Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.[1]
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
ID | Name | Description |
---|---|---|
G0059 | Magic Hound |
Magic Hound has disabled LSA protection on compromised hosts using |
S0603 | Stuxnet |
Stuxnet reduces the integrity level of objects to allow write actions.[3] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit |
Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. |
M1038 | Execution Prevention |
Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
M1022 | Restrict File and Directory Permissions |
Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
M1024 | Restrict Registry Permissions |
Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
M1054 | Software Configuration |
Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[4] |
M1018 | User Account Management |
Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0025 | Cloud Service | Cloud Service Disable |
Monitor logs for API calls to disable logging. In AWS, monitor for: |
Cloud Service Modification |
Monitor changes made to cloud services for unexpected modifications to settings and/or data. |
||
DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
DS0027 | Driver | Driver Load |
Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products. |
DS0022 | File | File Deletion |
Monitor for missing log files hosts and services with known active periods. |
File Modification |
Monitor changes made to configuration files that contain settings for logging and defensive tools. |
||
DS0018 | Firewall | Firewall Disable |
Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
Firewall Rule Modification |
Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
||
DS0009 | Process | OS API Execution |
Monitor for the abnormal execution of API functions associated with system logging. |
Process Creation |
Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
||
Process Modification |
Using another process or third-party tools, monitor for modifications or access to system processes associated with logging. |
||
Process Termination |
Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
||
DS0012 | Script | Script Execution |
Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
DS0013 | Sensor Health | Host Status |
Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious. |
DS0019 | Service | Service Metadata |
Monitor contextual data about a service/daemon, which may include information such as name, service executable, start type that that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
DS0002 | User Account | User Account Modification |
Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the |
DS0024 | Windows Registry | Windows Registry Key Deletion |
Monitor for unexpected deletion of windows registry keys that that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
Windows Registry Key Modification |
Monitor Registry edits for modifications to services and startup programs that correspond to security tools. |