T1562.006: Indicator Blocking
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering with the settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry, and are also accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
For example, adversaries may modify the File value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.
ETW interruption can be achieved in multiple ways, most directly by defining conditions with the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities and facilitate follow-on behaviors.
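Each of the blocking actions described above (redirecting the Security log's File value, tampering with an ETW provider, unloading a sensor's minifilter driver, adding a host firewall rule that drops telemetry, stopping a Linux log daemon) leaves its own trace in host telemetry. The following added example, which is not code from MITRE ATT&CK or from Positive Technologies, runs a set of defender-side heuristics over constructed records. The dict field names loosely mimic Sysmon (event_id 1 process creation, 13 registry value set, 16 configuration change) and auditd execve records; every host, path and value is made up, and the regexes are assumptions of this snippet rather than any product's rules.

```python
import re

# Constructed sample telemetry, not taken from the page. Field names loosely
# mimic Sysmon (event_id 1 = process create, 13 = registry value set,
# 16 = Sysmon configuration change) and auditd execve records.
# All hosts, paths and values are invented for the illustration.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "sysmon", "event_id": 13,
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\File",
     "details": r"C:\Windows\Temp\other.evtx"},
    {"host": "ws01", "source": "sysmon", "event_id": 1,
     "command_line": "fltmc.exe unload SysmonDrv"},
    {"host": "ws02", "source": "sysmon", "event_id": 1,
     # "..." stands in for whatever arguments were passed; only the cmdlet name matters here
     "command_line": 'powershell.exe -Command "Set-EtwTraceProvider ..."'},
    {"host": "ws02", "source": "sysmon", "event_id": 16,
     "configuration": r"C:\ProgramData\sysmon.xml"},
    {"host": "ws03", "source": "sysmon", "event_id": 1,
     "command_line": "netsh advfirewall firewall add rule name=x dir=out "
                     "action=block remoteip=10.0.0.5"},
    {"host": "lx01", "source": "auditd", "syscall": "execve",
     "command_line": "systemctl stop rsyslog"},
    # Benign look-alikes that must not fire:
    {"host": "ws04", "source": "sysmon", "event_id": 1,
     "command_line": "fltmc.exe filters"},            # only lists filters
    {"host": "ws05", "source": "sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Example\Setting", "details": "1"},
]

# Heuristic patterns (assumptions of this example, not exhaustive).
EVENTLOG_FILE_RE = re.compile(r"\\Services\\EventLog\\[^\\]+\\File$", re.IGNORECASE)
FLTMC_UNLOAD_RE = re.compile(r"\bfltmc(\.exe)?\b.*\bunload\b", re.IGNORECASE)
ETW_CMDLET_RE = re.compile(r"Set-EtwTraceProvider", re.IGNORECASE)
FW_BLOCK_RE = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=block\b", re.IGNORECASE)
LINUX_STOP_VERB_RE = re.compile(
    r"\b(systemctl\s+(stop|disable|mask)|service\s+\S+\s+stop|pkill|killall|kill)\b",
    re.IGNORECASE)
LINUX_LOGGER_RE = re.compile(r"\b(rsyslogd?|syslogd?|syslog-ng|auditd|nxlog)\b", re.IGNORECASE)


def cmd(event):
    return event.get("command_line", "")


# (rule name, predicate over a single event)
RULES = [
    ("eventlog_file_redirect",
     lambda e: e.get("event_id") == 13 and bool(EVENTLOG_FILE_RE.search(e.get("target_object", "")))),
    ("minifilter_unload", lambda e: bool(FLTMC_UNLOAD_RE.search(cmd(e)))),
    ("etw_provider_tamper", lambda e: bool(ETW_CMDLET_RE.search(cmd(e)))),
    ("sysmon_config_change", lambda e: e.get("source") == "sysmon" and e.get("event_id") == 16),
    ("host_firewall_block_rule", lambda e: bool(FW_BLOCK_RE.search(cmd(e)))),
    ("linux_logger_stopped",
     lambda e: e.get("source") == "auditd"
     and bool(LINUX_STOP_VERB_RE.search(cmd(e))) and bool(LINUX_LOGGER_RE.search(cmd(e)))),
]


def detect(events):
    """Return a (host, rule_name) pair for every event that matches a rule."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((event["host"], name))
    return hits


def findings_per_host(hits):
    """Group hits by host, hosts with the most distinct signals first, for triage."""
    per_host = {}
    for host, rule in hits:
        per_host.setdefault(host, []).append(rule)
    return dict(sorted(per_host.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for host, rules in findings_per_host(detect(SAMPLE_EVENTS)).items():
        print(host, rules)
```

All of these are heuristics that also fire on legitimate administration (a SOC engineer unloading a driver during an upgrade, a Sysmon configuration push), so in practice they are enriched with the acting user, parent process and change-management context before alerting, and a host that shows two or more of them at once is the one to look at first.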
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
oracle_database: PT-CR-276: Oracle_Audit_Disable_via_drop_policy: Audit trail is disabled in Oracle DBMS due to a deleted policy
oracle_database: PT-CR-277: Oracle_Audit_Disable_via_noaudit: Audit trail is disabled in Oracle DBMS due to an executed NOAUDIT command
oracle_database: PT-CR-274: Oracle_Audit_Disable_for_sysdba: Audit trail for users with the SYSDBA privilege is disabled in Oracle DBMS
oracle_database: PT-CR-273: Oracle_Audit_Disable: Audit trail is disabled in Oracle DBMS
oracle_database: PT-CR-275: Oracle_Audit_Disable_via_disable_policy: Audit trail is disabled in Oracle DBMS due to a disabled policy
mitre_attck_defense_evasion: PT-CR-522: Audit_XP_Params_Change: Audit policy parameters are changed
mitre_attck_defense_evasion: PT-CR-1368: Disable_Sysmon: Sysmon was updated or disabled
mitre_attck_defense_evasion: PT-CR-458: Sysmon_Driver_Unload: A user unloaded the Sysmon driver
mitre_attck_defense_evasion: PT-CR-2489: SysmonQuiet_Usage: The Sysmon process has been accessed, which may indicate that the SysmonQuiet module is active. SysmonQuiet is an aggressor script for Cobalt Strike (requires the SeDebugPrivilege privilege). SysmonQuiet uses reflective DLL loading to automatically locate the Sysmon process and patch its EtwEventWrite API, causing Sysmon to malfunction while the process and its threads are still running.
microsoft_sharepoint: PT-CR-2114: Sharepoint_Part_Logging_Exclude: A user disabled a SharePoint logging part
unix_mitre_attck_defense_evasion: PT-CR-1660: Unix_Disable_Syslog: An audit daemon on a host was disabled. This could be done by attackers to hide their activity.
unix_mitre_attck_defense_evasion: PT-CR-440: Unix_Log_Config_Modify: Audit daemon configuration file change
sap_suspicious_user_activity: PT-CR-240: SAPASABAP_GW_Audit_Disabled: Gateway log is disabled
sap_suspicious_user_activity: PT-CR-247: SAPASABAP_GW_Security_Audit_Disabled: Gateway security logs are disabled
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.
DS0013 | Sensor Health: Host Status | Detect lack of reported activity from a host sensor. Different methods of blocking may cause different disruptions in reporting. Systems may suddenly stop reporting all data or only certain kinds of data. Depending on the types of host information collected, an analyst may be able to detect the event that triggered a process to stop or a connection to be blocked. For example, Sysmon will log when its configuration state has changed (Event ID 16), and Windows Management Instrumentation (WMI) may be used to subscribe to ETW providers that log any provider removal from a specific trace session.
DS0024 | Windows Registry: Windows Registry Key Modification | To detect changes in ETW you can also monitor the registry key which contains configurations for all ETW event providers:
DS0009 | Process: Process Creation | Monitor for executed processes that may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. Analytic 1 - Indicator Blocking - Driver Unloaded
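The Sensor Health row above makes a distinction worth operationalizing: a host that stops reporting everything looks like an outage, while a host that keeps sending some channels but goes quiet on one points at that sensor being blocked. The following added example, which is not code from the ATT&CK page or from MaxPatrol SIEM, shows that check over constructed per-channel last-seen records; the hosts, channel names and timestamps are made up, and the 30-minute threshold is an assumption that would be tuned per environment.

```python
from datetime import datetime, timedelta

# Constructed last-seen records, not from the page: (host, telemetry channel,
# ISO-8601 timestamp of the most recent event received from that channel).
# Hosts, channels and times are invented for the illustration.
SAMPLE_HEARTBEATS = [
    ("ws01", "sysmon",     "2024-05-01T10:00:00"),
    ("ws01", "sysmon",     "2024-05-01T09:30:00"),   # older record, superseded below
    ("ws01", "security",   "2024-05-01T10:58:00"),
    ("ws01", "powershell", "2024-05-01T10:59:00"),
    ("ws02", "sysmon",     "2024-05-01T09:10:00"),
    ("ws02", "security",   "2024-05-01T09:12:00"),
    ("ws02", "powershell", "2024-05-01T09:11:00"),
    ("ws03", "sysmon",     "2024-05-01T10:57:00"),
    ("ws03", "security",   "2024-05-01T10:59:00"),
    ("ws03", "powershell", "2024-05-01T10:58:00"),
]

ALL_SILENT = "all_channels_silent"


def latest_by_host_and_channel(heartbeats):
    """Collapse the records to the newest timestamp per (host, channel)."""
    latest = {}
    for host, channel, ts in heartbeats:
        t = datetime.fromisoformat(ts)
        if t > latest.setdefault(host, {}).get(channel, datetime.min):
            latest[host][channel] = t
    return latest


def classify_silence(heartbeats, now_iso, max_gap_minutes):
    """Classify each host whose telemetry has gone stale.

    Returns {host: ALL_SILENT} when every channel is older than the gap (host
    likely offline or fully cut off) and {host: [channels]} when only some
    channels are stale (a specific sensor or log source is being blocked).
    Hosts with all channels fresh are omitted.
    """
    now = datetime.fromisoformat(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    findings = {}
    for host, channels in latest_by_host_and_channel(heartbeats).items():
        stale = sorted(c for c, t in channels.items() if now - t > max_gap)
        if not stale:
            continue
        findings[host] = ALL_SILENT if len(stale) == len(channels) else stale
    return findings


if __name__ == "__main__":
    for host, what in classify_silence(SAMPLE_HEARTBEATS, "2024-05-01T11:00:00", 30).items():
        print(host, what)
```

On the sample data ws02 is silent on every channel and is handed to asset or network monitoring to rule out a plain outage, while ws01 still delivers Security and PowerShell events but nothing from Sysmon, which is the pattern to correlate with a driver unload or configuration change on that host around 10:00.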
Mitigation
ID | Name | Description
---|---|---
M1022 | Restrict File and Directory Permissions | Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.
M1054 | Software Configuration | Consider automatically relaunching forwarding mechanisms at recurring intervals (e.g., time-based, on logon) as well as applying appropriate change management to firewall rules and other related system configurations.
M1018 | User Account Management | Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts.