A common best practice by adversaries is Disabling Security Tools (Mitre Att&ck T1089). There are multiple documented cases, including Agent Tesla, Brave Prince, DarkComet, and Gold Dragon, just to name a few. When your endpoint security software (AV, NGAV, EDR, PAM, etc.) is disabled, the adversary has free undetectable reign over your system, can easily ransom your data or exfiltrate it without your knowledge, and wipe every trace of what they did.
Relying solely on security software is insufficient against such attacks. Hardware integration is the only reliable mitigation.