CAPEC-578: Disable Security Software
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.
前提条件
- The adversary must have the capability to interact with the configuration of the targeted system.
所需资源
- None: No specialized resources are required to execute this type of attack.
后果影响
影响范围: Availability
技术影响: Hide Activities
说明: By disabling certain security tools, the adversary can hide malicious activity and avoid detection.
缓解措施
Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1556.006 | Modify Authentication Process: Multi-Factor Authentication |
| ATTACK | 1562.001 | Impair Defenses: Disable or Modify Tools |
| ATTACK | 1562.002 | Impair Defenses: Disable Windows Event Logging |
| ATTACK | 1562.004 | Impair Defenses: Disable or Modify System Firewall |
| ATTACK | 1562.007 | Impair Defenses: Disable or Modify Cloud Firewall |
| ATTACK | 1562.008 | Impair Defenses: Disable Cloud Logs |
| ATTACK | 1562.009 | Impair Defenses: Safe Mode Boot |