Thanks to all of our ATT&CKcon participants. All sessions are here, and individual presentations will be posted soon.

Indicator Blocking

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include modifying sensor settings stored in configuration files and/or Registry keys to disable or maliciously redirect event telemetry. [1]

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

ID: T1054

Tactic: Defense Evasion

Platform:  Windows

Data Sources:  Sensor health and status, Process command-line parameters, Process monitoring

Defense Bypassed:  Anti-virus, Log analysis, Host intrusion prevention systems

CAPEC ID:  CAPEC-571

Version: 1.0

Mitigation

Ensure event tracers/forwarders [2], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

Detection

Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.

Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or connection to be blocked.

References