Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves impairing not only preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses and supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

| ID | Mitigation | Description |
|---|---|---|
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |

Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.
Monitor environment variables and APIs that can be leveraged to disable security measures.
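
One way to apply the process and log-gap monitoring described above, as an added example that is not part of the original page: it flags command lines that pair a stop/kill verb with a watched service, and reports hosts whose telemetry goes silent. The watchlist names, the `(timestamp, host, command line)` event shape, the sample events and the 30-minute threshold are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: names of the security/logging services to protect in your estate.
WATCHED = ("auditd", "rsyslog", "sysmon", "windefend", "eventlog")
# Common service-control and process-kill verbs as they appear in command lines.
STOP_VERBS = re.compile(
    r"\b(systemctl\s+(stop|disable|mask)|sc(\.exe)?\s+(stop|delete)|"
    r"net\s+stop|stop-service|taskkill|pkill|killall)\b", re.I)

# Constructed process-creation events: (timestamp, host, command line).
SAMPLE = [
    ("2024-05-01T10:00:05", "web01", "systemctl status auditd"),
    ("2024-05-01T10:00:40", "web01", "systemctl stop auditd"),
    ("2024-05-01T10:01:10", "ws07", "sc.exe stop Sysmon"),
    ("2024-05-01T10:01:30", "ws07", "net stop Spooler"),
    ("2024-05-01T10:02:00", "db02", "systemctl restart nginx"),
    ("2024-05-01T10:47:00", "web01", "ls -la /var/log"),
    ("2024-05-01T10:03:00", "ws07", "whoami"),
]

def parse(events):
    """Convert ISO timestamps to datetime objects."""
    return [(datetime.fromisoformat(t), h, c) for t, h, c in events]

def stop_commands(events):
    """Events whose command line pairs a stop/kill verb with a watched service."""
    hits = []
    for _, host, cmd in parse(events):
        low = cmd.lower()
        names = any(re.search(rf"\b{re.escape(s)}\b", low) for s in WATCHED)
        if names and STOP_VERBS.search(low):
            hits.append((host, cmd))
    return hits

def silent_gaps(events, max_gap=timedelta(minutes=30)):
    """Per host, intervals longer than max_gap in which no event arrived."""
    by_host = {}
    for ts, host, _ in parse(events):
        by_host.setdefault(host, []).append(ts)
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        gaps += [(host, a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
    return gaps
```

In the constructed sample, the silent interval on `web01` begins at the `systemctl stop auditd` event, which is the correlation an analyst would look for when a logging source goes quiet.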