Adversaries who successfully compromise a system may attempt to maintain persistence by "closing the door" behind them – in other words, by preventing other threat actors from initially accessing or maintaining a foothold on the same system.
For example, adversaries may patch a vulnerable, compromised system[1][2] to prevent other threat actors from leveraging that vulnerability in the future. They may "close the door" in other ways, such as disabling vulnerable services[3], stripping privileges from accounts[4], or removing other malware already on the compromised device.[5]
Hindering other threat actors may allow an adversary to maintain sole access to a compromised system or network. This prevents the threat actor from needing to compete with or even being removed themselves by other threat actors. It also reduces the "noise" in the environment, lowering the possibility of being caught and evicted by defenders. Finally, in the case of Resource Hijacking, leveraging a compromised device’s full power allows the threat actor to maximize profit.[3]
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments that may be used to modify the compromised system by, for example, self-patching[1] or disabling vulnerable services[3] in an attempt to limit subsequent exploitation of the system by additional unrelated threat actors. |
| DS0009 | Process | Process Termination |
Monitor for the termination of processes or disabling of vulnerable services[3] that may be an attempt to limit subsequent exploitation of the system by additional unrelated threat actors. |