T1562 Impair Defenses
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out of a computer or stopping it from being shut down. These restrictions can further enable malicious operations as well as the continued propagation of incidents.[1]
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
Item | Value |
---|---|
ID | T1562 |
Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011 |
Tactics | TA0005 |
Platforms | Containers, IaaS, Linux, Network, Office 365, Windows, macOS |
Version | 1.4 |
Created | 21 February 2020 |
Last Modified | 15 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0059 | Magic Hound | Magic Hound has disabled LSA protection on compromised hosts using `reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f`.[3] |
S0603 | Stuxnet | Stuxnet reduces the integrity level of objects to allow write actions.[2] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings. |
M1038 | Execution Prevention | Use application control where appropriate, especially regarding the execution of tools outside of the organization’s security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems. |
M1022 | Restrict File and Directory Permissions | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
M1024 | Restrict Registry Permissions | Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
M1018 | User Account Management | Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0025 | Cloud Service | Cloud Service Disable |
DS0017 | Command | Command Execution |
DS0027 | Driver | Driver Load |
DS0018 | Firewall | Firewall Disable |
DS0009 | Process | Process Creation |
DS0012 | Script | Script Execution |
DS0013 | Sensor Health | Host Status |
DS0019 | Service | Service Metadata |
DS0002 | User Account | User Account Modification |
DS0024 | Windows Registry | Windows Registry Key Deletion |
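Detection logic for the registry change shown in the Magic Hound procedure example, run over Process Creation / Command Execution records of the kind the Detection table lists. This is an added example and not part of the ATT&CK entry; the sample events and the finding strings are constructed, and a REG_DWORD written without `/d` is assumed to be stored as 0.

```python
import re

# Constructed sample Process Creation / Command Execution records (not real
# telemetry): one command line per event, as an EDR or Sysmon feed would show.
SAMPLE_EVENTS = [
    {"id": 1, "cmd": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f'},
    {"id": 2, "cmd": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 0x0 /f'},
    {"id": 3, "cmd": r'reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 1 /f'},
    {"id": 4, "cmd": r'reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f'},
    {"id": 5, "cmd": r'reg query HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL'},
    {"id": 6, "cmd": r'C:\Windows\System32\REG.EXE ADD HKLM\System\CurrentControlSet\Control\Lsa /V runasppl /T REG_DWORD /D 0 /F'},
]

LSA_KEY = re.compile(r"(?i)^(HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\CurrentControlSet\\Control\\Lsa$")
REG_EXE = re.compile(r"(?i)^(.*\\)?reg(\.exe)?$")


def classify(cmd):
    """Return a finding string if the command line weakens LSA protection, else None."""
    # Split on whitespace but keep quoted paths together, then drop the quotes.
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    if len(toks) < 3 or not REG_EXE.match(toks[0]) or not LSA_KEY.match(toks[2]):
        return None
    verb = toks[1].lower()
    # reg.exe switches are case-insensitive; collect /v and /d with their arguments.
    opts, i = {}, 3
    while i < len(toks):
        if toks[i].lower() in ("/v", "/d") and i + 1 < len(toks):
            opts[toks[i].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("/v", "").lower() != "runasppl":
        return None
    if verb == "delete":
        return "RunAsPPL deleted: LSA protection off after next reboot"
    if verb == "add":
        # reg add accepts decimal or 0x-prefixed hex; no /d is assumed to store 0.
        raw = opts.get("/d", "0").lower()
        try:
            value = int(raw, 16) if raw.startswith("0x") else int(raw, 10)
        except ValueError:
            return None
        if value == 0:
            return "RunAsPPL set to 0: LSA protection disabled after next reboot"
    return None


def scan(events):
    """Return (event id, finding) pairs for every event that matches."""
    return [(e["id"], f) for e in events if (f := classify(e["cmd"])) is not None]
```

Pair this with the Windows Registry data source: a Sysmon Event ID 13 on the same value, or a periodic read of `RunAsPPL`, catches changes made without `reg.exe`.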
References
1. The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
2. Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
3. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
4. Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.
5. Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.
6. Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.
7. Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.