Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.[1][2]

ID: T1562
Tactic: Defense Evasion
Platforms: Containers, IaaS, Identity Provider, Linux, Network, Office Suite, Windows, macOS
Defense Bypassed: Anti-virus, Digital Certificate Validation, File monitoring, Firewall, Host forensic analysis, Host intrusion prevention systems, Log analysis, Signature-based detection
Contributors: Jamie Williams (U ω U), PANW Unit 42; Liran Ravich, CardinalOps
Version: 1.6
Created: 21 February 2020
Last Modified: 14 October 2024

Procedure Examples

ID Name Description
G0059 Magic Hound

Magic Hound has disabled LSA protection on compromised hosts using reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f.[3]

S0603 Stuxnet

Stuxnet reduces the integrity level of objects to allow write actions.[4]

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.

M1038 Execution Prevention

Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.

M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1054 Software Configuration

Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[5]

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Disable

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[6] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[7] In Azure, monitor for az monitor diagnostic-settings delete.[8] Additionally, a sudden loss of a log source may indicate that it has been disabled.
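The following is an added detection example, not code from MITRE ATT&CK or from any cloud provider. It applies the API names listed above as a rule table over audit-log records. The CloudTrail ("eventName", "userIdentity.arn") and GCP ("protoPayload.methodName", "protoPayload.authenticationInfo.principalEmail") field paths follow those providers' published audit-log schemas; the Azure activity-log operation name "Microsoft.Insights/diagnosticSettings/delete" (the record that the az monitor diagnostic-settings delete command produces) and the "caller" field are assumptions. All sample records are constructed.

```python
"""Flag cloud audit-log records that stop, delete or reroute logging (T1562, DS0025)."""
from typing import Any, Dict, List, Tuple

# One rule per provider: where the operation name lives in the record, which
# operations indicate logging being disabled, and where to find actor and time.
# AWS and GCP paths match the providers' audit-log schemas; the Azure entries
# are an assumption for this example.
LOGGING_DISABLE_RULES: Dict[str, Dict[str, Any]] = {
    "aws": {
        "operation": "eventName",
        "suspicious": {"StopLogging", "DeleteTrail"},
        "actor": "userIdentity.arn",
        "time": "eventTime",
    },
    "gcp": {
        "operation": "protoPayload.methodName",
        "suspicious": {"google.logging.v2.ConfigServiceV2.UpdateSink"},
        "actor": "protoPayload.authenticationInfo.principalEmail",
        "time": "timestamp",
    },
    "azure": {
        "operation": "operationName",
        "suspicious": {"Microsoft.Insights/diagnosticSettings/delete"},  # assumption
        "actor": "caller",
        "time": "eventTimestamp",
    },
}


def _get(record: Dict[str, Any], dotted_path: str, default: Any = None) -> Any:
    """Walk a nested dict by a dotted path, e.g. 'protoPayload.methodName'."""
    cur: Any = record
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def find_logging_tampering(events: List[Tuple[str, Dict[str, Any]]]) -> List[Dict[str, str]]:
    """Return one finding per record whose operation is in the provider's suspicious set.

    `events` is a list of (provider, record) pairs as a multi-cloud collector might
    hand them over after routing each record to its source provider.
    """
    findings = []
    for provider, record in events:
        rule = LOGGING_DISABLE_RULES.get(provider)
        if rule is None:
            continue
        operation = _get(record, rule["operation"])
        if operation in rule["suspicious"]:
            findings.append({
                "provider": provider,
                "operation": operation,
                "actor": _get(record, rule["actor"], "<unknown>"),
                "time": _get(record, rule["time"], "<unknown>"),
            })
    return findings


# Constructed sample records: one benign AWS read call and one disabling event
# per provider. Identities and trail names are placeholders.
SAMPLE_EVENTS: List[Tuple[str, Dict[str, Any]]] = [
    ("aws", {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeTrails",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"}}),
    ("aws", {"eventTime": "2024-05-01T10:02:13Z", "eventName": "StopLogging",
             "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
             "requestParameters": {"name": "org-trail"}}),
    ("gcp", {"timestamp": "2024-05-01T10:05:00Z",
             "protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                              "authenticationInfo": {"principalEmail": "svc@example.iam.gserviceaccount.com"}}}),
    ("azure", {"eventTimestamp": "2024-05-01T10:07:00Z",
               "operationName": "Microsoft.Insights/diagnosticSettings/delete",
               "caller": "ops@example.onmicrosoft.com"}),
]

if __name__ == "__main__":
    for finding in find_logging_tampering(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['provider']}: {finding['operation']} by {finding['actor']}")
```

In production the rule table is the part worth keeping: the actor and time fields let an analyst correlate the disabling call with the change-management record it should have, and a hit with no matching change is the alert.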

Cloud Service Modification

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

DS0017 Command Command Execution

Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0027 Driver Driver Load

Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

DS0022 File File Deletion

Monitor for missing log files on hosts and services with known active periods.

File Modification

Monitor changes made to configuration files that contain settings for logging and defensive tools.

DS0018 Firewall Firewall Disable

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

Firewall Rule Modification

Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0009 Process OS API Execution

Monitor for the abnormal execution of API functions associated with system logging.

Process Creation

Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

Process Modification

Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.

Process Termination

Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0012 Script Script Execution

Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0013 Sensor Health Host Status

Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) for signs that an adversary has modified or disabled them to hinder defensive mechanisms. Lack of log events may be suspicious.
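An added example of the "lack of log events" check above; it is not MITRE's code. Each source's expected cadence is learned from the median gap between its own past events, and a source is reported once it has been quiet for longer than a multiple of that cadence. The timestamps below are constructed; the source names and the factor of 3 are assumptions to tune per environment.

```python
"""Report log sources that have gone quiet relative to their own usual cadence (T1562, DS0013)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def baseline_interval(timestamps: List[datetime]) -> Optional[float]:
    """Median seconds between consecutive events; None if fewer than two events exist."""
    ordered = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ordered, ordered[1:])]
    return statistics.median(gaps) if gaps else None


def find_silent_sources(events: List[Tuple[str, datetime]], now: datetime,
                        factor: float = 3.0) -> List[Dict[str, object]]:
    """Return sources whose newest event is older than factor * their baseline cadence.

    `events` is a list of (source, timestamp) pairs as pulled from a SIEM or a
    forwarder's heartbeat table. Sources with a single event have no cadence yet
    and are skipped rather than guessed at.
    """
    by_source: Dict[str, List[datetime]] = defaultdict(list)
    for source, ts in events:
        by_source[source].append(ts)

    silent = []
    for source, stamps in by_source.items():
        cadence = baseline_interval(stamps)
        if cadence is None:
            continue
        quiet_for = (now - max(stamps)).total_seconds()
        if quiet_for > factor * cadence:
            silent.append({"source": source,
                           "expected_every_s": cadence,
                           "silent_for_s": quiet_for})
    # Worst offenders first: longest silence relative to what the source normally does.
    return sorted(silent, key=lambda f: f["silent_for_s"] / f["expected_every_s"], reverse=True)


# Constructed sample: web-01 normally logs every minute and stops at 09:10,
# db-01 logs every five minutes and is still on schedule, lab-99 has one event.
_T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS: List[Tuple[str, datetime]] = (
    [("web-01", _T0 + timedelta(seconds=60 * i)) for i in range(11)]
    + [("db-01", _T0 + timedelta(seconds=300 * i)) for i in range(4)]
    + [("lab-99", _T0)]
)
NOW = _T0 + timedelta(minutes=20)

if __name__ == "__main__":
    for finding in find_silent_sources(SAMPLE_EVENTS, NOW):
        print(f"{finding['source']}: silent for {finding['silent_for_s']:.0f}s, "
              f"usually logs every {finding['expected_every_s']:.0f}s")
```

The per-source baseline matters because a fixed global timeout either pages on chatty sources that pause briefly or misses quiet sources that were stopped hours ago; a source that is silent for three times its own median gap is an outlier by its own history.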

DS0019 Service Service Metadata

Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, for changes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0002 User Account User Account Modification

Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[9]

DS0024 Windows Registry Windows Registry Key Deletion

Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

Windows Registry Key Modification

Monitor Registry edits for modifications to services and startup programs that correspond to security tools.
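An added example, not MITRE's or Microsoft's code, that serves three of the detection rows above: the firewall-stopped events 5025 and 5034, the process-termination events Sysmon EID 5 and Windows EID 4689, and the Registry modifications to security-tool services and to the RunAsPPL value that the Magic Hound procedure example sets to 0. Events are flat dicts as a log forwarder would emit them. The Sysmon EID 13 "TargetObject"/"Details" fields and the "DWORD (0x...)" detail format are Sysmon's own; the watched service and process names (WinDefend, MpsSvc, MsMpEng.exe and so on), a service Start value of 4 meaning disabled, and the "channel"/"event_id"/"host"/"time" field names are assumptions to replace with the organisation's own tooling and schema. The sample events are constructed.

```python
"""Classify Windows event records for defense-impairment indicators (T1562)."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Example names only (assumption): substitute the EDR/AV/logging components
# actually deployed. Service names are the SCM names under ...\Services\<name>.
WATCHED_SERVICES = {"WinDefend", "Sense", "MpsSvc", "EventLog"}
WATCHED_PROCESSES = {"MsMpEng.exe", "MsSense.exe"}


def _reg_path_parts(target: str) -> List[str]:
    """Split a Sysmon TargetObject such as HKLM\\...\\Services\\X\\Start into its components."""
    return target.replace("/", "\\").split("\\")


def classify_event(evt: Dict) -> Optional[str]:
    """Return a finding label for one event, or None when nothing matches."""
    chan, eid = evt.get("channel"), evt.get("event_id")

    # Windows Security Auditing: firewall service or driver stopped.
    if chan == "Security" and eid == 5025:
        return "firewall_service_stopped"
    if chan == "Security" and eid == 5034:
        return "firewall_driver_stopped"

    # Sysmon EID 13 (RegistryEvent, value set): LSA protection or a security
    # service's Start type changed.
    if chan == "Sysmon" and eid == 13:
        parts = _reg_path_parts(evt.get("TargetObject", ""))
        low = [p.lower() for p in parts]
        details = evt.get("Details", "")
        if low[-2:] == ["lsa", "runasppl"] and details.endswith("0x00000000)"):
            return "lsa_protection_disabled"
        if (len(low) >= 3 and low[-3] == "services" and low[-1] == "start"
                and parts[-2] in WATCHED_SERVICES and details.endswith("0x00000004)")):
            return f"security_service_disabled:{parts[-2]}"

    # Process termination: Sysmon EID 5 carries Image, Security 4689 carries ProcessName.
    if (chan, eid) in {("Sysmon", 5), ("Security", 4689)}:
        image = evt.get("Image") or evt.get("ProcessName") or ""
        name = ntpath.basename(image)
        if name in WATCHED_PROCESSES:
            return f"security_process_terminated:{name}"

    return None


def find_impairment(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (time, host, label) for every event that classify_event flags."""
    findings = []
    for evt in events:
        label = classify_event(evt)
        if label is not None:
            findings.append((evt.get("time", "<unknown>"), evt.get("host", "<unknown>"), label))
    return findings


# Constructed sample events from one host: a benign process exit, then a
# sequence that a defender would want to see together.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-05-01T10:00:01Z", "host": "WS01", "channel": "Security", "event_id": 4689,
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"time": "2024-05-01T10:00:02Z", "host": "WS01", "channel": "Security", "event_id": 5025},
    {"time": "2024-05-01T10:00:03Z", "host": "WS01", "channel": "Sysmon", "event_id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL",
     "Details": "DWORD (0x00000000)"},
    {"time": "2024-05-01T10:00:04Z", "host": "WS01", "channel": "Sysmon", "event_id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start",
     "Details": "DWORD (0x00000004)"},
    {"time": "2024-05-01T10:00:05Z", "host": "WS01", "channel": "Sysmon", "event_id": 5,
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"time": "2024-05-01T10:00:06Z", "host": "WS01", "channel": "Sysmon", "event_id": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\RunAsPPL",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for time, host, label in find_impairment(SAMPLE_EVENTS):
        print(f"{time} {host} {label}")
```

Each label on its own may have a benign explanation (a patch cycle restarts services and rewrites Start values), so the value of the classifier is in feeding a correlation rule: several of these labels from one host within a short window is the pattern the technique describes.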
