Indicator Blocking

ID: T1054
Tactic: Defense Evasion
Platform: Windows
Data Sources: Sensor health and status, Process command-line parameters, Process monitoring
Defense Bypassed: Anti-virus, Log analysis, Host intrusion prevention systems

An adversary may attempt to block indicators or events from leaving the host machine. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process or creating a host-based firewall rule to block traffic to a specific server.

Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data.

Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or a connection to be blocked.
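The two detection ideas above (a sensor that goes quiet, and the host event that caused it) can be combined into one check. The following is an added example written for this page, not code from ATT&CK or any vendor sensor. It works over constructed sample data: a heartbeat feed from a host sensor and a process-creation feed carrying command lines. The sensor service name "SensorSvc", the host names and the timestamps are assumptions; the command patterns it keys on are the two means the page names, stopping a local process and adding a host-based firewall block rule.

```python
"""Correlate sensor reporting gaps with process command lines on the same host.

Added example: constructed data, assumed names (SensorSvc, WS01, WS02).
"""
import re
from datetime import datetime, timedelta

# Constructed sample: sensor check-ins as (host, ISO timestamp).
# WS01 stops reporting after 09:10; WS02 keeps reporting.
HEARTBEATS = [
    ("WS01", "2024-01-10T09:00:00"),
    ("WS01", "2024-01-10T09:05:00"),
    ("WS01", "2024-01-10T09:10:00"),
    ("WS02", "2024-01-10T09:00:00"),
    ("WS02", "2024-01-10T09:05:00"),
    ("WS02", "2024-01-10T09:10:00"),
    ("WS02", "2024-01-10T09:15:00"),
    ("WS02", "2024-01-10T09:20:00"),
]

# Constructed sample: process creation events as (host, ISO timestamp, command line).
PROCESS_EVENTS = [
    ("WS01", "2024-01-10T09:11:30",
     "netsh advfirewall firewall add rule name=upd dir=out action=block remoteip=203.0.113.10"),
    ("WS01", "2024-01-10T09:11:45", "sc stop SensorSvc"),
    ("WS02", "2024-01-10T09:12:00", "notepad.exe C:\\Users\\bob\\notes.txt"),
]

ANALYSIS_TIME = datetime.fromisoformat("2024-01-10T09:30:00")
EXPECTED_INTERVAL = timedelta(minutes=5)   # how often the sensor is expected to check in
MISSED_BEATS = 3                           # alert once this many check-ins are missing
SENSOR_NAMES = {"sensorsvc"}               # assumed placeholder for the sensor service/process

# Patterns for the blocking means the page describes: a host firewall block
# rule, or stopping a process/service (sc stop, net stop, taskkill /im).
FIREWALL_BLOCK_RE = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=block\b", re.I)
STOP_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*?/im)\s+(\S+)", re.I)


def _ts(value):
    return datetime.fromisoformat(value)


def find_reporting_gaps(heartbeats, now, interval=EXPECTED_INTERVAL, missed=MISSED_BEATS):
    """Return {host: last_seen} for hosts silent longer than missed * interval."""
    last_seen = {}
    for host, ts in heartbeats:
        t = _ts(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return {h: t for h, t in last_seen.items() if now - t > interval * missed}


def classify_command(cmdline):
    """Return a reason string if the command line matches a blocking pattern, else None."""
    if FIREWALL_BLOCK_RE.search(cmdline):
        return "host firewall block rule added"
    m = STOP_RE.search(cmdline)
    if m:
        target = re.sub(r"\.exe$", "", m.group(1), flags=re.I).lower()
        if target in SENSOR_NAMES:
            return f"sensor process/service stopped ({m.group(1)})"
    return None


def correlate(heartbeats, process_events, now, window=timedelta(minutes=10)):
    """For every silent host, gather suspicious command lines near its last check-in."""
    findings = []
    for host, last in find_reporting_gaps(heartbeats, now).items():
        evidence = []
        for h, ts, cmd in process_events:
            if h != host or not (last - window <= _ts(ts) <= last + window):
                continue
            reason = classify_command(cmd)
            if reason:
                evidence.append((ts, reason, cmd))
        findings.append({"host": host, "last_seen": last, "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in correlate(HEARTBEATS, PROCESS_EVENTS, ANALYSIS_TIME):
        print(f"{f['host']}: silent since {f['last_seen']:%H:%M}")
        for ts, reason, cmd in f["evidence"]:
            print(f"  {ts}  {reason}: {cmd}")
```

A silent host with no matching command line is still worth a ticket (the sensor may simply have crashed), but a silent host whose last minutes of process telemetry contain a firewall block rule or a stop of the sensor service is the pattern this technique leaves, and the correlation gives the analyst the triggering event the page says to look for.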