Disable or Modify Tools

What: Disable or Modify Tools

Disable or Modify Tools is a technique categorized under the "Defense Evasion" tactic in the MITRE ATT&CK framework. This technique involves adversaries attempting to disable security tools or modify system utilities to evade detection and maintain persistence in a target environment. Security tools can include antivirus, intrusion detection systems, and firewalls, among others.

How: Methods of Disabling or Modifying Tools

  1. Disabling Services: Adversaries may stop or disable services associated with security tools through commands (service <name> stop on Linux, sc stop <name> on Windows) or by manipulating service configurations.

  2. Tampering with Executables: Modifying the executable files of security tools to render them ineffective. This could involve patching binaries to bypass specific checks or corrupting them to prevent their execution.

  3. Impairing Configuration Files: Altering configuration files of security applications to deactivate certain features, change rules, or exclude specific directories from scanning.

  4. Process Injection: Injecting malicious code into processes associated with security tools to alter their behavior from the inside.

  5. Registry Modifications (Windows): Changing registry values that control the behavior of security software can effectively disable protections without directly interacting with the software’s binaries.

  6. Polymorphic and Metamorphic Malware: Creating malware that rewrites itself so that its observable properties change each time it propagates, defeating signature-based detection.
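The first and fifth methods above (stopping security services and editing the registry keys that govern them) leave traces in process-creation logs, and a detector can flag them whether or not the attempt succeeded. The following is an added example written for this page, not code from the page's author or from MITRE. It assumes a constructed, tab-separated log format (timestamp, host, user, command line), an illustrative watchlist of service names, and the Windows Defender policy registry path as the only watched key; the sample log lines are constructed.

```python
"""Flag process-creation events that stop, disable or reconfigure security tools.

Added example (not part of the original page). Assumes a constructed log format:
    <timestamp>\t<host>\t<user>\t<command line>
"""
import re
from dataclasses import dataclass

# Constructed watchlist of service names (lower-cased). Illustrative only:
# replace with the services of the tools actually deployed in your estate.
WATCHED_SERVICES = {
    "windefend", "sense", "mpssvc",          # Windows Defender AV / EDR / firewall
    "auditd", "osqueryd", "falcon-sensor",   # Linux auditing / EDR agents
}

# Registry key prefixes (lower-cased) whose modification can switch off
# protections. The Defender policy key is real; extend per deployed tooling.
WATCHED_REG_PREFIXES = (
    r"hklm\software\policies\microsoft\windows defender",
    r"hklm\software\microsoft\windows defender",
)

# Each pattern captures the service being acted on. Covers the commands the
# page names (sc stop, service <name> stop) and their common siblings.
SERVICE_PATTERNS = [
    # Windows: sc stop <svc> / sc config <svc> start= disabled / sc delete <svc>
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+\"?([\w.-]+)\"?", re.I),
    # Windows: net stop <svc>
    re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?([\w.-]+)\"?", re.I),
    # Linux: service <svc> stop
    re.compile(r"\bservice\s+([\w.-]+)\s+stop\b", re.I),
    # Linux: systemctl stop|disable|mask <svc>
    re.compile(r"\bsystemctl\s+(?:stop|disable|mask)\s+([\w.-]+)", re.I),
]
# reg add "<quoted path>" ... or reg add <unquoted path> ...
REG_PATTERN = re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    reason: str
    command: str


def parse_line(line):
    """Split one constructed log line into its four fields, or None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    return parts if len(parts) == 4 else None


def check_command(cmd):
    """Return a reason string if cmd touches a watched service or key, else None."""
    for pattern in SERVICE_PATTERNS:
        for match in pattern.finditer(cmd):
            service = match.group(1).lower()
            if service in WATCHED_SERVICES:
                return f"security service '{service}' stopped/reconfigured"
    match = REG_PATTERN.search(cmd)
    if match:
        path = (match.group(1) or match.group(2)).lower()
        if path.startswith(WATCHED_REG_PREFIXES):
            return f"security-tool registry key modified: {path}"
    return None


def detect_tool_tampering(lines):
    """Run every log line through check_command and collect the alerts in order."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        timestamp, host, user, cmd = parsed
        reason = check_command(cmd)
        if reason:
            alerts.append(Alert(timestamp, host, user, reason, cmd))
    return alerts


# Constructed sample events: four tampering attempts and two benign service stops.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z\tws01\tjdoe\tsc.exe stop WinDefend",
    "2024-05-01T09:12:09Z\tws01\tjdoe\tnet stop Spooler",            # benign
    "2024-05-01T09:13:40Z\tws01\tSYSTEM\treg.exe add "
    "\"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" "
    "/v ExampleSetting /t REG_DWORD /d 1 /f",                        # value name constructed
    "2024-05-01T09:15:22Z\tsrv07\troot\tsystemctl stop auditd",
    "2024-05-01T09:15:30Z\tsrv07\troot\tservice nginx stop",        # benign
    "2024-05-01T09:16:01Z\tws01\tjdoe\tsc config Sense start= disabled",
]

if __name__ == "__main__":
    for alert in detect_tool_tampering(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.host} {alert.user}: {alert.reason}")
```

Run against the sample, the detector raises four alerts and ignores the two benign stops. Keying on the attempt rather than the outcome matters: tamper protection in current endpoint products may block the `sc stop` or the registry write, but the attempt itself is the indicator that an adversary has reached the point of impairing defenses. The watchlist and registry prefixes are the tuning surface; in production they should come from an inventory of deployed tooling rather than a hard-coded set.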

Where: Application Environments

This technique is applicable in various environments:

  • Desktops/Servers: On individual workstations or servers where local security tools are installed.
  • Network Level: Involving network-based security appliances and monitoring systems.
  • Cloud Infrastructure: Within cloud environments against cloud-native protection services like AWS GuardDuty, Azure Security Center, etc.

Why: Motivations Behind Disabling or Modifying Tools

The primary motivation for disabling or modifying tools is to evade detection and maintain presence within a target environment:

  • Evasion: To perform malicious activities without being detected by security monitoring tools.
  • Persistence: Ensuring their malicious payloads continue operating without interruption from protective measures.
  • Privilege Escalation: With security controls disabled, adversaries may be able to obtain privileges beyond those they held at initial access.

This approach helps attackers carry out further exploitation activities such as data exfiltration, lateral movement, and establishing backdoors while remaining unnoticed within the compromised system.