Impair Defenses: Indicator Blocking

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting[1] or even disabling host-based sensors, such as Event Tracing for Windows (ETW)[2], by tampering with the settings that control the collection and flow of event telemetry.[3] These settings may be stored on the system in configuration files and/or in the Registry, and they are also reachable through administrative utilities such as PowerShell or Windows Management Instrumentation.

For example, adversaries may modify the File value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.[4]

ETW collection can be interrupted in several ways. The most direct are reconfiguring a provider or trace session with the PowerShell Set-EtwTraceProvider cmdlet, or editing the Registry values that back those sessions directly.

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring and to facilitate follow-on behaviors.[5]

ID: T1562.006
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host intrusion prevention systems
Contributors: Lucas Heiligenstein; Rob Smith
Version: 1.3
Created: 19 March 2020
Last Modified: 18 September 2023

Procedure Examples

ID Name Description
S1063 Brute Ratel C4

Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Anti Malware Scan Interface (AMSI).[6][7]

S0377 Ebury

Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility.[8]

S0697 HermeticWiper

HermeticWiper has the ability to set the HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled Registry value to 0 in order to disable crash dumps.[9][10][11]

S0579 Waterbear

Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection.[12]

S1065 Woody RAT

Woody RAT has suppressed all error reporting by calling SetErrorMode with 0x8007 as a parameter.[13]

Mitigations

ID Mitigation Description
M1022 Restrict File and Directory Permissions

Ensure event tracers/forwarders [14], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.

M1054 Software Configuration

Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

M1018 User Account Management

Ensure event tracers/forwarders [14], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.

Analytic 1 - Indicator Blocking - Driver Unloaded

fltmc_processes = filter processes where (exe = "fltmc.exe" AND command_line = "*unload*")

The comparison on command_line has to be a wildcard or substring match: an exact comparison against "unload" never fires, because the logged command line also carries the executable name and the driver being unloaded (for example fltmc unload SysmonDrv).
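The analytic above carried through as runnable detection logic over constructed Sysmon Event ID 1 (process creation) records. This is an added example, not code from the ATT&CK page or from any vendor. It matches the executable by basename and requires "unload" as the first argument, so `fltmc filters` and an unrelated binary that happens to be named unload.exe do not fire, and it extracts the driver being unloaded. Keying on the verb rather than on a driver name is deliberate: Sysmon's driver is SysmonDrv by default but can be renamed at install time with `-d`. The records, hostnames and timestamps are constructed; field names follow Sysmon's event schema.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# Field names follow Sysmon's event schema (Image, CommandLine, ParentImage, ...).
SAMPLE_PROCESS_EVENTS = [
    {"UtcTime": "2024-03-01 10:00:01", "Computer": "WS01",
     "Image": r"C:\Windows\System32\fltMC.exe", "CommandLine": "fltmc filters",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # benign: lists filters
    {"UtcTime": "2024-03-01 10:02:17", "Computer": "WS01",
     "Image": r"C:\Windows\System32\fltMC.exe", "CommandLine": 'fltmc.exe unload "SysmonDrv"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # unloads Sysmon's minifilter
    {"UtcTime": "2024-03-01 10:05:44", "Computer": "WS02",
     "Image": r"C:\Windows\SysWOW64\fltMC.exe",
     "CommandLine": r"C:\Windows\SysWOW64\fltMC.exe UNLOAD WdFilter",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # full path, odd case
    {"UtcTime": "2024-03-01 10:06:00", "Computer": "WS03",
     "Image": r"C:\Windows\System32\fltMC.exe", "CommandLine": "fltmc load bindflt",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},                   # benign: load, not unload
    {"UtcTime": "2024-03-01 10:07:30", "Computer": "WS03",
     "Image": r"C:\Tools\unload.exe", "CommandLine": "unload.exe --all",
     "ParentImage": r"C:\Windows\explorer.exe"},                           # not fltmc at all
]

# One argument per match: either a double-quoted run or a run of non-whitespace.
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _ARG.findall(cmdline)]


def minifilter_unload(event):
    """Return the driver named in an 'fltmc unload <driver>' invocation, or None.

    Matching is done on the image basename and the first argument, so the check is
    independent of path, case, quoting and of whichever driver name Sysmon was given.
    """
    if ntpath.basename(event["Image"]).lower() != "fltmc.exe":
        return None
    args = split_windows_cmdline(event["CommandLine"])[1:]   # drop argv[0]
    if not args or args[0].lower() != "unload":
        return None
    return args[1] if len(args) > 1 else ""   # "" = unload invoked with no driver given


def find_minifilter_unloads(events):
    """Apply the analytic to a batch of process-creation events."""
    hits = []
    for e in events:
        driver = minifilter_unload(e)
        if driver is None:
            continue
        hits.append({"host": e["Computer"], "time": e["UtcTime"], "driver": driver,
                     "parent": ntpath.basename(e["ParentImage"]).lower()})
    return hits


if __name__ == "__main__":
    for hit in find_minifilter_unloads(SAMPLE_PROCESS_EVENTS):
        print(f"{hit['time']} {hit['host']}: minifilter {hit['driver']!r} unloaded "
              f"via fltmc (parent {hit['parent']})")
```

Running the block on the sample reports two unloads (SysmonDrv on WS01 and WdFilter on WS02) and nothing for the `fltmc filters`, `fltmc load` and unload.exe records. In production the parent process is the first triage field: fltmc unload launched from a shell or PowerShell spawned by a user session deserves a different response than one launched by an installer.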

DS0013 Sensor Health Host Status

Detect a lack of reported activity from a host sensor. Different blocking methods disrupt reporting differently: a host may suddenly stop reporting all data, or only certain kinds of data. Depending on the host information collected, an analyst may be able to identify the event that stopped the process or blocked the connection. For example, Sysmon logs a change to its own configuration state as Event ID 16, and Windows Management Instrumentation (WMI) can be used to subscribe to the ETW providers that log the removal of a provider from a given trace session.[3]
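The sensor-health check described above, as an added example that is not part of the ATT&CK page: given the latest activity of each host on each expected telemetry channel, it reports hosts that have gone completely silent (what a stopped forwarder or a host-firewall rule toward the SIEM looks like from the collector's side) separately from hosts where only one channel stopped (a single sensor unloaded or an autologger provider disabled). Hosts, channel names and timestamps are constructed; `known_hosts` is an assumed asset-inventory list so that hosts which never reported at all are caught as well.

```python
from collections import defaultdict
from datetime import datetime

# Constructed per-host sensor activity as (host, channel, UTC timestamp), not real telemetry.
# WS01 keeps reporting on both channels; WS02 loses only its Sysmon channel after 10:00
# (a single sensor stopped); WS03 stops reporting everything after 10:00 (forwarder
# killed, or traffic to the SIEM blocked by a host firewall rule).
SAMPLE_SENSOR_EVENTS = [
    ("WS01", "sysmon", "2024-03-01T10:00:00"), ("WS01", "security", "2024-03-01T10:00:05"),
    ("WS01", "sysmon", "2024-03-01T10:10:00"), ("WS01", "security", "2024-03-01T10:10:05"),
    ("WS01", "sysmon", "2024-03-01T10:20:00"), ("WS01", "security", "2024-03-01T10:20:05"),
    ("WS02", "sysmon", "2024-03-01T10:00:00"), ("WS02", "security", "2024-03-01T10:00:05"),
    ("WS02", "security", "2024-03-01T10:10:05"), ("WS02", "security", "2024-03-01T10:20:05"),
    ("WS03", "sysmon", "2024-03-01T10:00:00"), ("WS03", "security", "2024-03-01T10:00:05"),
]
EXPECTED_CHANNELS = ("sysmon", "security")   # assumed: every host must feed both channels


def last_seen_by_host(events):
    """Latest timestamp per (host, channel)."""
    seen = defaultdict(dict)
    for host, channel, ts in events:
        t = datetime.fromisoformat(ts)
        if channel not in seen[host] or t > seen[host][channel]:
            seen[host][channel] = t
    return seen


def check_sensor_health(events, now, max_gap_minutes=15,
                        expected=EXPECTED_CHANNELS, known_hosts=()):
    """Report hosts whose sensors have gone quiet, evaluated at time `now`.

    status 'silent'  : no expected channel reported within max_gap_minutes (or ever)
    status 'partial' : some channels still report while others stopped
    known_hosts      : inventory hosts to evaluate even if they never sent anything
    """
    now_t = datetime.fromisoformat(now)
    seen = last_seen_by_host(events)
    findings = {}
    for host in sorted(set(seen) | set(known_hosts)):
        chans = seen.get(host, {})
        silent = [c for c in expected
                  if c not in chans
                  or (now_t - chans[c]).total_seconds() > max_gap_minutes * 60]
        if not silent:
            continue
        findings[host] = {
            "status": "silent" if len(silent) == len(expected) else "partial",
            "silent_channels": silent,
            "last_seen": max(chans.values()).isoformat() if chans else None,
        }
    return findings


if __name__ == "__main__":
    report = check_sensor_health(SAMPLE_SENSOR_EVENTS, "2024-03-01T10:25:00",
                                 known_hosts=("WS04",))
    for host, f in report.items():
        print(f"{host}: {f['status']} on {f['silent_channels']} (last seen {f['last_seen']})")
```

The partial/silent split is what makes the finding actionable: a partial outage points the analyst at the specific sensor (and at the process-creation and Registry events around its last report), whereas a fully silent host with no corresponding shutdown or reboot record points at the forwarder or the network path to the collector. The gap threshold must be set per channel from observed cadence; a quiet Sysmon channel on an idle host is normal for a few minutes, not for hours.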

DS0024 Windows Registry Windows Registry Key Modification

To detect changes to ETW autologger sessions, also monitor the Registry key that holds the configuration of each autologger session and of the providers enabled in it: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AUTOLOGGER_NAME\{PROVIDER_GUID}. Watch in particular the Start value of a session and the Enabled value of each provider subkey; setting either to 0 stops that telemetry at the next boot without any process or service being visibly stopped.
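The two Registry checks the page describes, the File value of an event log channel (the Security log example earlier on this page) and the Autologger session and provider keys just above, as added detection logic over constructed Sysmon Event ID 13 (value set) records. This is not code from the ATT&CK page or from Sysmon. Assumptions: Sysmon's field names (TargetObject, Details) and its rendering of DWORD data as `DWORD (0x...)`; the session names EventLog-Security, EventLog-Application and EventLog-System and the provider GUID {54849625-5478-4994-A5BA-3E3B0328C30D} (Microsoft-Windows-Security-Auditing) are used as illustrative targets, the all-zero GUID is a placeholder, and the rule names and severities are my own.

```python
import re

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records, not real telemetry.
SAMPLE_REGISTRY_EVENTS = [
    {"UtcTime": "2024-03-01 11:00:10", "Computer": "WS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\File",
     "Details": r"%SystemRoot%\Temp\sec.evtx"},                    # Security log redirected
    {"UtcTime": "2024-03-01 11:01:00", "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Security"
                     r"\{54849625-5478-4994-A5BA-3E3B0328C30D}\Enabled",
     "Details": "DWORD (0x00000000)"},                             # provider disabled
    {"UtcTime": "2024-03-01 11:02:30", "Computer": "WS02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\ControlSet001\Control\WMI\Autologger\EventLog-Application\Start",
     "Details": "DWORD (0x00000000)"},                             # whole session disabled
    {"UtcTime": "2024-03-01 11:03:00", "Computer": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Security"
                     r"\{54849625-5478-4994-A5BA-3E3B0328C30D}\EnableLevel",
     "Details": "DWORD (0x00000001)"},                             # provider filtered down
    {"UtcTime": "2024-03-01 11:04:00", "Computer": "WS03", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-System"
                     r"\{00000000-0000-0000-0000-000000000000}\Enabled",   # placeholder GUID
     "Details": "DWORD (0x00000001)"},                             # provider enabled: benign
    {"UtcTime": "2024-03-01 11:05:00", "Computer": "WS03", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\EventLog\Security\MaxSize",
     "Details": "DWORD (0x01400000)"},                             # not the File value: ignored
]

# Accept both the CurrentControlSet alias and a concrete ControlSet00N path.
_CS = r"HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\"
_EVENTLOG_FILE = re.compile(_CS + r"Services\\EventLog\\(?P<channel>[^\\]+)\\File$", re.I)
_AUTOLOGGER = re.compile(
    _CS + r"Control\\WMI\\Autologger\\(?P<session>[^\\]+)"
    r"(?:\\(?P<provider>\{[0-9a-f-]{36}\}))?\\(?P<value>[^\\]+)$", re.I)
_DWORD = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.I)
# Per-provider values that narrow what a session collects without disabling it outright.
_PROVIDER_FILTER_VALUES = {"enablelevel", "matchanykeyword", "matchallkeyword",
                           "enableproperty", "enableflags"}


def classify_registry_event(event):
    """Map one value-set event to a finding, or None if it is not indicator blocking."""
    target, details = event["TargetObject"], event.get("Details", "")
    m = _EVENTLOG_FILE.match(target)
    if m:   # any rewrite of a channel's .evtx path is suspicious, whatever the new path
        return {"rule": "eventlog-file-redirect", "severity": "high",
                "channel": m["channel"], "new_path": details}
    m = _AUTOLOGGER.match(target)
    if not m:
        return None
    value = m["value"].lower()
    d = _DWORD.search(details)
    number = int(d.group(1), 16) if d else None
    if m["provider"] and value == "enabled" and number == 0:
        return {"rule": "autologger-provider-disabled", "severity": "high",
                "session": m["session"], "provider": m["provider"]}
    if not m["provider"] and value == "start" and number == 0:
        return {"rule": "autologger-session-disabled", "severity": "high",
                "session": m["session"]}
    if m["provider"] and value in _PROVIDER_FILTER_VALUES:
        return {"rule": "autologger-provider-filter-changed", "severity": "medium",
                "session": m["session"], "provider": m["provider"],
                "value": m["value"], "data": details}
    return None


def scan_registry_events(events):
    """Apply the checks to a batch of events; keep who wrote the value for triage."""
    findings = []
    for e in events:
        f = classify_registry_event(e)
        if f:
            findings.append({"host": e["Computer"], "time": e["UtcTime"],
                             "image": e["Image"].rsplit("\\", 1)[-1].lower(), **f})
    return findings


if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_REGISTRY_EVENTS):
        print(f"{f['time']} {f['host']} [{f['severity']}] {f['rule']} by {f['image']}: "
              + ", ".join(f"{k}={v}" for k, v in f.items()
                          if k not in ("time", "host", "severity", "rule", "image")))
```

On the sample this yields four findings (the redirected Security log, a disabled Security-Auditing provider, a disabled EventLog-Application session and a narrowed EnableLevel) and ignores the enabled provider and the MaxSize change. Legitimate management tooling writes the same values, so the writing image and the user context are the tuning fields; a write from regedit.exe, reg.exe or an interactive PowerShell is far more interesting than one from an installer.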

References