Disable or Modify Tools - T1562.001
(ATT&CK® Technique)
Definition
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
D3FEND Inferred Relationships
Disable or Modify Tools (T1562.001) disables the artifact Operating System Process. The defensive techniques below act on the same artifact, which gives each its inferred relationship to T1562.001:

Process Termination: terminates Operating System Process; May Evict Disable or Modify Tools
Process Suspension: suspends Operating System Process; May Evict Disable or Modify Tools
Host Shutdown: terminates Operating System Process; May Evict Disable or Modify Tools
Host Reboot: terminates Operating System Process; May Evict Disable or Modify Tools
Hardware-based Process Isolation: isolates Operating System Process; May Isolate Disable or Modify Tools
Mandatory Access Control: isolates Operating System Process; May Isolate Disable or Modify Tools
Process Self-Modification Detection: analyzes Operating System Process; May Detect Disable or Modify Tools
Process Spawn Analysis: analyzes Operating System Process; May Detect Disable or Modify Tools
Process Lineage Analysis: analyzes Operating System Process; May Detect Disable or Modify Tools
System Daemon Monitoring: monitors Operating System Process; May Detect Disable or Modify Tools