Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

ID: T1562
Tactic: Defense Evasion
Platforms: Containers, IaaS, Linux, Office 365, Windows, macOS
Permissions Required: Administrator, User
Data Sources: Cloud Service: Cloud Service Disable, Cloud Service: Cloud Service Modification, Command: Command Execution, Firewall: Firewall Disable, Firewall: Firewall Rule Modification, Process: Process Termination, Script: Script Execution, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Defense Bypassed: Anti-virus, Digital Certificate Validation, File monitoring, Firewall, Host forensic analysis, Host intrusion prevention systems, Log analysis, Signature-based detection
Version: 1.1
Created: 21 February 2020
Last Modified: 24 April 2021

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

Detection

Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious.

Monitor environment variables and APIs that can be leveraged to disable security measures.