T1562: Impair Defenses
| View on MITRE ATT&CK | T1562 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Emotet shutdown)
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
People's Republic of China-Linked Cyber Actors Hide in Router Firmware
This Cybersecurity Advisory from CISA and partners details activities of the People's Republic of China (PRC)-linked cyber actors known as ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities
This blog post gives a detailed analysis of two critical vulnerabilities (CVE-2024-1708 and CVE-2024-1709) affecting ConnectWise ScreenConnect ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Software Configuration
Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.
How to detect this technique
MITRE ATT&CK Data Components
Firewall Rule Modification (Firewall)
Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
Host Status (Sensor Health)
Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)
Cloud Service Modification (Cloud Service)
Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)
Cloud Service Disable (Cloud Service)
Deactivation or stoppage of a cloud service (ex: AWS CloudTrail StopLogging)
Service Metadata (Service)
Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.
Firewall Disable (Firewall)
Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
Process Modification (Process)
Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8)
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
User Account Modification (User Account)
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
File Deletion (File)
Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)
Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. PowerShell, WMI, Windows EID 4104, etc.)
Windows Registry Key Deletion (Windows Registry)
Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Driver Load (Driver)
Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)
Process Termination (Process)
Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)
Windows Registry Key Modification (Windows Registry)
Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
OS API Execution (Process)
Operating system function/method calls executed by a process
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Potential Suspicious Activity Using SeCEdit
AWS SecurityHub Findings Evasion
Azure Kubernetes Events Deleted
ETW Logging Disabled In .NET Processes - Sysmon Registry
Hide Schedule Task Via Index Value Tamper
Google Cloud Firewall Modified or Deleted
Removal Of Index Value to Hide Schedule Task - Registry
Sysmon Driver Unloaded Via Fltmc.EXE
Sysmon Application Crashed
ETW Logging Disabled In .NET Processes - Registry
Filter Driver Unloaded Via Fltmc.EXE
ETW Logging Disabled For rpcrt4.dll
Windows Filtering Platform Blocked Connection From EDR Agent Binary
HackTool - EDRSilencer Execution
Terminate Linux Process Via Kill
Write Protect For Storage Disabled
HackTool - EDRSilencer Execution - Filter Added
ETW Logging Tamper In .NET Processes
Removal Of SD Value to Hide Schedule Task - Registry
Windows Firewall Disabled via PowerShell
Windows Defender Exclusions Added - PowerShell
ETW Logging Disabled For SCM
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.