T1562.006 Indicator Blocking
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting [3] or even disabling host-based sensors, such as Event Tracing for Windows (ETW) [4], by tampering with the settings that control the collection and flow of event telemetry. [5] These settings may be stored on the system in configuration files and/or in the Registry, and may also be accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
For example, adversaries may modify the File value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately. [1]
ETW interruption can be achieved in multiple ways, most directly by defining conditions with the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities and facilitate follow-on behaviors. [2]
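The registry and command-line tampering described above maps onto the Windows Registry Key Modification and Command Execution data sources listed for this technique. The following is an added example, not part of the ATT&CK page, of detection logic a defender could run over endpoint telemetry: it flags a change to any EventLog channel's File value (generalising the Security example above to every channel), a CrashDumpEnabled value set to 0, and command lines that invoke Set-EtwTraceProvider. The event records are constructed to resemble Sysmon value-set and process-creation events, reduced to the fields the rules read; the exact field names (TargetObject, Details, Image, CommandLine) are an assumption and should be checked against the sensor actually deployed.

```python
"""Detection logic for the telemetry tampering described on this page (T1562.006).

Added example, not part of the ATT&CK page. The records in SAMPLE_EVENTS
are constructed to resemble Sysmon "Value Set" and process-creation
events, reduced to the fields these rules read.
"""
import re

# Any EventLog channel's "File" value, not only Security (generalises the page's example).
EVENTLOG_FILE_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\EventLog\\[^\\]+\\File$",
    re.IGNORECASE,
)
# CrashDumpEnabled under CrashControl, the value the page says HermeticWiper sets to 0.
CRASHDUMP_RE = re.compile(
    r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\CrashControl\\CrashDumpEnabled$",
    re.IGNORECASE,
)
# The cmdlet the page names for ETW provider reconfiguration.
ETW_CMDLET_RE = re.compile(r"\bSet-EtwTraceProvider\b", re.IGNORECASE)


def dword_is_zero(details):
    """Parse a Sysmon-style 'DWORD (0x00000000)' string or a bare decimal string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16) == 0
    return details.strip() == "0"


def check_registry_event(event):
    """Return a finding string for a suspicious value-set event, else None."""
    target = event.get("TargetObject", "")
    details = str(event.get("Details", ""))
    image = event.get("Image", "<unknown>")
    if EVENTLOG_FILE_RE.search(target):
        return f"EventLog File value redirected to {details!r} by {image}"
    if CRASHDUMP_RE.search(target) and dword_is_zero(details):
        return f"CrashDumpEnabled set to 0 by {image}"
    return None


def check_command_event(event):
    """Return a finding string if a command line reconfigures ETW providers, else None."""
    cmd = event.get("CommandLine", "")
    if ETW_CMDLET_RE.search(cmd):
        return f"ETW provider reconfigured from the command line: {cmd}"
    return None


def scan(events):
    """Apply the rule matching each event type; return (host, finding) pairs."""
    findings = []
    for ev in events:
        if ev.get("EventType") == "SetValue":
            finding = check_registry_event(ev)
        elif ev.get("EventType") == "ProcessCreate":
            finding = check_command_event(ev)
        else:
            finding = None
        if finding:
            findings.append((ev.get("Host", "<unknown>"), finding))
    return findings


# Constructed sample telemetry: three tampering events followed by two benign ones.
SAMPLE_EVENTS = [
    {"Host": "WS-01", "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\File",
     "Details": r"C:\Windows\Temp\sec.evtx"},
    {"Host": "WS-02", "EventType": "SetValue", "Image": r"C:\Users\Public\w.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},
    {"Host": "WS-03", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # cmdlet arguments deliberately omitted in this constructed record
     "CommandLine": 'powershell.exe -Command "Set-EtwTraceProvider ..."'},
    {"Host": "WS-01", "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize",
     "Details": "DWORD (0x01400000)"},
    {"Host": "WS-02", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The File-value rule is deliberately wider than the page's Security example because a redirected Application or System channel hides just as much; the MaxSize change in the benign sample shows that other values under the same key are not flagged. Matching on ControlSet00N as well as CurrentControlSet catches edits made to the numbered control set that CurrentControlSet links to.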
Item | Value |
---|---|
ID | T1562.006 |
Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011 |
Tactics | TA0005 |
Platforms | Linux, Windows, macOS |
Version | 1.2 |
Created | 19 March 2020 |
Last Modified | 12 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S1063 | Brute Ratel C4 | Brute Ratel C4 has the ability to hide memory artifacts and to patch Event Tracing for Windows (ETW) and the Anti Malware Scan Interface (AMSI). [7][8] |
S0377 | Ebury | Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility. [14] |
S0697 | HermeticWiper | HermeticWiper has the ability to set the HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled Registry key to 0 in order to disable crash dumps. [9][10][11] |
S0579 | Waterbear | Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection. [13] |
S1065 | Woody RAT | Woody RAT has suppressed all error reporting by calling SetErrorMode with 0x8007 as a parameter. [12] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions | Ensure event tracers/forwarders [6], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. |
M1054 | Software Configuration | Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations. |
M1018 | User Account Management | Ensure event tracers/forwarders [6], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls and cannot be manipulated by user accounts. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0013 | Sensor Health | Host Status |
DS0024 | Windows Registry | Windows Registry Key Modification |
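The Sensor Health / Host Status data component covers the case where the tampering leaves no registry or command trace at all: the forwarding process is stopped, or a host firewall rule silently drops traffic to the SIEM, and the only signal is telemetry that stops arriving. As an added example, not part of the ATT&CK page, the Python below compares an asset inventory against the records actually received and reports hosts that have gone quiet past a threshold, plus hosts that still report but at a small fraction of their per-host hourly baseline. The inventory, baselines, reference time and records are all constructed.

```python
"""Sensor-health check for the Host Status data component (T1562.006).

Added example, not part of the ATT&CK page. Flags inventory hosts whose
telemetry has stopped arriving, and hosts whose event volume has collapsed
against a per-host baseline. All inputs below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as '2024-01-01T12:00:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_seen_by_host(records):
    """Map each host to the timestamp of its most recent record."""
    seen = {}
    for rec in records:
        ts = parse_ts(rec["ts"])
        if rec["host"] not in seen or ts > seen[rec["host"]]:
            seen[rec["host"]] = ts
    return seen


def silent_hosts(records, inventory, now, max_gap=timedelta(minutes=15)):
    """Inventory hosts that have been quiet longer than max_gap.

    Returns {host: gap}; gap is None for a host that has never reported,
    which is the case for a forwarder that was stopped before first contact.
    """
    seen = last_seen_by_host(records)
    result = {}
    for host in inventory:
        last = seen.get(host)
        gap = None if last is None else now - last
        if gap is None or gap > max_gap:
            result[host] = gap
    return result


def volume_drops(records, baseline_per_hour, now, window=timedelta(hours=1), ratio=0.1):
    """Hosts still reporting, but at under `ratio` of their hourly baseline.

    A forwarder whose heartbeat survives while a log channel is redirected
    shows up here rather than in silent_hosts(). Hosts with zero events in
    the window are left to silent_hosts().
    """
    start = now - window
    counts = Counter(rec["host"] for rec in records if start <= parse_ts(rec["ts"]) <= now)
    drops = {}
    for host, baseline in baseline_per_hour.items():
        observed = counts.get(host, 0)
        if observed and observed < baseline * ratio:
            drops[host] = (observed, baseline)
    return drops


# Constructed reference time, asset inventory and per-host baselines.
NOW = parse_ts("2024-01-01T12:00:00Z")
INVENTORY = ["WS-01", "WS-02", "WS-03", "WS-04"]
BASELINE_PER_HOUR = {h: 120 for h in INVENTORY}


def _events(host, minutes_ago):
    """Build constructed records for `host`, one per entry in minutes_ago."""
    return [{"host": host, "ts": (NOW - timedelta(minutes=m)).isoformat().replace("+00:00", "Z")}
            for m in minutes_ago]


RECORDS = (
    _events("WS-01", range(0, 60))      # healthy: one event per minute
    + _events("WS-02", range(40, 60))   # reported normally, then stopped 40 minutes ago
    # WS-03 never reports at all
    + _events("WS-04", [2, 20, 50])     # still alive, but volume collapsed
)

if __name__ == "__main__":
    for host, gap in silent_hosts(RECORDS, INVENTORY, NOW).items():
        print(f"{host}: silent for {gap if gap is not None else 'ever'}")
    for host, (seen, base) in volume_drops(RECORDS, BASELINE_PER_HOUR, NOW).items():
        print(f"{host}: {seen} events in the last hour against a baseline of {base}")
```

Driving the check from an inventory rather than from the telemetry itself is the important design choice: a host that never appears in the SIEM cannot be noticed by querying the SIEM alone. The volume check complements it for the partial-blocking cases on this page, where a forwarder keeps running but one channel has been redirected or most of its traffic is dropped.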
References
1. Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.
2. Manoj Ahuje. (2022, April 21). LemonDuck Targets Docker for Cryptomining Operations. Retrieved June 30, 2022.
3. Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.
4. Microsoft. (2018, May 30). About Event Tracing. Retrieved June 7, 2019.
5. Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved June 7, 2019.
6. Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018.
7. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
8. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
9. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
10. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
11. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
12. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
13. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
14. Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.