MITRE ATT&CK Technique
Defense Evasion T1562
Description

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents. (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Emotet shutdown)

Supported Platforms
Windows, IaaS, Linux, macOS, Containers, Network Devices, Identity Provider, Office Suite, ESXi
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-02-21T20:22:13.470Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may maliciously modify components of a victim '
                'environment in order to hinder or disable defensive '
                'mechanisms. This not only involves impairing preventative '
                'defenses, such as firewalls and anti-virus, but also '
                'detection capabilities that defenders can use to audit '
                'activity and identify malicious behavior. This may also span '
                'both native defenses as well as supplemental capabilities '
                'installed by users and administrators.\n'
                '\n'
                'Adversaries may also impair routine operations that '
                'contribute to defensive hygiene, such as blocking users from '
                'logging out, preventing a system from shutting down, or '
                'disabling or modifying the update process. Adversaries could '
                'also target event aggregation and analysis mechanisms, or '
                'otherwise disrupt these procedures by altering other system '
                'components. These restrictions can further enable malicious '
                'operations as well as the continued propagation of '
                'incidents.(Citation: Google Cloud Mandiant UNC3886 '
                '2024)(Citation: Emotet shutdown)\n'
                '\n',
 'external_references': [{'external_id': 'T1562',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1562'},
                         {'description': ' Punsaen Boonyakarn, Shawn Chew, '
                                         'Logeswaran Nadarajan, Mathew '
                                         'Potaczek, Jakub Jozwiak, and Alex '
                                         'Marvi. (2024, June 18). Cloaked and '
                                         'Covert: Uncovering UNC3886 Espionage '
                                         'Operations. Retrieved September 24, '
                                         '2024.',
                          'source_name': 'Google Cloud Mandiant UNC3886 2024',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations'},
                         {'description': 'The DFIR Report. (2022, November 8). '
                                         'Emotet Strikes Again – LNK File '
                                         'Leads to Domain Wide Ransomware. '
                                         'Retrieved March 6, 2023.',
                          'source_name': 'Emotet shutdown',
                          'url': 'https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/'}],
 'id': 'attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:41.123Z',
 'name': 'Impair Defenses',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Jamie Williams (U ω U), PANW Unit 42',
                          'Liran Ravich, CardinalOps'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows',
                       'IaaS',
                       'Linux',
                       'macOS',
                       'Containers',
                       'Network Devices',
                       'Identity Provider',
                       'Office Suite',
                       'ESXi'],
 'x_mitre_version': '1.7'}
Related Threat Actors (6)
thegentlemen: High
Magic Hound: High
BlackByte: High
hunters: High
medusa: Critical