Disable or Modify Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.

Example:

A method that is effective for evasion but very likely to get caught is to simply disable the detection tool. In this sample I will disable Windows Defender so that our payloads can stay on the target safely.

In the above image we can see that Defender is enabled. We can easily disable it with PowerShell.

We can also use the GUI to disable Defender normally if we have an RDP session. There used to be a method to disable it through Registry keys, but since August 2020 this has been disabled and Windows now ignores it.
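From the defender's side, disabling Defender in any of the ways described above leaves a trail in the Microsoft-Windows-Windows Defender/Operational event channel. The following Python is an added example, not code from the original page: it parses a constructed batch of events (JSON lines, a shape chosen here for illustration) and raises alerts on the event IDs that record protection being disabled or reconfigured, escalating to critical when several such events hit one host within a short window, which is what a deliberate "kill the tool" step looks like versus a one-off configuration change. The event ID meanings are the channel's documented ones; the field names, sample records and severities are assumptions.

```python
"""
Detecting security-tool tampering from Windows Defender operational events.

Added example, not part of the original page. The records below are
constructed sample data in a JSON-lines shape; real events would arrive from
the Microsoft-Windows-Windows Defender/Operational channel via a forwarder
or SIEM. Event ID meanings follow that channel's documented IDs.
"""
import json
from datetime import datetime

# Defender operational event IDs that record protection being turned off or
# reconfigured. Severities are an assumption for this example.
TAMPER_EVENT_IDS = {
    5001: ("high", "Real-time protection was disabled"),
    5010: ("high", "Scanning for malware and unwanted software was disabled"),
    5012: ("high", "Scanning for viruses was disabled"),
    5004: ("medium", "Real-time protection configuration changed"),
    5007: ("medium", "Defender platform configuration changed"),
}

# Constructed sample log: five records from one host over a few minutes.
# Three tampering events land within seconds of each other.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:05Z", "host": "WS01", "event_id": 1116, "message": "constructed: malware detected"}
{"ts": "2024-05-01T10:02:10Z", "host": "WS01", "event_id": 5007, "message": "constructed: platform configuration changed"}
{"ts": "2024-05-01T10:02:11Z", "host": "WS01", "event_id": 5001, "message": "constructed: real-time protection is disabled"}
{"ts": "2024-05-01T10:02:12Z", "host": "WS01", "event_id": 5010, "message": "constructed: malware scanning is disabled"}
{"ts": "2024-05-01T10:15:00Z", "host": "WS01", "event_id": 1000, "message": "constructed: scan started"}
"""


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; 'Z' is normalised so older Pythons accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON-lines text into event dicts, skipping blank or malformed lines.

    A single bad line from a forwarder must not abort the whole batch, or an
    attacker could hide tampering behind one corrupt record.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_tool_tampering(events, window_seconds=300):
    """Return one alert per tampering event, ordered by time.

    Severity comes from TAMPER_EVENT_IDS, but is raised to 'critical' when two
    or more tampering events occur on the same host within window_seconds.
    """
    tamper = [e for e in events if e.get("event_id") in TAMPER_EVENT_IDS]
    tamper.sort(key=lambda e: _parse_ts(e["ts"]))
    alerts = []
    for e in tamper:
        t = _parse_ts(e["ts"])
        burst = [
            o for o in tamper
            if o["host"] == e["host"]
            and abs((_parse_ts(o["ts"]) - t).total_seconds()) <= window_seconds
        ]
        severity, description = TAMPER_EVENT_IDS[e["event_id"]]
        if len(burst) >= 2:
            severity = "critical"
        alerts.append({
            "ts": e["ts"],
            "host": e["host"],
            "event_id": e["event_id"],
            "severity": severity,
            "description": description,
            "related_events": len(burst),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_tool_tampering(parse_events(SAMPLE_LOG)):
        print(f'{alert["ts"]} {alert["host"]} {alert["severity"].upper():8} '
              f'{alert["event_id"]} {alert["description"]} '
              f'({alert["related_events"]} related in window)')
```

Run stand-alone it prints three critical alerts for WS01. In a real deployment the same logic belongs in the SIEM's correlation rule, and the absence of Defender events from a host that previously reported them is worth a second, separate rule, since killing the logging process (the other variant the opening paragraph mentions) produces silence rather than an event.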
