Impair Defenses

Adversaries may maliciously modify a victim system in order hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

ID: T1562
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, User
Data Sources: API monitoring, Anti-virus, Authentication logs, Environment variable, File monitoring, Process command-line parameters, Process monitoring, Services, Windows Registry
Defense Bypassed: Anti-virus, Digital Certificate Validation, File monitoring, Firewall, Host forensic analysis, Host intrusion prevention systems, Log analysis, Signature-based detection
Version: 1.0
Created: 21 February 2020
Last Modified: 29 March 2020

Mitigations

Mitigation Description
Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

Detection

Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.

Monitor environment variables and APIs that can be leveraged to disable security measures.