MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1562: Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

sap_suspicious_user_activity: PT-CR-240: SAPASABAP_GW_Audit_disabled: Gateway log is disabled
sap_suspicious_user_activity: PT-CR-247: SAPASABAP_GW_Security_audit_disabled: Gateway security logs are disabled

Detection

ID: DS0022
Data source and component: File: File Deletion
Description: Monitor for missing log files from hosts and services with known active periods.

ID: DS0002
Data source and component: User Account: User Account Modification
Description: Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.

ID: DS0009
Data source and component: Process: Process Termination
Description: Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

ID: DS0013
Data source and component: Sensor Health: Host Status
Description: Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious.

ID: DS0025
Data source and component: Cloud Service: Cloud Service Modification
Description: Monitor changes made to cloud services for unexpected modifications to settings and/or data.

ID: DS0018
Data source and component: Firewall: Firewall Rule Modification
Description: Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Deletion
Description: Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

ID: DS0027
Data source and component: Driver: Driver Load
Description: Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

ID: DS0012
Data source and component: Script: Script Execution
Description: Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

ID: DS0019
Data source and component: Service: Service Metadata
Description: Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

ID: DS0009
Data source and component: Process: Process Modification
Description: Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.

ID: DS0025
Data source and component: Cloud Service: Cloud Service Disable
Description: Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail. In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink. In Azure, monitor for az monitor diagnostic-settings delete. Additionally, a sudden loss of a log source may indicate that it has been disabled.
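The following is an added detection sketch, not MaxPatrol SIEM content or rule code, covering both signals in the passage above: the explicit API calls named for AWS, GCP and Azure, and the implicit "sudden loss of a log source". All records are constructed samples; the Azure entry assumes that the CLI command az monitor diagnostic-settings delete surfaces in the Activity Log as the operation Microsoft.Insights/diagnosticSettings/delete.

```python
from datetime import datetime, timedelta
# Operations named on the page that stop, delete or reroute logging. The Azure entry maps
# "az monitor diagnostic-settings delete" to the Activity Log operation it produces (assumption).
LOGGING_DISABLE_OPS = {"aws": {"StopLogging", "DeleteTrail"},
                       "gcp": {"google.logging.v2.ConfigServiceV2.UpdateSink"},
                       "azure": {"Microsoft.Insights/diagnosticSettings/delete"}}

# Constructed sample records (not real telemetry), each shaped like its provider's audit log.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "StopLogging", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "DescribeTrails", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"timestamp": "2024-05-01T10:10:00Z", "protoPayload": {
        "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink", "resourceName": "projects/demo/sinks/siem-export",
        "authenticationInfo": {"principalEmail": "svc@example.iam.gserviceaccount.com"}}},
    {"time": "2024-05-01T10:15:00Z", "operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "caller": "admin@example.com", "resourceId": "/subscriptions/demo-sub/resourceGroups/rg/diagnosticSettings/siem"},
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(rec):
    """Map one provider-specific record to (provider, time, operation, actor, target)."""
    if "eventName" in rec:        # AWS CloudTrail shape
        return ("aws", rec["eventTime"], rec["eventName"], rec["userIdentity"].get("arn", "?"),
                rec.get("requestParameters", {}).get("name", "?"))
    if "protoPayload" in rec:     # GCP Cloud Audit Log shape
        p = rec["protoPayload"]
        return ("gcp", rec["timestamp"], p["methodName"], p["authenticationInfo"]["principalEmail"],
                p.get("resourceName", "?"))
    if "operationName" in rec:    # Azure Activity Log shape
        return ("azure", rec["time"], rec["operationName"], rec.get("caller", "?"), rec.get("resourceId", "?"))
    raise ValueError("unrecognized audit record")

def detect_logging_disabled(records):
    """Explicit signal: alert on each API call that disables or reroutes logging."""
    alerts = []
    for provider, when, op, actor, target in map(normalize, records):
        if op in LOGGING_DISABLE_OPS[provider]:
            alerts.append({"provider": provider, "time": when, "operation": op, "actor": actor, "target": target})
    return alerts

def silent_sources(records, now, max_silence=timedelta(hours=1)):
    """Implicit signal: providers whose feed was active earlier but has been quiet longer than max_silence."""
    last_seen = {}
    for provider, when, *_ in map(normalize, records):
        last_seen[provider] = max(last_seen.get(provider, parse_ts(when)), parse_ts(when))
    return sorted(p for p, ts in last_seen.items() if parse_ts(now) - ts > max_silence)
```

In production the silence check should key on each individual trail, sink or diagnostic setting rather than on the provider as a whole, so that one surviving source does not mask the loss of another.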

ID: DS0018
Data source and component: Firewall: Firewall Disable
Description: Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).
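An added example (not MaxPatrol SIEM content or rule code) that serves both the Process Termination entry above (Sysmon EID 5, Windows EID 4689) and this Firewall Disable entry (events 5025 and 5034): it turns the named event IDs into alerts and raises severity when one host shows a security-tool process being terminated and the firewall being stopped within a short window. The events are constructed samples, and the list of security-tool executable names is an assumed watchlist.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Event IDs named on the page: Security 5025/5034 (firewall service/driver stopped),
# Security 4689 and Sysmon EID 5 (process termination). Field names follow the usual
# rendering of those events; the security-tool image list is a constructed assumption.
FIREWALL_STOP = {5025: "Windows firewall service stopped", 5034: "Windows firewall driver stopped"}
TERMINATION_IMAGE_FIELD = {("Security", 4689): "ProcessName", ("Microsoft-Windows-Sysmon/Operational", 5): "Image"}
SECURITY_TOOLS = {"sysmon64.exe", "msmpeng.exe", "edr_agent.exe"}

# Constructed sample events (not real telemetry), already parsed out of EVTX/XML.
SAMPLE_EVENTS = [
    {"host": "HOST-A", "time": "2024-05-01T09:00:00Z", "channel": "Security", "event_id": 4689,
     "data": {"ProcessName": "C:\\Windows\\sysmon64.exe", "SubjectUserName": "svc_backup"}},
    {"host": "HOST-A", "time": "2024-05-01T09:03:00Z", "channel": "Security", "event_id": 5025, "data": {}},
    {"host": "HOST-B", "time": "2024-05-01T09:10:00Z", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 5, "data": {"Image": "C:\\Windows\\System32\\notepad.exe"}},
    {"host": "HOST-B", "time": "2024-05-01T09:30:00Z", "channel": "Security", "event_id": 5034, "data": {}},
    {"host": "HOST-A", "time": "2024-05-01T09:40:00Z", "channel": "Security", "event_id": 4689,
     "data": {"ProcessName": "C:\\Windows\\System32\\cmd.exe", "SubjectUserName": "alice"}},
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def match_event(ev):
    """Return an alert for one event if it indicates impaired defenses, else None."""
    key = (ev["channel"], ev["event_id"])
    if ev["channel"] == "Security" and ev["event_id"] in FIREWALL_STOP:
        return {"host": ev["host"], "time": ev["time"], "kind": "firewall",
                "rule": FIREWALL_STOP[ev["event_id"]], "detail": ""}
    if key in TERMINATION_IMAGE_FIELD:
        image = ev["data"].get(TERMINATION_IMAGE_FIELD[key], "")
        if image.rsplit("\\", 1)[-1].lower() in SECURITY_TOOLS:
            return {"host": ev["host"], "time": ev["time"], "kind": "process",
                    "rule": "security tool process terminated", "detail": image}
    return None

def detect_impaired_defenses(events, window=timedelta(minutes=10)):
    """Per-event alerts; severity becomes 'high' when one host shows both kinds within `window`."""
    alerts = [a for a in map(match_event, events) if a]
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    for a in alerts:
        a["severity"] = "medium"
        for b in by_host[a["host"]]:
            if b["kind"] != a["kind"] and abs(parse_ts(a["time"]) - parse_ts(b["time"])) <= window:
                a["severity"] = "high"
    return alerts
```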

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for the abnormal execution of API functions associated with system logging.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description: Monitor Registry edits for modifications to services and startup programs that correspond to security tools.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

ID: DS0022
Data source and component: File: File Modification
Description: Monitor changes made to configuration files that contain settings for logging and defensive tools.

Mitigation

ID: M1054
Name: Software Configuration
Description: Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.

ID: M1018
Name: User Account Management
Description: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

ID: M1038
Name: Execution Prevention
Description: Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.

ID: M1022
Name: Restrict File and Directory Permissions
Description: Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

ID: M1024
Name: Restrict Registry Permissions
Description: Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

ID: M1047
Name: Audit
Description: Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.