
Configuration Tampering

Configuration tampering is a sub-technique used during the Deepening Control phase to disable or weaken runtime protection services without terminating their processes or uninstalling the security software. Instead of stopping a tool, the attacker modifies the configuration files, registry values, or command-line parameters that govern its behaviour, so the service keeps running but no longer protects anything. Typical changes include raising detection thresholds, disabling individual protection modules, redirecting or silencing logging, and editing the monitoring rules in critical security configurations.

The approach works because the service continues to report normal operation while its defensive functions are disabled or bypassed. Many monitoring setups alert on service termination or a missing process but not on changes to the service's own settings, so tampering with the configuration achieves the same evasion at a lower profile. Detecting it requires treating the protection tool's configuration as an integrity-monitored asset in its own right: baseline it, alert on drift, and verify that thresholds, module state, and log destinations still match policy rather than trusting the service status alone.
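The following Python is an added example, not code from the original page or from any vendor's product. It shows the detection gap described above: a service-status check reports the agent as healthy, while a comparison of its configuration against a known-good baseline reveals that detection has been weakened. The agent configuration schema (field names such as `realtime_protection`, `detection_threshold`, `log_forwarding`) and both sample configurations are constructed for illustration and do not correspond to a real product.

```python
"""Detect configuration tampering of a protection service that is still running.

Added example; the config layout below is a hypothetical EDR-agent schema
constructed for illustration, not any real product's format.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed known-good baseline, as captured at deployment and stored off-host.
BASELINE = {
    "realtime_protection": True,
    "modules": {"memory_scan": True, "script_control": True, "network_filter": True},
    "detection_threshold": 40,  # alert when risk score >= 40
    "log_forwarding": {"enabled": True, "server": "siem.corp.example:6514"},
    "exclusions": ["C:\\Program Files\\Backup\\"],
    "monitoring_rules": ["ransomware_behaviour", "credential_dumping", "lateral_movement"],
}

# Constructed tampered copy: the process is still up and reports healthy,
# but each difference from BASELINE reduces protection.
TAMPERED = {
    "realtime_protection": True,
    "modules": {"memory_scan": False, "script_control": True, "network_filter": True},
    "detection_threshold": 95,
    "log_forwarding": {"enabled": True, "server": "127.0.0.1:6514"},
    "exclusions": ["C:\\Program Files\\Backup\\", "C:\\Users\\Public\\"],
    "monitoring_rules": ["ransomware_behaviour", "lateral_movement"],
}


def fingerprint(config: dict) -> str:
    """Hash a canonical serialisation so any edit, however small, changes the digest."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class Finding:
    setting: str
    detail: str


def weakening_changes(baseline: dict, current: dict) -> list[Finding]:
    """Return only the changes that reduce protection.

    A bare hash mismatch might be a legitimate policy update, so each rule
    names the direction that matters (threshold raised, module turned off,
    log destination moved, exclusion added, rule removed).
    """
    findings = []
    if baseline["realtime_protection"] and not current["realtime_protection"]:
        findings.append(Finding("realtime_protection", "disabled"))
    for name, was_on in baseline["modules"].items():
        if was_on and not current["modules"].get(name, False):
            findings.append(Finding(f"modules.{name}", "module disabled"))
    if current["detection_threshold"] > baseline["detection_threshold"]:
        findings.append(Finding(
            "detection_threshold",
            f"raised {baseline['detection_threshold']} -> {current['detection_threshold']}"))
    b_log, c_log = baseline["log_forwarding"], current["log_forwarding"]
    if b_log["enabled"] and not c_log["enabled"]:
        findings.append(Finding("log_forwarding.enabled", "disabled"))
    elif c_log["server"] != b_log["server"]:
        findings.append(Finding("log_forwarding.server",
                                f"redirected {b_log['server']} -> {c_log['server']}"))
    for path in sorted(set(current["exclusions"]) - set(baseline["exclusions"])):
        findings.append(Finding("exclusions", f"added {path}"))
    for rule in sorted(set(baseline["monitoring_rules"]) - set(current["monitoring_rules"])):
        findings.append(Finding("monitoring_rules", f"removed {rule}"))
    return findings


def assess(baseline: dict, current: dict, service_running: bool) -> dict:
    """Contrast what a service-status check sees with what a config check sees."""
    return {
        "service_running": service_running,
        "config_unchanged": fingerprint(baseline) == fingerprint(current),
        "weakened": weakening_changes(baseline, current),
    }


if __name__ == "__main__":
    result = assess(BASELINE, TAMPERED, service_running=True)
    print("service running:", result["service_running"])    # the status check is satisfied
    print("config unchanged:", result["config_unchanged"])  # the integrity check is not
    for f in result["weakened"]:
        print(f"  {f.setting}: {f.detail}")
```

Run stand-alone, the script reports the service as running and the configuration as changed, then lists five weakening edits: a disabled module, a raised threshold, a redirected log server, an added exclusion, and a removed monitoring rule. The design point is the split between `fingerprint`, which catches any drift and is what a file- or registry-integrity monitor would hash, and `weakening_changes`, which classifies the direction of each change so that a tightened threshold or an added rule does not page anyone while a loosened one does.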