Disable or Modify Tools - T1562.001
(ATT&CK® Technique)
Definition
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
D3FEND Inferred Relationships
Disable or Modify Tools (T1562.001) --disables--> Operating System Process

Defensive techniques related to T1562.001 through the Operating System Process artifact:

Process Suspension: suspends Operating System Process; may-evict Disable or Modify Tools
Host Shutdown: terminates Operating System Process; may-evict Disable or Modify Tools
Process Termination: terminates Operating System Process; may-evict Disable or Modify Tools
Process Self-Modification Detection: analyzes Operating System Process; may-detect Disable or Modify Tools
Process Spawn Analysis: analyzes Operating System Process; may-detect Disable or Modify Tools
Host Reboot: terminates Operating System Process; may-evict Disable or Modify Tools
System Daemon Monitoring: monitors Operating System Process; may-detect Disable or Modify Tools
Process Lineage Analysis: analyzes Operating System Process; may-detect Disable or Modify Tools
Hardware-based Process Isolation: isolates Operating System Process; may-isolate Disable or Modify Tools
Kernel-based Process Isolation: isolates Operating System Process; may-isolate Disable or Modify Tools
Application-based Process Isolation: isolates Operating System Process; may-isolate Disable or Modify Tools
System Call Filtering: isolates Operating System Process; may-isolate Disable or Modify Tools