Disable Runtime Protection Service
Info
ID: AT-DC002
Tactic: Deepening Control
Sub-techniques: Bypassing Security Hooks, Configuration Tampering, Service Downgrade, Service Termination
Disable/Weaken Runtime Protection Service
Adversaries may attempt to degrade or fully disable protective mechanisms, including WAFs, RASP modules, and cloud monitoring agents. Tactics range from corrupting configuration files to forcibly terminating processes, exploiting vulnerabilities in the security agent itself, or downgrading version checks that block suspicious calls. By reducing the application’s protective layers, attackers can operate more freely and escalate subsequent activities.
Once runtime protection is weakened, other intrusion methods, such as injection or code execution, become far easier to execute without detection. If a cloud environment relies heavily on centralized security services or logging, severing these connections blinds defenders to ongoing malicious operations. This technique often appears mid-campaign, once attackers have enough privileges to interact with or reconfigure security infrastructure.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Deploy a Cloud Application Detection & Response (CADR) product that baselines per-application API behavior and automatically quarantines tokens or workloads generating high-volume or atypical enumeration sequences. |
| M1026 | Privileged Account Management | Restrict who can invoke systemctl stop, sc stop, or cloud-agent API calls; require MFA + break-glass approval for any change to security services. |
| M1050 | Exploit Protection | Enable kernel-level exploit guards to block memory tampering that disables hooks or patches security engines. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0009 | Process: Process Termination | Alert when a security service binary is the target of kill, Stop-Service, or equivalent APIs—especially by non-signed binaries or unexpected users. |
| DS0015 | Application Log | Ingest AV/EDR/WAF watchdog logs; flag crashes, watchdog resets, or self-protection violations correlated with privilege-escalation activity. |
| DS0022 | File: File Modification | Detect on-disk tampering of security-agent binaries/configs (hash change, unsigned DLL overwrite) and raise high-severity alerts. |
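The following is an added example illustrating the DS0009 and DS0022 detections above; it is not part of the original page or any vendor product. It scans a constructed key=value activity log for termination of protection services (`systemctl stop`, `sc stop`, `kill` with a resolved target) by identities outside an assumed security-admin group, and keeps a SHA-256 baseline of agent binaries and configuration files to flag on-disk tampering. The service names, the user allow-list, the log format and the `ticket=` field are all assumptions for the demonstration.

```python
import hashlib
import os
import shlex
import tempfile

# Protection services to watch (placeholder names, not real products).
PROTECTED_SERVICES = {"waf-agent", "rasp-monitor", "cloud-sec-agent"}
# Identities allowed to stop protection services under change control (assumed).
SECURITY_ADMINS = {"secops"}
# Process names treated as service-termination primitives.
TERMINATION_PROCS = {"kill", "pkill", "systemctl", "sc"}

# Constructed sample log in a simple key=value format (not a real auditd/journal format).
# A real pipeline would populate "target" for kill by resolving the PID to a process name.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z user=deploy proc=systemctl args="stop nginx.service"
ts=2024-05-01T10:00:05Z user=www-data proc=systemctl args="stop waf-agent.service"
ts=2024-05-01T10:00:09Z user=root proc=kill args="-9 4242" target=rasp-monitor
ts=2024-05-01T10:00:12Z user=secops proc=systemctl args="stop waf-agent.service" ticket=CHG-1234
ts=2024-05-01T10:00:20Z user=app proc=curl args="https://api.example.invalid/health"
"""


def parse_line(line):
    """Split one key=value line into a dict; quoted values are handled by shlex."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def termination_target(event):
    """Return the service a termination event targets, or None if it is not one.

    systemctl/sc are only counted for stop/disable/mask verbs; kill/pkill rely on
    the pre-resolved 'target' field.
    """
    proc = event.get("proc", "").lower()
    if proc not in TERMINATION_PROCS:
        return None
    if proc in ("systemctl", "sc"):
        words = event.get("args", "").split()
        if len(words) < 2 or words[0].lower() not in ("stop", "disable", "mask"):
            return None
        return words[1].rsplit(".service", 1)[0]
    return event.get("target")


def detect_service_termination(log_text):
    """DS0009: alert on termination of protected services; severity depends on who did it."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        target = termination_target(event)
        if target is None or target not in PROTECTED_SERVICES:
            continue
        user = event.get("user", "?")
        # Authorized only when a security admin acts under a change ticket.
        authorized = user in SECURITY_ADMINS and "ticket" in event
        alerts.append({
            "ts": event.get("ts"), "user": user, "proc": event["proc"],
            "target": target, "severity": "info" if authorized else "high",
        })
    return alerts


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths):
    """Record known-good hashes of agent binaries/configs."""
    return {p: sha256_file(p) for p in paths}


def check_integrity(baseline_hashes):
    """DS0022: return paths whose content changed or that disappeared since baseline."""
    return [p for p, expected in baseline_hashes.items()
            if not os.path.exists(p) or sha256_file(p) != expected]


def integrity_demo():
    """Self-contained demo: baseline two constructed agent files, then downgrade the config."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "waf-agent.conf")
        binary = os.path.join(d, "waf-agent")
        with open(cfg, "w") as f:
            f.write("mode=enforce\n")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF-placeholder")
        base = baseline([cfg, binary])
        with open(cfg, "w") as f:
            f.write("mode=monitor\n")  # configuration tampering: enforce -> monitor
        return [os.path.basename(p) for p in check_integrity(base)]


if __name__ == "__main__":
    for alert in detect_service_termination(SAMPLE_LOG):
        print(alert)
    print("tampered:", integrity_demo())
```

In production the log parser would be replaced by the SIEM's own parsed events, and the integrity baseline would be taken at deployment time and re-verified on a schedule, so that a changed hash can be correlated with the process and user that wrote the file.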