{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/attack.t1489/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["attack.defense-evasion","attack.t1562","attack.impact","attack.t1489"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAttackers may attempt to stop or disable services on a compromised Linux system to impair security tools, disrupt operations, or facilitate further malicious activities. This can involve disabling security software, logging mechanisms, or other critical services that could hinder the attacker\u0026rsquo;s objectives. This activity often forms part of a broader attack campaign aimed at maintaining persistence, evading detection, or causing system-wide disruption. The commands \u003ccode\u003esystemctl\u003c/code\u003e, \u003ccode\u003eservice\u003c/code\u003e, and…\u003c/p\u003e\n","date_modified":"2024-01-09T14:30:00Z","date_published":"2024-01-09T14:30:00Z","id":"/briefs/2024-01-09-linux-service-disable/","summary":"Attackers may halt or disable security services on Linux systems to evade defenses, maintain persistence, or disrupt operations, detected through the use of utilities like 'systemctl', 'service', and 'chkconfig'.","title":"Linux Service Stop and Disable Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-09-linux-service-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.impact","attack.t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are increasingly targeting scheduled tasks to disable critical system functions. This tactic involves using \u003ccode\u003eschtasks.exe\u003c/code\u003e to disable essential tasks related to security, backup, and update mechanisms. By disabling tasks like Windows Defender scans, System Restore points, BitLocker encryption, and Windows Update, adversaries can significantly weaken a system\u0026rsquo;s defenses, making it more vulnerable to data destruction or ransomware attacks. The observed behavior involves the execution of…\u003c/p\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-schtasks-disable/","summary":"Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.","title":"Adversaries Disabling Important Scheduled Tasks","url":"https://feed.craftedsignal.io/briefs/2024-01-schtasks-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.impact","attack.t1489"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to delete scheduled tasks to disable security mechanisms or prevent system recovery, creating an environment conducive to data destruction. This involves using the \u003ccode\u003eschtasks.exe\u003c/code\u003e utility to remove scheduled tasks related to critical system functions. This activity is designed to impair incident response, prevent restoration of systems, and generally increase the impact of an attack. This is done by removing the scheduled tasks, which prevents the execution of security…\u003c/p\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-schtasks-deletion/","summary":"Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.","title":"Deletion of Critical Scheduled Tasks","url":"https://feed.craftedsignal.io/briefs/2024-01-03-schtasks-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Attack.t1489","version":"https://jsonfeed.org/version/1.1"}