript["User Init Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1562["Impair Defenses"] ; class DynamicAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | OperatingSystemProcess["Operating System Process"]; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | May Detect | T1562["Impair Defenses"] ; class ProcessSelf-ModificationDetection DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | OperatingSystemProcess["Operating System Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1562["Impair Defenses"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | UserInitScript["User Init Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | May Detect | T1562["Impair Defenses"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class UserInitScript ArtifactNode; 
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; RegistryKeyDeletion["Registry Key Deletion"] --> | deletes | WindowsRegistryKey["Windows Registry Key"]; RegistryKeyDeletion["Registry Key Deletion"] -.-> | May Evict | T1562["Impair Defenses"] ; class RegistryKeyDeletion DefensiveTechniqueNode; class WindowsRegistryKey ArtifactNode; click RegistryKeyDeletion href "/technique/d3f:RegistryKeyDeletion"; FileEviction["File Eviction"] --> | deletes | UserInitScript["User Init Script"]; FileEviction["File Eviction"] -.-> | May Evict | T1562["Impair Defenses"] ; class FileEviction DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; ProcessTermination["Process Termination"] --> | terminates | OperatingSystemProcess["Operating System Process"]; ProcessTermination["Process Termination"] -.-> | May Evict | T1562["Impair Defenses"] ; class ProcessTermination DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] --> | suspends | OperatingSystemProcess["Operating System Process"]; ProcessSuspension["Process Suspension"] -.-> | May Evict | T1562["Impair Defenses"] ; class ProcessSuspension DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] --> | terminates | OperatingSystemProcess["Operating System Process"]; HostShutdown["Host Shutdown"] -.-> | May Evict | T1562["Impair Defenses"] ; class HostShutdown DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click HostShutdown href "/technique/d3f:HostShutdown"; ApplicationConfigurationHardening["Application Configuration Hardening"] --> | hardens | ApplicationConfiguration["Application Configuration"]; ApplicationConfigurationHardening["Application Configuration Hardening"] -.-> | May Harden | 
T1562["Impair Defenses"] ; class ApplicationConfigurationHardening DefensiveTechniqueNode; class ApplicationConfiguration ArtifactNode; click ApplicationConfigurationHardening href "/technique/d3f:ApplicationConfigurationHardening"; ApplicationConfigurationHardening["Application Configuration Hardening"] --> | hardens | ProcessEnvironmentVariable["Process Environment Variable"]; class ApplicationConfigurationHardening DefensiveTechniqueNode; class ProcessEnvironmentVariable ArtifactNode; click ApplicationConfigurationHardening href "/technique/d3f:ApplicationConfigurationHardening"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | UserInitScript["User Init Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1562["Impair Defenses"] ; class ExecutableDenylisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | UserInitScript["User Init Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1562["Impair Defenses"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class UserInitScript ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | OperatingSystemProcess["Operating System Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1562["Impair Defenses"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitScript["User Init Script"]; LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1562["Impair Defenses"] ; class LocalFilePermissions DefensiveTechniqueNode; 
class UserInitScript ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileEncryption["File Encryption"] --> | encrypts | UserInitScript["User Init Script"]; FileEncryption["File Encryption"] -.-> | May Harden | T1562["Impair Defenses"] ; class FileEncryption DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; RestoreConfiguration["Restore Configuration"] --> | restores | OperatingSystemConfigurationComponent["Operating System Configuration Component"]; RestoreConfiguration["Restore Configuration"] -.-> | May Restore | T1562["Impair Defenses"] ; class RestoreConfiguration DefensiveTechniqueNode; class OperatingSystemConfigurationComponent ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemFirewallConfiguration["System Firewall Configuration"]; class RestoreConfiguration DefensiveTechniqueNode; class SystemFirewallConfiguration ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"]; class RestoreConfiguration DefensiveTechniqueNode; class SystemConfigurationInitDatabaseRecord ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | WindowsRegistryKey["Windows Registry Key"]; class RestoreConfiguration DefensiveTechniqueNode; class WindowsRegistryKey ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; RestoreConfiguration["Restore Configuration"] --> | restores | ApplicationConfiguration["Application Configuration"]; class RestoreConfiguration DefensiveTechniqueNode; class ApplicationConfiguration ArtifactNode; click RestoreConfiguration href 
"/technique/d3f:RestoreConfiguration"; RestoreFile["Restore File"] --> | restores | UserInitScript["User Init Script"]; RestoreFile["Restore File"] -.-> | May Restore | T1562["Impair Defenses"] ; class RestoreFile DefensiveTechniqueNode; class UserInitScript ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreConfiguration["Restore Configuration"] --> | restores | ProcessEnvironmentVariable["Process Environment Variable"]; class RestoreConfiguration DefensiveTechniqueNode; class ProcessEnvironmentVariable ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; FileAnalysis["File Analysis"] --> | analyzes | UserInitScript["User Init Script"]; FileAnalysis["File Analysis"] -.-> | May Detect | T1562["Impair Defenses"] ; class FileAnalysis DefensiveTechniqueNode; class UserInitScript ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemDaemonMonitoring["System Daemon Monitoring"] --> | monitors | OperatingSystemProcess["Operating System Process"]; SystemDaemonMonitoring["System Daemon Monitoring"] -.-> | May Detect | T1562["Impair Defenses"] ; class SystemDaemonMonitoring DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click SystemDaemonMonitoring href "/technique/d3f:SystemDaemonMonitoring"; SystemInitConfigAnalysis["System Init Config Analysis"] --> | analyzes | SystemConfigurationInitDatabaseRecord["System Configuration Init Database Record"]; SystemInitConfigAnalysis["System Init Config Analysis"] -.-> | May Detect | T1562["Impair Defenses"] ; class SystemInitConfigAnalysis DefensiveTechniqueNode; class SystemConfigurationInitDatabaseRecord ArtifactNode; click SystemInitConfigAnalysis href "/technique/d3f:SystemInitConfigAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | OperatingSystemProcess["Operating System Process"]; ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | May Detect | T1562["Impair Defenses"] ; class ProcessLineageAnalysis 
DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] --> | terminates | OperatingSystemProcess["Operating System Process"]; HostReboot["Host Reboot"] -.-> | May Evict | T1562["Impair Defenses"] ; class HostReboot DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click HostReboot href "/technique/d3f:HostReboot"; MandatoryAccessControl["Mandatory Access Control"] --> | isolates | OperatingSystemProcess["Operating System Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1562["Impair Defenses"] ; class MandatoryAccessControl DefensiveTechniqueNode; class OperatingSystemProcess ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";