CAPEC-578: Disable Security Software
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.
Last updated
Overview
CAPEC-578 (Disable Security Software) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The adversary must have the capability to interact with the configuration of the targeted system.
Resources required
- None: No specialized resources are required to execute this type of attack.
Consequences
What a successful CAPEC-578 attack can achieve.
Hide Activities
Affects: Availability
By disabling certain security tools, the adversary can hide malicious activity and avoid detection.
How to mitigate it
Defenses that reduce the risk of CAPEC-578.
- Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.
Terminology & mappings
Mapped taxonomies
- ATTACK: Modify Authentication Process: Multi-Factor Authentication (1556.006)
- ATTACK: Impair Defenses: Disable or Modify Tools (1562.001)
- ATTACK: Impair Defenses: Disable Windows Event Logging (1562.002)
- ATTACK: Impair Defenses: Disable or Modify System Firewall (1562.004)
- ATTACK: Impair Defenses: Disable or Modify Cloud Firewall (1562.007)
- ATTACK: Impair Defenses: Disable Cloud Logs (1562.008)
- ATTACK: Impair Defenses: Safe Mode Boot (1562.009)
Frequently asked questions
Common questions about CAPEC-578.
- What is CAPEC-578?
- An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.
- How do you prevent CAPEC-578?
- Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.
- What weaknesses does CAPEC-578 target?
- CAPEC-578 exploits 1 CWE weakness, including CWE-284 (Improper Access Control).
- How severe is CAPEC-578?
- MITRE rates CAPEC-578 as Medium severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-578
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.