T1562 Impair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.[1][2]
| Item | Value |
|---|---|
| ID | T1562 |
| Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011, T1562.012, T1562.013 |
| Tactics | TA0005 |
| Platforms | Containers, ESXi, IaaS, Identity Provider, Linux, Network Devices, Office Suite, Windows, macOS |
| Version | 1.7 |
| Created | 21 February 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1043 | BlackByte | BlackByte removed Kernel Notify Routines to bypass endpoint detection and response (EDR) products.[7] |
| S1184 | BOLDMOVE | BOLDMOVE can modify proprietary Fortinet logs on victim machines.[4] |
| S1206 | JumbledPath | JumbledPath can impair logging on all devices used along its connection path to compromised hosts.[5] |
| G0059 | Magic Hound | Magic Hound has disabled LSA protection on compromised hosts using `reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f`.[8] |
| S0603 | Stuxnet | Stuxnet reduces the integrity level of objects to allow write actions.[6] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. Periodically verify that tools such as EDRs are functioning as expected. |
| M1042 | Disable or Remove Feature or Program | Consider removing previous versions of tools that are unnecessary to the environment when possible. |
| M1038 | Execution Prevention | Use application control where appropriate, especially regarding the execution of tools outside of the organization’s security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1054 | Software Configuration | Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[3] |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
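The M1047 Audit mitigation asks defenders to verify that security controls have not been silently disabled, and the Magic Hound procedure example above shows one concrete way that happens: a `reg add` that sets `RunAsPPL` under the LSA key to 0. The following detection logic is an added example written for this page; it is not ATT&CK content or code from any of the cited reports. It runs over constructed process-creation records (the `SAMPLE_EVENTS` list, hosts and users invented here) and flags command lines that disable LSA protection through `reg add` or remove the value with `reg delete`, while ignoring writes of 1 (which enable protection) and read-only `reg query` calls. The record field names (`host`, `user`, `cmdline`) are assumptions, not a specific product's schema.

```python
import re

# Constructed sample process-creation records (not from the ATT&CK page or any report).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\admin",
     "cmdline": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f'},
    {"host": "ws02", "user": "CORP\\deploy",
     "cmdline": r'reg.exe ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f'},
    {"host": "ws03", "user": "CORP\\helpdesk",
     "cmdline": r'reg query HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL'},
    {"host": "ws04", "user": "CORP\\svc",
     "cmdline": r'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows /v SomeOther /t REG_DWORD /d 0 /f'},
    {"host": "ws05", "user": "CORP\\admin",
     "cmdline": r'reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f'},
]

# reg / reg.exe (bare, full path, or quoted path) followed by the add or delete verb.
REG_CMD = re.compile(r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+(add|delete)\b', re.I)
# The LSA key, accepting both hive spellings and optional surrounding quotes.
LSA_KEY = re.compile(r'(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Control\\Lsa\b', re.I)
VALUE_NAME = re.compile(r'/v\s+"?RunAsPPL"?', re.I)
DATA_ARG = re.compile(r'/d\s+("[^"]*"|\S+)', re.I)


def _parse_dword(text):
    """Parse the /d argument as reg.exe would accept it (decimal or 0x-prefixed hex)."""
    t = text.strip('"\'')
    for base in (0, 10):          # base 0 handles 0x0; base 10 handles leading zeros like 00
        try:
            return int(t, base)
        except ValueError:
            continue
    return None


def classify(cmdline):
    """Return a finding string if the command line tampers with RunAsPPL, else None."""
    m = REG_CMD.search(cmdline)
    if not m or not LSA_KEY.search(cmdline) or not VALUE_NAME.search(cmdline):
        return None
    if m.group(1).lower() == "delete":
        # Assumption: an absent RunAsPPL value means protection is not enforced on this host's
        # baseline; confirm against your own build/policy before tuning this rule.
        return "RunAsPPL value deleted (LSA protection removed)"
    d = DATA_ARG.search(cmdline)
    if d is None:
        return "RunAsPPL written without explicit data (inspect)"
    value = _parse_dword(d.group(1))
    if value == 0:
        return "RunAsPPL set to 0 (LSA protection disabled)"
    if value is None:
        return "RunAsPPL set to unparseable data (inspect)"
    return None  # 1 (or another non-zero value) enables protection; not a finding


def scan(events):
    """Run classify() over a batch of records and return the findings with their context."""
    findings = []
    for ev in events:
        finding = classify(ev.get("cmdline", ""))
        if finding:
            findings.append({"host": ev.get("host"), "user": ev.get("user"),
                             "finding": finding, "cmdline": ev.get("cmdline")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['finding']}\n    {f['cmdline']}")
```

Running the block reports ws01 (value set to 0) and ws05 (value deleted) and stays quiet on the write of 1, the read-only query, and the unrelated key. The same pattern extends to other controls this technique covers: match the executable and verb, the protected key or service, and the specific value that weakens the control, and treat restoring writes as benign so the rule does not fire on hardening scripts.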
References
1. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
2. The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
3. Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023.
4. Scott Henderson, Cristiana Kittner, Sarah Hawley & Mark Lechtik, Google Cloud. (2023, January 19). Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475). Retrieved December 31, 2024.
5. Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025.
6. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved November 17, 2024.
7. Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
8. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.