In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about threat actors linked to Volt Typhoon — a Chinese state-sponsored group that had been living inside U.S. critical infrastructure networks for years. One of their signature moves? They removed legitimate security tools and logging mechanisms from compromised systems to erase their footprints. Not malware deployment. Not zero-day exploits. They simply uninstalled the software designed to catch them.

This tactic is more common than most defenders realize, and it's reshaping how organizations need to think about endpoint protection, monitoring, and security awareness. If your security strategy assumes your tools will always be there to protect you, this post is your wake-up call.

Why Attackers Remove Legitimate Security Software

Here's the logic from the attacker's perspective: why build custom malware to evade a detection tool when you can just uninstall the detection tool?

In the Volt Typhoon campaigns documented by CISA and Microsoft, the attackers removed legitimate logging utilities, disabled Windows Defender, and deleted event logs — all using built-in administrative commands. They used wevtutil to clear logs and PowerShell to disable security services. No fancy exploit kit required.

This is the evolution of "living off the land" tactics. Instead of bringing malicious tools into an environment, threat actors use — and abuse — what's already there. And when a tool gets in their way, they remove it. The 2024 Verizon Data Breach Investigations Report found that system intrusion actions increasingly involve tampering with defenses, not just bypassing them.

The Playbook: How Threat Actors Disable Your Defenses

Uninstalling Endpoint Detection and Response (EDR)

In multiple ransomware incidents I've analyzed, the attacker's first move after gaining administrative access was to uninstall or disable the EDR agent. Groups like BlackCat/ALPHV and LockBit have been documented using tools like "EDRKillShifter" and abusing vulnerabilities in legitimately signed drivers (Bring Your Own Vulnerable Driver attacks) to terminate security processes.

Once they removed legitimate EDR software, they had an open runway. No alerts. No telemetry. No forensic trail. The security operations center saw nothing because the thing generating signals was gone.

Clearing Event Logs and Audit Trails

Windows Event Logs are often the first thing incident responders check. Attackers know this. Volt Typhoon systematically cleared security, system, and application logs on compromised machines. The commands are trivially simple:

  • wevtutil cl Security
  • wevtutil cl System
  • wevtutil cl Application

When responders arrived, the logs that should have told the story were blank. The attackers had destroyed the forensic evidence as deliberately as they had removed the security tools.

Disabling Built-in Security Features

Windows Defender, built-in firewall rules, and tamper protection settings are common targets. Attackers use Group Policy modifications, registry edits, or direct PowerShell commands to disable real-time protection. In one documented case, the Medusa ransomware group used a malicious driver to kill antivirus processes across an entire domain — after they'd already removed legitimate AV management consoles from key servers.

What Does It Look Like When Security Tools Disappear?

This is the question security teams should be asking in every tabletop exercise: how would we know if our tools stopped reporting?

The honest answer for many organizations is: we wouldn't. Not quickly enough, anyway.

Most security operations centers monitor alerts. They watch for spikes in detections. But a sudden absence of telemetry — a machine that stops sending logs, an EDR agent that goes silent — often doesn't trigger the same urgency. The dashboard shows green because nothing bad is being reported. But nothing is being reported because the reporter was killed.

I've seen environments where an endpoint went dark for 72 hours before anyone noticed. That's 72 hours of unmonitored access for the attacker. In ransomware timelines, that's enough to exfiltrate data, establish persistence across the domain, and stage the encryption payload.

The $4.88M Reason You Need to Detect Tool Tampering

IBM's 2024 Cost of a Data Breach Report pegged the global average cost at $4.88 million — the highest ever recorded. Breaches involving destructive attacks or where attackers had extended dwell time were significantly more expensive.

When attackers removed legitimate defenses and operated undetected for weeks or months, the cost multiplied. The Volt Typhoon campaign is a worst-case example: threat actors maintained access to critical infrastructure for potentially years, with the intent to pre-position for disruptive attacks.

Your organization doesn't need to be a utility company to face this tactic. Ransomware crews hitting mid-market businesses use the same playbook. They gain access through credential theft or social engineering, escalate privileges, disable security tools, and deploy ransomware — often in under 48 hours.

How to Detect When Someone Has Removed Legitimate Tools

Here's the practical guidance. These are the controls that actually catch this behavior.

1. Monitor for Agent Heartbeat Failures

Every EDR and antivirus platform has a heartbeat — a periodic check-in with a management console. Configure alerts for when any endpoint misses two or more consecutive heartbeats. Treat a silent endpoint as a high-priority investigation, not a maintenance ticket.
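One way to implement the heartbeat rule, and the "silence from an endpoint is not safety" point made earlier, as an added example that is not the post's own code: it assumes a five-minute agent check-in interval, and the check-in table is constructed sample data standing in for what a management console would export.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=5)   # assumed agent check-in interval
MISSED_THRESHOLD = 2              # alert at two missed check-ins, as recommended above

# Constructed sample data: hostname -> last heartbeat the console received (ISO 8601)
SAMPLE_CHECKINS = {
    "ws-finance-07": "2024-02-08T09:55:00",
    "srv-dc-01":     "2024-02-08T09:12:00",   # silent for 48 minutes
    "ws-hr-22":      "2024-02-08T09:51:00",
    "srv-file-03":   "2024-02-08T08:30:00",   # silent for 90 minutes
}


def missed_heartbeats(last_seen_iso, now_iso, interval=INTERVAL):
    """Whole check-in intervals elapsed since the last heartbeat."""
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_seen_iso)
    if elapsed < timedelta(0):
        return 0                  # clock skew: a future timestamp is not a missed beat
    return elapsed // interval    # timedelta // timedelta gives an int


def silent_endpoints(checkins, now_iso, threshold=MISSED_THRESHOLD, interval=INTERVAL):
    """Return (host, missed_count, minutes_silent) for every endpoint at or over
    the threshold, longest silence first. Each entry is an investigation, not a
    maintenance ticket."""
    now = datetime.fromisoformat(now_iso)
    silent = []
    for host, last_iso in checkins.items():
        missed = missed_heartbeats(last_iso, now_iso, interval)
        if missed >= threshold:
            minutes = int((now - datetime.fromisoformat(last_iso)).total_seconds() // 60)
            silent.append((host, missed, minutes))
    return sorted(silent, key=lambda entry: entry[2], reverse=True)


if __name__ == "__main__":
    for host, missed, minutes in silent_endpoints(SAMPLE_CHECKINS, "2024-02-08T10:00:00"):
        print(f"ALERT {host}: {missed} missed heartbeats, silent for {minutes} min")
```

Run against a real console export the same way: feed it the last-seen column and the current time, and page on anything it returns.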

2. Ship Logs Off-Box Immediately

If logs only exist on the local machine, the attacker controls them. Forward security logs to a centralized SIEM or log aggregation platform in real time. CISA's Volt Typhoon advisory specifically recommended centralized logging as a key mitigation.

3. Use Tamper Protection — and Monitor Its Status

Windows Defender and most enterprise EDR solutions offer tamper protection features that prevent unauthorized uninstallation or disabling. Turn them on. Then monitor for attempts to disable them. An attempt to turn off tamper protection is, by itself, a high-fidelity indicator of compromise.

4. Alert on Security Software Uninstallation Events

Windows generates specific event log entries when software is uninstalled. Create detection rules for the removal of your security tooling. If someone removed legitimate AV or EDR software outside a change management window, your SOC should know within minutes.
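A small rule set over the uninstall and log-clearing events described here and under "Clearing Event Logs and Audit Trails", as an added example that is not from the original post. Event IDs 1102 (Security log cleared), 104 (System log cleared), 11724 (MsiInstaller removal completed) and 5001 (Defender real-time protection disabled) are real Windows identifiers; the product names, account names, timestamps and change window are constructed.

```python
import re

# Watchlist of security products whose uninstallation should page the SOC
# (constructed names: substitute your own EDR/AV/log-forwarder product strings).
SECURITY_PRODUCTS = ("EDR Agent", "Endpoint Protection", "Log Forwarder")
# Approved change windows (ISO 8601 start, end); removals inside them are expected.
CHANGE_WINDOWS = [("2024-02-08T22:00:00", "2024-02-09T02:00:00")]
FIELDS = ("time", "channel", "event_id", "user", "message")
# Constructed sample events, shaped like Windows event records after forwarding.
SAMPLE_EVENTS = [dict(zip(FIELDS, rec)) for rec in [
    ("2024-02-08T09:14:02", "Security", 1102, "CORP\\svc_backup",
     "The audit log was cleared."),
    ("2024-02-08T09:14:05", "System", 104, "CORP\\svc_backup",
     "The System log file was cleared."),
    ("2024-02-08T09:15:40", "Application", 11724, "CORP\\svc_backup",
     "Product: Acme EDR Agent -- Removal completed successfully."),
    ("2024-02-08T09:16:10", "Microsoft-Windows-Windows Defender/Operational", 5001,
     "SYSTEM", "Real-time protection is disabled."),
    ("2024-02-08T10:00:00", "Application", 11724, "CORP\\jsmith",
     "Product: Notepad++ -- Removal completed successfully."),
    ("2024-02-08T23:05:00", "Application", 11724, "CORP\\deploy",
     "Product: Acme EDR Agent -- Removal completed successfully."),
]]

def in_change_window(ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)  # ISO strings sort lexically

def classify(event):
    """Map one event to a tampering category, or None if it is not of interest."""
    ch, eid, msg = event["channel"], event["event_id"], event["message"]
    if (ch, eid) in {("Security", 1102), ("System", 104)}:
        return "log_cleared"                       # what 'wevtutil cl' leaves behind
    if (ch, eid) == ("Application", 11724):        # MsiInstaller: product removed
        m = re.match(r"Product: (.+?) -- Removal completed successfully", msg)
        if m and any(p.lower() in m.group(1).lower() for p in SECURITY_PRODUCTS):
            return "security_tool_removed"
    if ch.startswith("Microsoft-Windows-Windows Defender") and eid == 5001:
        return "defender_realtime_disabled"
    return None

def detect(events):
    """Return (time, category, user) for every event that should alert, oldest first."""
    alerts = []
    for ev in events:
        kind = classify(ev)
        if kind == "security_tool_removed" and in_change_window(ev["time"]):
            continue                               # expected removal inside an approved window
        if kind is not None:
            alerts.append((ev["time"], kind, ev["user"]))
    return sorted(alerts)
```

In the sample, one account clears two logs and removes the EDR agent within two minutes, which is the sequence the SOC should treat as a single tool-tampering incident rather than three unrelated tickets.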

5. Implement Zero Trust Architecture

Zero trust assumes no user or device is inherently trusted, even inside the network. This limits the blast radius when an attacker does compromise a system. If every access request requires verification, removing security tools from one machine doesn't give the attacker a free pass across your environment. NIST SP 800-207 provides the foundational framework for implementing zero trust.

6. Restrict Administrative Privileges Aggressively

Attackers can only uninstall security tools if they have admin rights. Most of these attacks begin with credential theft — a phishing email that captures domain admin credentials, or a social engineering call that tricks a helpdesk employee into resetting a password. The fewer accounts with local admin or domain admin privileges, the harder this attack becomes.

The Human Layer: Where Most of These Attacks Start

Let's trace the kill chain backward. The attacker removed legitimate security tools. Before that, they escalated to admin privileges. Before that, they moved laterally. Before that, they established initial access. And that initial access? In the vast majority of cases, it started with a person.

The 2024 Verizon DBIR found that 68% of breaches involved a human element — phishing, social engineering, credential misuse, or simple errors. The sophisticated endgame of disabling EDR tools begins with an unsophisticated phishing email that someone clicked.

This is why cybersecurity awareness training for your entire organization isn't optional — it's the first control in the chain. Your people need to recognize phishing attempts, suspicious requests, and social engineering tactics before an attacker ever reaches the point where they can tamper with your tools.

And generic annual training doesn't cut it. You need ongoing phishing awareness training with realistic simulations that test your employees against the actual tactics threat actors use today. Phishing simulation programs measurably reduce click rates over time. That directly reduces the probability that an attacker gets the initial foothold they need to start disabling your defenses.

What Is Tool Tampering and Why Should Defenders Prioritize It?

Tool tampering is the deliberate disabling, uninstalling, or modification of legitimate security software by an attacker who has gained privileged access to a system. Defenders should prioritize detecting it because it represents a late-stage indicator of compromise — by the time an attacker is removing your security tools, they already have significant access and are preparing for their final objective, whether that's data exfiltration, ransomware deployment, or persistent espionage. Detecting tool tampering quickly is often the last chance to stop an attack before maximum damage occurs.

Building a Detection Strategy That Assumes Failure

The uncomfortable truth: every security tool can be bypassed or removed given sufficient access. Your architecture needs to assume this.

Layer your defenses so that no single tool's removal creates a blind spot. If your EDR goes down, your network detection should still see lateral movement. If local logs get cleared, your centralized SIEM should have copies. If one admin account gets compromised, multi-factor authentication and privileged access management should limit how far the attacker can go.

Run adversary simulation exercises where the red team's explicit objective is to disable security tooling. Measure how long it takes your blue team to detect the absence. If the answer is "they didn't," you've found your most critical gap.

Practical Checklist for This Week

  • Audit tamper protection settings on every endpoint. Confirm they're enabled and enforced via policy.
  • Create heartbeat alerts for your EDR and AV platforms. Set thresholds at two missed check-ins.
  • Review admin account inventory. Disable or downgrade any account with unnecessary privileges.
  • Verify centralized logging is capturing security events from all critical systems.
  • Schedule a phishing simulation targeting credential harvesting scenarios — the most common entry point for these attacks.
  • Brief your SOC on tool tampering as a tactic. Make sure analysts understand that silence from an endpoint is not the same as safety.

The Attacker's Advantage Is Your Complacency

Threat actors who removed legitimate security software from their targets didn't use magic. They used admin credentials they stole through phishing. They used built-in operating system commands. They exploited the fact that most organizations monitor for malicious additions to their environment but not malicious subtractions.

Your security stack is only as strong as your ability to detect when it's being dismantled. That means technical controls like heartbeat monitoring, centralized logging, and tamper protection. It means architectural decisions like zero trust and least privilege. And it means investing in the human layer — because the chain that ends with an attacker uninstalling your EDR almost always starts with a phishing email that someone fell for.

Start with your people. Equip them with practical security awareness training and test them regularly with phishing simulations that mirror real-world attacks. Then harden the technical controls that protect your tools from tampering. Because in 2024, the attacker's most powerful move isn't deploying malware — it's removing the software you trusted to stop them.