Description
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware)
In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)
More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)
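The behaviours above (stopping security services, rewriting tool configuration in the Registry, reconfiguring Defender from the command line, and silencing the event log itself) each leave a recognisable event on a Windows host. The following PowerShell is an added example, not code from the ATT&CK page or from any vendor cited on it: it classifies such records and runs offline against constructed sample events shaped like Get-WinEvent output. The event IDs and Registry paths are standard Windows, Sysmon and Defender ones; the service display names and the command-line patterns are assumptions to be tuned to the agents actually deployed.

```powershell
# Added example (not code from the ATT&CK page or any vendor): classify Windows events that
# indicate an attempt to stop, reconfigure, or blind security tooling. Runs offline against
# constructed sample records; pass Get-WinEvent output to run it against a live host. The
# service names and command-line patterns below are assumptions to tune per environment.

# Display names as they appear in Service Control Manager 7036/7040 messages (examples).
$ProtectedServicePatterns = @(
    'Microsoft Defender Antivirus Service', 'Windows Defender Antivirus Service',
    'Windows Defender Advanced Threat Protection Service', 'Sysmon', 'Windows Event Log'
)

# Command-line fragments that reconfigure or stop protections. Security 4688 only carries the
# command line when "Include command line in process creation events" is enabled.
$TamperCommandPatterns = @(
    '(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion\w+)',            # Set-MpPreference -DisableRealtimeMonitoring
    '\bsc(\.exe)?\s+(stop|config|delete)\s+\S*(defend|sysmon|sense)',  # sc stop WinDefend, sc config ... start= disabled
    '\bnet1?(\.exe)?\s+stop\s+\S*(defend|sysmon|sense)',
    '\btaskkill(\.exe)?\b.*\b(msmpeng|mssense|sysmon)'
)

# Registry paths whose modification (Sysmon 13 or Security 4657) turns Defender off or widens exclusions.
$DefenderRegistryPattern = 'Windows Defender\\(Real-Time Protection\\Disable\w+|DisableAntiSpyware|Exclusions\\)'

function Test-DefenseTamperingEvent {
    # Returns a one-line finding for a tampering indicator, or $null for a benign record.
    param([Parameter(Mandatory)] [psobject] $Event)

    $msg = [string] $Event.Message
    switch ($Event.Id) {
        4688 {
            foreach ($p in $TamperCommandPatterns) {
                if ($msg -match $p) { return "Process created with AV/EDR-tampering command line: $($Matches[0])" }
            }
        }
        { $_ -in 7036, 7040 } {
            foreach ($svc in $ProtectedServicePatterns) {
                if ($msg -match [regex]::Escape($svc) -and $msg -match 'stopped|disabled') {
                    return "Protected service '$svc' stopped or set to disabled"
                }
            }
        }
        { $_ -in 13, 4657 } {
            if ($msg -match $DefenderRegistryPattern) { return "Defender policy/exclusion Registry value written: $($Matches[0])" }
        }
        { $_ -in 5001, 5010, 5012 } {
            # Defender Operational log: 5001 real-time protection disabled, 5010/5012 scanning disabled.
            if ($Event.ProviderName -like 'Microsoft-Windows-Windows Defender*') {
                return "Defender reports protection disabled (event $($Event.Id))"
            }
        }
        1100 { return 'Event Log service shut down' }
        1102 { return 'Security audit log cleared' }
    }
    return $null
}

function Get-DefenseTamperingFindings {
    # Emits one object per event that matched a tampering indicator.
    param([Parameter(Mandatory)] [psobject[]] $Events)
    foreach ($e in $Events) {
        $finding = Test-DefenseTamperingEvent -Event $e
        if ($finding) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Provider = $e.ProviderName; Finding = $finding }
        }
    }
}

# Constructed sample records (shapes mirror Get-WinEvent output; not captured from a real host).
$SampleEvents = @(
    [pscustomobject]@{ Id = 7036; ProviderName = 'Service Control Manager'; TimeCreated = '2024-05-01 10:00:01'
                       Message = 'The Sysmon64 service entered the stopped state.' },
    [pscustomobject]@{ Id = 4688; ProviderName = 'Microsoft-Windows-Security-Auditing'; TimeCreated = '2024-05-01 10:00:05'
                       Message = 'A new process has been created. Process Command Line: powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"' },
    [pscustomobject]@{ Id = 13; ProviderName = 'Microsoft-Windows-Sysmon'; TimeCreated = '2024-05-01 10:00:06'
                       Message = 'Registry value set: EventType: SetValue Image: C:\Windows\System32\reg.exe TargetObject: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring Details: DWORD (0x00000001)' },
    [pscustomobject]@{ Id = 5001; ProviderName = 'Microsoft-Windows-Windows Defender'; TimeCreated = '2024-05-01 10:00:07'
                       Message = 'Microsoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled.' },
    [pscustomobject]@{ Id = 7036; ProviderName = 'Service Control Manager'; TimeCreated = '2024-05-01 10:01:00'
                       Message = 'The Print Spooler service entered the running state.' },   # benign
    [pscustomobject]@{ Id = 4688; ProviderName = 'Microsoft-Windows-Security-Auditing'; TimeCreated = '2024-05-01 10:01:10'
                       Message = 'A new process has been created. Process Command Line: "C:\Windows\System32\notepad.exe"' }  # benign
)

Get-DefenseTamperingFindings -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Against the sample the first four records produce findings and the two benign ones do not. On a live host (elevated, Windows only) replace `$SampleEvents` with `Get-WinEvent -FilterHashtable @{ LogName = 'System','Security','Microsoft-Windows-Sysmon/Operational','Microsoft-Windows-Windows Defender/Operational'; StartTime = (Get-Date).AddDays(-1) }`. Because the adversary's aim is to silence the sensor, run this centrally over forwarded events rather than only on the endpoint, and treat a host that abruptly stops forwarding as a finding in its own right.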
Platforms
Sub-Techniques (6)
Disable or Modify Windows Event Log
T1685.002 Disable or Modify Cloud Log
T1685.003 Modify or Spoof Tool UI
T1685.004 Disable or Modify Linux Audit System Log
T1685.005 Clear Windows Event Logs
T1685.006 Clear Linux or Mac System Logs
Mitigations (7)
User Account Management (M1018)
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services.
Audit (M1047)
Periodically verify that tools are functioning appropriately – for example, that all expected hosts with EDRs or monitoring agents are checking in to the central console. Check EDRs to ensure that no unexpected exclusion paths have been added. In Microsoft Defender for Endpoint, exclusions can be reviewed with the Get-MpPreference cmdlet.(Citation: CodeX Microsoft Defender 2021)
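The audit described above, as an added PowerShell example (not the page's or Microsoft's own code): it reads the current Defender preferences and engine status, flags protection features that have been switched off, exclusions broad enough to hollow out scanning (a whole drive, a wildcard, a user-writable staging directory, or a scripting host), and agent services that are missing, stopped, or disabled, which is what an agent that has stopped checking in to the console usually looks like from the host side. Get-MpPreference, Get-MpComputerStatus and Get-Service are real cmdlets; the service list and the broad-exclusion heuristics are assumptions to adapt locally, and when the Defender module is absent the checks run against a constructed sample state so the logic can be exercised off-box.

```powershell
# Added example, not code from the ATT&CK page or from Microsoft: audit a host for Defender
# protection that has been switched off, hollowed out with broad exclusions, or left without
# its agent services. Get-MpPreference, Get-MpComputerStatus and Get-Service are real cmdlets;
# the service list and the "broad exclusion" heuristics are assumptions to adapt locally.

# Service names (not display names) for the agents expected on every host; examples only.
$AgentServices = @('WinDefend', 'Sense', 'Sysmon64')

function Test-BroadExclusion {
    # True when an exclusion path would silence scanning for far more than one product directory.
    param([Parameter(Mandatory)] [string] $Path)
    return ($Path -match '^[A-Za-z]:\\?$' -or                             # whole drive, e.g. C:\ (as Raspberry Robin adds)
            $Path -match '[\*\?]' -or                                      # wildcard exclusions
            $Path -match '\\(Temp|Downloads|AppData|Public|Users)(\\|$)')   # user-writable staging locations
}

function Get-DefenderTamperFindings {
    # Emits one string per finding; an empty result means nothing suspicious was seen.
    param(
        [Parameter(Mandatory)] [psobject] $Preference,   # Get-MpPreference output
        [Parameter(Mandatory)] [psobject] $Status,       # Get-MpComputerStatus output
        [string[]]   $ExpectedServices = @(),            # service names that must be present and running
        [psobject[]] $Services = @()                     # Get-Service output for those names
    )
    # 1. Preference flags that Set-MpPreference -Disable* flips.
    foreach ($flag in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                      'DisableIOAVProtection', 'DisableScriptScanning') {
        if ($Preference.$flag -eq $true) { "Preference $flag is set" }
    }
    # 2. Engine-reported state (reflects policy and tamper protection, not only the preference).
    if (-not $Status.RealTimeProtectionEnabled) { 'Real-time protection reported disabled' }
    if (-not $Status.AntivirusEnabled)          { 'Antivirus engine reported disabled' }
    if (-not $Status.IsTamperProtected)         { 'Tamper protection is off' }
    # 3. Exclusions: one broad path, extension, or scripting-host process exclusion neuters scanning.
    foreach ($p in @($Preference.ExclusionPath)) {
        if ($p -and (Test-BroadExclusion -Path $p)) { "Broad path exclusion: $p" }
    }
    foreach ($x in @($Preference.ExclusionExtension)) { if ($x) { "Extension exclusion: $x" } }
    foreach ($proc in @($Preference.ExclusionProcess)) {
        if ($proc -match 'powershell|cmd\.exe|rundll32|regsvr32|mshta|wscript|cscript') {
            "Script/LOLBin process exclusion: $proc"
        }
    }
    # 4. Agent services that are missing, stopped, or disabled (the host would stop checking in).
    foreach ($name in $ExpectedServices) {
        $svc = $Services | Where-Object { $_.Name -eq $name }
        if (-not $svc) { "Service $name is not installed"; continue }
        if ($svc.Status -ne 'Running')     { "Service $name is $($svc.Status)" }
        if ($svc.StartType -eq 'Disabled') { "Service $name start type is Disabled" }
    }
}

if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    # Live host: needs the Defender PowerShell module (Windows only).
    $services = @(Get-Service -Name $AgentServices -ErrorAction SilentlyContinue)
    $findings = @(Get-DefenderTamperFindings -Preference (Get-MpPreference) -Status (Get-MpComputerStatus) `
                                             -ExpectedServices $AgentServices -Services $services)
} else {
    # Constructed sample state (not from a real host) so the checks run off-box, e.g. in pwsh on Linux.
    $samplePref = [pscustomobject]@{
        DisableRealtimeMonitoring = $true;  DisableBehaviorMonitoring = $false
        DisableIOAVProtection     = $false; DisableScriptScanning     = $false
        ExclusionPath      = @('C:\', 'C:\Program Files\ExampleVendor\Agent')
        ExclusionExtension = @(); ExclusionProcess = @('powershell.exe')
    }
    $sampleStatus = [pscustomobject]@{ RealTimeProtectionEnabled = $false; AntivirusEnabled = $true; IsTamperProtected = $false }
    $sampleSvcs   = @(
        [pscustomobject]@{ Name = 'WinDefend'; Status = 'Running'; StartType = 'Automatic' },
        [pscustomobject]@{ Name = 'Sysmon64';  Status = 'Stopped'; StartType = 'Disabled'  }
    )
    $findings = @(Get-DefenderTamperFindings -Preference $samplePref -Status $sampleStatus `
                                             -ExpectedServices $AgentServices -Services $sampleSvcs)
}

if ($findings.Count -eq 0) { 'No tampering indicators found' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run from an elevated prompt so Get-MpPreference returns the full exclusion lists. The sample state yields eight findings (real-time monitoring disabled by preference and by engine status, tamper protection off, the `C:\` exclusion, the `powershell.exe` process exclusion, `Sense` absent, and `Sysmon64` stopped and disabled); the vendor directory exclusion is deliberately not flagged, since narrow per-product exclusions are normal. Collect the output centrally and compare it with the console's check-in list, because a host whose agent has been killed cannot be trusted to report on itself.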
Restrict File and Directory Permissions (M1022)
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.
Disable or Remove Feature or Program (M1042)
Consider removing previous versions of tools that are unnecessary to the environment when possible.
Software Configuration (M1054)
Consider automatically relaunching forwarding mechanisms at recurring intervals (e.g., on a timer or at logon) so that a stopped forwarder does not silently leave a host unmonitored, and apply change management to firewall rules and other related system configuration so that a change affecting log forwarding or tool connectivity is reviewed rather than accepted by default.
Execution Prevention (M1038)
Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.
Restrict Registry Permissions (M1024)
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security services.
Threat Groups (32)
| ID | Group | Context |
|---|---|---|
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has uninstalled and disabled security tools.(Citation: Mandiant UNC3944 May 2025) |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has been observed turning off Windows Security Center and can hide the AV software window from the vi... |
| G0078 | Gorgon Group | [Gorgon Group](https://attack.mitre.org/groups/G0078) malware can attempt to disable security features in Microsoft Office and Windows Defender using ... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has deployed a utility script named <code>kill.bat</code> to disable anti-virus.(Citation: FireEye FIN6 ... |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has disabled Windows Defender in compromised environments.(Citation: JPCERT MirrorFace JUL 2024) |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used several mechanisms to try to disable security tools. [Agrius](https://attack.mitre.org/groups/G10... |
| G1023 | APT5 | [APT5](https://attack.mitre.org/groups/G1023) has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certai... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has attempted to disable built-in security protections such as Windows AMSI. (Citation: Proofpoint TA... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operat... |
| G0119 | Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) used [PsExec](https://attack.mitre.org/software/S0029) to leverage Windows Defender to disable ... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has convinced victims to disable Docker and other container environments and run code on... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has unhooked DLLs to disable endpoint detection and response (EDR) or anti-virus (AV) tools.(Citation: ... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) will modify registry entries and scheduled task objects associated with Windows Defender to disabl... |
| G0024 | Putter Panda | Malware used by [Putter Panda](https://attack.mitre.org/groups/G0024) attempts to terminate processes corresponding to two components of Sophos Anti-V... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has shut down or uninstalled security applications on victim systems that might prevent ransomw... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) developed a custom injector that enables an Event Tracing for Windows (ETW) bypass, making malicious pr... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has incorporated code into several tools that attempts to terminate anti-virus processes.(Citat... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows a... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) can disable the system's local proxy settings.(Citation: Trend Micro Muddy Water March 2021) |
Associated Software (87)
| ID | Name | Type | Context |
|---|---|---|---|
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Secur... |
| S1234 | SplatCloak | Malware | [SplatCloak](https://attack.mitre.org/software/S1234) has identified and disabled API callback features of Windows Defender and Kaspersky.(Citation: Z... |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has searched for the Activity Monitor process in the System Events process list and kills th... |
| S0576 | MegaCortex | Malware | [MegaCortex](https://attack.mitre.org/software/S0576) was used to kill endpoint security processes.(Citation: IBM MegaCortex) |
| S0201 | JPIN | Malware | [JPIN](https://attack.mitre.org/software/S0201) can lower security settings by changing Registry keys.(Citation: Microsoft PLATINUM April 2016) |
| S0638 | Babuk | Malware | [Babuk](https://attack.mitre.org/software/S0638) can stop anti-virus services on a compromised host.(Citation: Sogeti CERT ESEC Babuk March 2021) |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) can add an exception to Microsoft Defender that excludes the entire main drive from anti-ma... |
| S0697 | HermeticWiper | Malware | [HermeticWiper](https://attack.mitre.org/software/S0697) has the ability to set the `HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpE... |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) has attempted to terminate/stop processes and services associated with endpoint security prod... |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection servi... |
| S0457 | Netwalker | Malware | [Netwalker](https://attack.mitre.org/software/S0457) can detect and terminate active security software-related processes on infected systems.(Citation... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) can disarm Windows Defender during the UAC process to evade detection.(Citation: Check Point War... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) loads a copy of NTDLL to evade hooks from security monitoring tools on this library.(Citation: Zsca... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) can disable security software and update services.(Citation: Splunk RedLine Stealer June 20... |
| S0249 | Gold Dragon | Malware | [Gold Dragon](https://attack.mitre.org/software/S0249) terminates anti-malware processes if they’re found running on the system.(Citation: McAfee Gold... |
| S0253 | RunningRAT | Malware | [RunningRAT](https://attack.mitre.org/software/S0253) kills running anti-malware processes.(Citation: McAfee Gold Dragon) |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) will terminate processes associated with several security software products if identified during e... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.(C... |
| S9039 | LazyWiper | Malware | [LazyWiper](https://attack.mitre.org/software/S9039) can disable Microsoft Windows Defender Real-Time Monitoring with the `Set-MpPreference` cmdlet.(C... |
| S0004 | TinyZBot | Malware | [TinyZBot](https://attack.mitre.org/software/S0004) can disable Avira anti-virus.(Citation: Cylance Cleaver) |
References
- Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.
- Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.
- Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved April 15, 2026.
- Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.
Frequently Asked Questions
What is T1685 (Disable or Modify Tools)?
T1685 is a MITRE ATT&CK technique named 'Disable or Modify Tools'. It belongs to the Defense Impairment tactic(s). Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensor...
How can T1685 be detected?
Detection of T1685 (Disable or Modify Tools) relies on telemetry about the security tools themselves rather than on generic log review: Service Control Manager events showing a security service stopping or having its start type changed, process creation events whose command lines invoke tool configuration (for example Set-MpPreference or Add-MpPreference with -Disable* or -Exclusion* parameters), Registry modifications to tool policy and exclusion keys, ETW sessions or log-forwarding pipelines that stop unexpectedly, and agents that stop checking in to the central console. Because the adversary's goal is to silence the sensor, the absence of expected telemetry from a host is itself a signal, so these checks belong in the SIEM or EDR console where a blinded endpoint cannot suppress them.
What mitigations exist for T1685?
There are 7 documented mitigations for T1685: User Account Management (M1018), Audit (M1047), Restrict File and Directory Permissions (M1022), Disable or Remove Feature or Program (M1042), Software Configuration (M1054), Execution Prevention (M1038), and Restrict Registry Permissions (M1024).
Which threat groups use T1685?
Known threat groups using T1685 include: Scattered Spider, Kimsuky, Gorgon Group, FIN6, MirrorFace, Agrius, APT5, TA2541.