CAPEC-578: Disable Security Software
- Abstraction: Standard
- Status: Usable
- Likelihood: Medium
- Severity: Medium
Description
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.
Metadata: standard CAPEC pattern, status usable, likelihood medium, severity medium. Underlying weakness: CWE-284. Mapped ATT&CK techniques: 7. Related CAPEC pattern: 1.
Related weaknesses · 1
MITRE ATT&CK crosswalk · 7
- T1556.006: Modify Authentication Process: Multi-Factor Authentication
- T1562.001: Impair Defenses: Disable or Modify Tools
- T1562.002: Impair Defenses: Disable Windows Event Logging
- T1562.004: Impair Defenses: Disable or Modify System Firewall
- T1562.007: Impair Defenses: Disable or Modify Cloud Firewall
- T1562.008: Impair Defenses: Disable Cloud Logs
- T1562.009: Impair Defenses: Safe Mode Boot

Related attack patterns · 1
Exploits · 1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Access Control (CWE-284) | 100% | live |

Related to · 7
| Type | Target | Confidence | Tier |
|---|---|---|---|
| SubTechnique | Disable or Modify Cloud Logs (T1562.008) | 100% | live |
| SubTechnique | Disable or Modify System Firewall (T1562.004) | 100% | live |
| SubTechnique | Safe Mode Boot (T1562.009) | 100% | live |
| SubTechnique | Multi-Factor Authentication (T1556.006) | 100% | live |
| SubTechnique | Disable or Modify Tools (T1562.001) | 100% | live |
| SubTechnique | Disable Windows Event Logging (T1562.002) | 100% | live |
| SubTechnique | Disable or Modify Cloud Firewall (T1562.007) | 100% | live |