Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Security tools may make dynamic changes to system components in order to maintain visibility into specific events.
Īdversaries may also tamper with artifacts deployed and utilized by security tools. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
0 kommentar(er)
