T1562: Impair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
sap_suspicious_user_activity: PT-CR-240: SAPASABAP_GW_Audit_disabled: Gateway log is disabled
sap_suspicious_user_activity: PT-CR-247: SAPASABAP_GW_Security_audit_disabled: Gateway security logs are disabled
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0022 | File: File Deletion | Monitor for missing log files from hosts and services with known active periods. |
| DS0002 | User Account: User Account Modification | Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the |
| DS0009 | Process: Process Termination | Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0013 | Sensor Health: Host Status | Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may indicate malicious modification of components of a victim environment in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious. |
| DS0025 | Cloud Service: Cloud Service Modification | Monitor changes made to cloud services for unexpected modifications to settings and/or data. |
| DS0018 | Firewall: Firewall Rule Modification | Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0024 | Windows Registry: Windows Registry Key Deletion | Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0027 | Driver: Driver Load | Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools, as well as those that may be abused to disable security products. |
| DS0012 | Script: Script Execution | Any attempt to enable script execution on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
| DS0019 | Service: Service Metadata | Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0009 | Process: Process Modification | Using another process or third-party tools, monitor for modifications or access to system processes associated with logging. |
| DS0025 | Cloud Service: Cloud Service Disable | Monitor logs for API calls to disable logging. In AWS, monitor for: |
| DS0018 | Firewall: Firewall Disable | Monitor for changes in the status of the system firewall, such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
| DS0009 | Process: Process Creation | Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0009 | Process: OS API Execution | Monitor for the abnormal execution of API functions associated with system logging. |
| DS0024 | Windows Registry: Windows Registry Key Modification | Monitor Registry edits for modifications to services and startup programs that correspond to security tools. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0022 | File: File Modification | Monitor changes made to configuration files that contain settings for logging and defensive tools. |
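As an added illustration (not part of this page or of the MaxPatrol SIEM rule set), the Python script below applies three of the checks listed above to a constructed log export: Windows Security events 5025/5034 (firewall service or driver stopped), termination of watchlisted security processes reported by Sysmon EID 5 or Windows EID 4689, and hosts that should be reporting but produced no events at all. The JSON field names and the process watchlist are assumptions.

```python
import json
from collections import defaultdict

# Event IDs named on the page: Windows Security 5025/5034 (firewall service/driver
# stopped), Sysmon EID 5 and Windows EID 4689 (process termination).
FIREWALL_STOPPED = {("Security", 5025), ("Security", 5034)}
PROCESS_TERMINATED = {("Sysmon", 5), ("Security", 4689)}
# Assumed watchlist of security-tool executables; populate it from your own inventory.
SECURITY_TOOLS = {"msmpeng.exe", "sysmon64.exe", "edr_agent.exe"}

# Constructed sample export, one JSON event per line (field names are assumptions).
SAMPLE_LOG = r'''
{"host": "ws01", "src": "Security", "eid": 4689, "image": "C:\\Windows\\notepad.exe"}
{"host": "ws01", "src": "Security", "eid": 5034, "image": null}
{"host": "ws01", "src": "Sysmon", "eid": 5, "image": "C:\\Program Files\\EDR\\edr_agent.exe"}
{"host": "ws02", "src": "Security", "eid": 4689, "image": "C:\\Windows\\System32\\svchost.exe"}
'''.strip()


def detect(log_text, expected_hosts):
    """Return alerts for defense-impairment indicators found in a log export.

    expected_hosts: hosts that should be reporting during this window; a host with
    zero events is flagged (DS0013 Sensor Health: lack of log events is suspicious).
    """
    alerts = []
    seen = defaultdict(int)  # events per host, for the missing-telemetry check
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        seen[ev["host"]] += 1
        key = (ev["src"], ev["eid"])
        if key in FIREWALL_STOPPED:
            alerts.append({"host": ev["host"], "rule": "firewall_stopped", "eid": ev["eid"]})
        elif key in PROCESS_TERMINATED and ev.get("image"):
            # Compare only the executable name, case-insensitively, against the watchlist.
            exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in SECURITY_TOOLS:
                alerts.append({"host": ev["host"], "rule": "security_tool_terminated", "image": exe})
    for host in sorted(expected_hosts):
        if seen[host] == 0:
            alerts.append({"host": host, "rule": "no_log_events"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, {"ws01", "ws02", "ws03"}):
        print(alert)
```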
Mitigation
| ID | Name | Description |
|---|---|---|
| M1054 | Software Configuration | Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections. |
| M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1038 | Execution Prevention | Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
| M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. |