Configuration Tampering
Configuration tampering is a sub-technique of the Deepening Control phase in which an adversary disables or weakens runtime protection services without terminating their processes or uninstalling the security software. Instead of stopping the service, the attacker edits the artifacts that govern its behavior: configuration files, registry values, policy objects, or the command-line parameters the service is launched with. The service keeps running and continues to report a healthy status, so inventories, heartbeats and "is the agent running?" checks show nothing wrong, while its actual defensive mechanisms have been switched off or routed around. Typical changes include raising detection thresholds, disabling individual protection modules, redirecting or silencing logging, and removing or loosening monitoring rules. Because many detection systems alert on service termination or process kill events but not on the content of configuration changes, manipulating settings lets the adversary achieve the same evasion at a much lower profile.
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Make security-agent configuration files and registry keys writable only by the agent's own service account or privileged administrators, and protect them further with immutable attributes (for example `chattr +i` on Linux) or with cloud / endpoint-management policy that reverts local edits to the approved state. |
| M1036 | Account Use Policies | Require a change-management workflow, with peer review and an audit trail, for any modification to production security configurations, so that a configuration change made outside that workflow is itself an indicator rather than routine noise. |
Detection
| ID | Data Source | Detection |
|---|---|---|
| DS0022 | File: File Creation, File Modification | Alert on creation or modification of security-agent configuration files, registry keys, or policy objects outside approved maintenance windows, and keep a hash baseline of the known-good files so a silent edit can be compared against what was deployed. |
| DS0015 | Application Log | Parse agent logs for "configuration reload" or checksum-mismatch messages and correlate them with the user identity, process and source host responsible for the change; a reload that cannot be tied to an approved change request is suspicious even when the agent itself reports healthy. |
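The following script is an added example of the two detection rows above applied to the behaviour described in the technique text; it is not code from the original page or from any real agent. It compares a live agent configuration against its trusted baseline and explains *how* protection was weakened (modules disabled, threshold raised, logging redirected, monitoring rules removed), then parses constructed agent log lines for "configuration reload" / "checksum mismatch" events outside a maintenance window and keeps the user and host for correlation. The agent's config keys, the `key=value` log format, the hostnames, user names and the maintenance window are all hypothetical.

```python
"""Detection logic for configuration tampering against a security agent.

Added example, not code from the original page or from any real product. The
agent config keys, the log line format, the field names and the maintenance
window are hypothetical and constructed here so the script runs offline.
"""
import hashlib
import json
import re
from datetime import datetime, time

# Trusted baseline of the (hypothetical) agent's policy file, as deployed.
BASELINE_CONFIG = json.dumps({
    "realtime_protection": True,
    "modules": {"behavioral": True, "memory_scan": True, "script_control": True},
    "alert_threshold": 3,
    "log_sink": "syslog://siem.internal:514",
    "monitoring_rules": ["proc_inject", "cred_dump", "lsass_access"],
}, sort_keys=True)

# The same file after tampering: the service still runs and reports healthy,
# but two modules are off, the threshold is sky-high, logs go nowhere and the
# credential-theft rules are gone.
TAMPERED_CONFIG = json.dumps({
    "realtime_protection": True,
    "modules": {"behavioral": False, "memory_scan": True, "script_control": False},
    "alert_threshold": 99,
    "log_sink": "file:///dev/null",
    "monitoring_rules": ["proc_inject"],
}, sort_keys=True)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def config_drift(baseline_text: str, current_text: str) -> list:
    """Compare a live config against its baseline and explain the weakening.

    A bare checksum mismatch only says "something changed"; the remaining
    checks say how protection was reduced, which is what separates tampering
    from a routine edit.
    """
    if sha256(baseline_text) == sha256(current_text):
        return []  # byte-identical to the trusted baseline
    findings = ["checksum mismatch against baseline"]
    base, cur = json.loads(baseline_text), json.loads(current_text)
    if base.get("realtime_protection") is True and cur.get("realtime_protection") is not True:
        findings.append("realtime_protection disabled")
    for mod, enabled in base.get("modules", {}).items():
        if enabled and not cur.get("modules", {}).get(mod, False):
            findings.append(f"module {mod} disabled")
    if cur.get("alert_threshold", 0) > base.get("alert_threshold", 0):
        findings.append(f"alert_threshold raised {base.get('alert_threshold')} -> {cur.get('alert_threshold')}")
    if cur.get("log_sink") != base.get("log_sink"):
        findings.append(f"log_sink redirected to {cur.get('log_sink')}")
    removed = set(base.get("monitoring_rules", [])) - set(cur.get("monitoring_rules", []))
    if removed:
        findings.append(f"monitoring rules removed: {sorted(removed)}")
    return findings


# Constructed agent log lines: key=value fields, values containing spaces quoted.
AGENT_LOG = [
    r'2024-05-02T02:14:07Z host=ws-042 user=CORP\svc-backup event="configuration reload" path=C:\ProgramData\Agent\policy.json',
    r'2024-05-02T02:14:08Z host=ws-042 user=CORP\svc-backup event="checksum mismatch" path=C:\ProgramData\Agent\policy.json',
    r'2024-05-02T09:30:00Z host=ws-042 user=CORP\jdoe event="scan complete" files=12000',
    r'2024-05-02T22:05:15Z host=ws-017 user=CORP\patch-admin event="configuration reload" path=C:\ProgramData\Agent\policy.json',
]
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
CONFIG_EVENTS = {"configuration reload", "checksum mismatch"}
MAINTENANCE_WINDOW = (time(22, 0), time(23, 0))  # hypothetical UTC window, non-wrapping


def parse_line(line: str) -> dict:
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in TOKEN.findall(rest)}
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def suspicious_config_events(lines, window=MAINTENANCE_WINDOW) -> list:
    """Config reload / checksum events outside the maintenance window, with the
    user and host that produced them so they can be correlated with change tickets."""
    start, end = window
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") not in CONFIG_EVENTS:
            continue
        if start <= rec["time"].time() < end:
            continue  # inside approved maintenance: expected, not alerted
        hits.append({"time": rec["time"].isoformat(), "host": rec.get("host"),
                     "user": rec.get("user"), "event": rec["event"], "path": rec.get("path")})
    return hits


if __name__ == "__main__":
    for f in config_drift(BASELINE_CONFIG, TAMPERED_CONFIG):
        print("DRIFT:", f)
    for h in suspicious_config_events(AGENT_LOG):
        print("ALERT:", h)
```

Run stand-alone, the script reports six drift findings for the tampered file (the checksum mismatch plus five specific weakenings) and two alerts, both from `ws-042` under the `svc-backup` account at 02:14, while the 22:05 reload on `ws-017` is suppressed as in-window. The semantic checks are the part worth keeping: a hash mismatch alone fires on every legitimate policy push, but "behavioral module disabled and log sink redirected to /dev/null by a backup service account at two in the morning" is a finding an analyst can act on.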