MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools
Disable or Modify Tools is a defense evasion technique that adversaries use to interfere with security and monitoring tools. This technique involves disabling, modifying, or corrupting security software, forensic tools, or system utilities to prevent detection and response. By tampering with these tools, attackers can evade endpoint protection, avoid triggering alerts, and operate stealthily within a compromised environment. This technique is commonly observed in attack campaigns where attackers seek to maintain control over a system without being detected.
In this blog post, we explain the T1562.001 Disable or Modify Tools technique of the MITRE ATT&CK® framework and explore how adversaries employ Disable or Modify Tools with real-world attack examples in detail.
Adversary Use of Disable or Modify Tools
Adversaries seek to disable built-in and third-party security tools so that they can execute malicious actions undetected and unrestricted. In this section, we examine procedure samples used against common security tools.
1. Disabling Windows Defender & AMSI
Windows Defender is a built-in security feature developed by Microsoft for Windows operating systems. Its primary purpose is to protect computers and devices running Windows from a wide range of security threats, including viruses, malware, spyware, and other malicious software. Since it is part of the default configuration of many Windows systems, adversaries have developed novel methods to disable Windows Defender.
In May 2024, INC ransomware was reported to abuse a native Windows utility called SystemSettingsAdminFlows.exe to disable Windows Defender [1]. The commands below, run via a compromised user account, change registry values related to Windows Defender.
SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1
SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0
SystemSettingsAdminFlows.exe Defender SpynetReporting 0
SystemSettingsAdminFlows.exe Defender RTP 1
The result of these malicious actions can be tracked using Windows Defender Event ID (EID) 5007, which is logged whenever the Defender configuration changes. An example event is given below.
Windows Defender Antivirus Configuration has changed. If this is an unexpected event, you should review the settings, as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 0x0
In another case, WhisperGate destructive malware added its path to Windows Defender's exclusion list using the command below [2]. This method allows adversaries to remove their malicious folders from scheduled scans, on-demand scans, and always-on, real-time protection and monitoring.
powershell Set-MpPreference -ExclusionPath C:\Temp
The exclusion list can be viewed under the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions registry key [3].
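As an added detection example (not code from the original post or from any of the cited reports), the following Python parses the text of EID 5007 events like the one shown above and flags the changes that weaken Defender, including a new entry under the Exclusions key such as the one Set-MpPreference writes. The value semantics for SpyNetReporting, SubmitSamplesConsent and the Disable* flags are assumptions taken from Defender's documented settings, and the sample messages are constructed.

```python
import re

# Parses Windows Defender EID 5007 message text and decides whether the
# recorded configuration change weakens protection.
_VALUE_RE = re.compile(r"(Old|New) value:\s+(HKLM\\[^=]+?)\s*=\s*(\S+)")
_DEFENDER = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"

# Assumed value semantics (from Defender's documented settings):
# SpyNetReporting 0 = off, SubmitSamplesConsent 2 = never send, Disable* 1 = off.
WEAKENING = {
    "SpyNet\\SpyNetReporting": lambda v: v == 0,
    "SpyNet\\SubmitSamplesConsent": lambda v: v == 2,
    "Real-Time Protection\\DisableRealtimeMonitoring": lambda v: v == 1,
    "Real-Time Protection\\DisableBehaviorMonitoring": lambda v: v == 1,
}

def parse_5007(message):
    """Extract the registry path and old/new integer values from a 5007 message."""
    event = {"path": None, "old": None, "new": None}
    for which, path, raw in _VALUE_RE.findall(message):
        event["path"] = path
        event[which.lower()] = int(raw, 0)  # handles "0x2" as well as "2"
    return event

def is_weakening(event):
    """True when the change disables a feature or writes a new exclusion entry."""
    path, new = event["path"], event["new"]
    if not path or not path.startswith(_DEFENDER) or new is None:
        return False
    rel = path[len(_DEFENDER):]
    if rel.startswith("Exclusions\\"):
        return True  # e.g. Exclusions\Paths\C:\Temp, as written by Set-MpPreference
    check = WEAKENING.get(rel)
    return bool(check and check(new))

def flag_events(messages):
    """Return the registry path of every weakening change in the given messages."""
    return [e["path"] for e in map(parse_5007, messages) if is_weakening(e)]

# Constructed sample messages; the first mirrors the 5007 example on this page.
SAMPLE_EVENTS = [
    "Windows Defender Antivirus Configuration has changed. "
    "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting = 0x2 "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting = 0x0",
    "Windows Defender Antivirus Configuration has changed. Old value: "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Temp = 0x0",
    "Windows Defender Antivirus Configuration has changed. "
    "Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting = 0x1 "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting = 0x2",
]
```

Raising SpyNetReporting from 0x1 to 0x2 (the third sample) is deliberately not flagged, so the check alerts on weakening only, not on every 5007 event.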
Adversaries also utilize publicly available scripts to disable Windows Defender and SmartScreen. In March 2024, the BlackCat ransomware group was reported to use a tool called ToggleDefender, which leaves compromised systems open to further exploitation [4].
Antimalware Scan Interface (AMSI) is another Microsoft technology designed to enhance the interaction between applications and antimalware products installed on a Windows system. AMSI was introduced with Windows 10, and it provides a standardized interface that enables software developers to request scans of content for potential malicious activity. AMSI allows applications to leverage the capabilities of installed antimalware engines, contributing to a more robust defense against various forms of malware. Adversaries disable AMSI to circumvent its advanced threat detection capabilities, allowing them to operate stealthily, execute malicious code, and maintain persistence within the compromised system.
In September 2024, adversaries were observed using a PowerShell script called amsi_patch.ps1 to disable AMSI. After disabling AMSI, the threat actors deploy the K4Spreader malware, the Tsunami backdoor, and the XMRig cryptominer [5].
2. Disabling Antivirus Software
Organizations use antivirus software as a fundamental component of their cybersecurity strategy to mitigate the risks associated with cyber threats. As a foundational layer of defense, antivirus products fortify the organization's security posture alongside other security measures. Adversaries seek to disable antivirus as a strategic maneuver to circumvent detection, execute sophisticated attacks, maintain persistence, and achieve their specific malicious goals within targeted environments.
In January 2024, Kasseika ransomware was reported to use the Bring Your Own Vulnerable Driver (BYOVD) technique with a known vulnerable driver [6]. This technique allows adversaries to disable antivirus software using a signed but vulnerable driver called viragt64.sys. Once the adversaries gain access to the target, they deploy their malware together with the vulnerable driver. Then, they scan for and terminate antivirus software on the compromised system using the decompiled code below.
// Loading viragt64.sys: open a handle to the driver's device object
FileW = CreateFileW(L"\\\\.\\Viragtlt", 0xC0000000, 0, 0i64, 3u, 0x80u, 0i64);
// Scanning active processes in the compromised system
if ( DeviceIoControl(FileW, 0x82730030, v12, v11 + 1, OutBuffer, 0x64u, BytesReturned, 0i64) )
  v1 = 1;
// Terminating antivirus software
if ( ZwOpenProcess(&ProcessHandle, 0x1F0FFFu, &ObjectAttributes, &ClientId) >= 0 )
  ZwTerminateProcess(ProcessHandle, 99);
3. Disabling Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) solutions continuously monitor and analyze endpoint activities in real time, collecting vast amounts of data related to processes, network connections, file interactions, and user behaviors. They are designed to detect and respond to cybersecurity incidents at the endpoint level, addressing threats that may have bypassed traditional security measures. Similar to other security tools, adversaries aim to disable EDRs to evade detection and execute their malicious actions with a reduced risk of being discovered.
In September 2024, RansomHub ransomware was reported to use a tool called EDRKillShifter to disable EDR and antivirus software [7]. EDRKillShifter works as a loader and provides a delivery mechanism for a legitimate yet vulnerable driver. When executed, EDRKillShifter deploys the known vulnerable drivers RentDrv2 and ThreatFireMonitor and kills EDR tools [8].
References
[1] H. Carvey, "LOLBin to INC Ransomware," Huntress. https://www.huntress.com/blog/lolbin-to-inc-ransomware
[2] CISA, "Cybersecurity Advisory AA24-249A." https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
[3] J. Johnson, "You Can Run, but You Can't Hide: Defender Exclusions," Huntress. https://www.huntress.com/blog/you-can-run-but-you-cant-hide-defender-exclusions
[4] R. Jayapaul, "Resurgence of BlackCat Ransomware," Trustwave SpiderLabs. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/resurgence-of-blackcat-ransomware
[5] J. Scion, "Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal," Sekoia.io Blog. https://blog.sekoia.io/hadooken-and-k4spreader-the-8220-gangs-latest-arsenal
[6] "Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver," Trend Micro. https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
[7] "How RansomHub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections," Trend Micro. https://www.trendmicro.com/en_us/research/24/i/how-ransomhub-ransomware-uses-edrkillshifter-to-disable-edr-and-.html
[8] A. Klopsch, "Ransomware attackers introduce new EDR killer to their arsenal," Sophos News, Aug. 14, 2024. https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/