Description

An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.

Mitigations

1

Consequences

Relationships

Related ATT&CK Techniques

7

T1556.006

Multi-Factor Authentication

Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts. Once adversaries have gained …

T1562.001

Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many …

T1562.002

Disable Windows Event Logging

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs …

T1562.004

Disable or Modify System Firewall

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the …

T1562.007

Disable or Modify Cloud Firewall

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. …

T1562.008

Disable or Modify Cloud Logs

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities …

T1562.009

Safe Mode Boot

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a …

Resources Required

1

CAPEC 578 Disable Security Software

Description

Mitigations

Ensure Proper Permissions Are In Place To Prevent Adversaries From Altering The Execution Status Of Security Tools.

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Related ATT&CK Techniques

Multi-Factor Authentication

Disable or Modify Tools

Disable Windows Event Logging

Disable or Modify System Firewall

Disable or Modify Cloud Firewall

Disable or Modify Cloud Logs

Safe Mode Boot

Resources Required

CAPEC 578 Disable Security Software

Description

Mitigations

Ensure Proper Permissions Are In Place To Prevent Adversaries From Altering The Execution Status Of Security Tools.

Consequences

Security Scopes Affected

Potential Impacts

Relationships

Parent CAPECs

Related ATT&CK Techniques

Multi-Factor Authentication

Disable or Modify Tools

Disable Windows Event Logging

Disable or Modify System Firewall

Disable or Modify Cloud Firewall

Disable or Modify Cloud Logs

Safe Mode Boot

Resources Required

Iscriviti alla newsletter