Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
resourcemanager | ResourceManager | technique_scores | T1562 | Impair Defenses | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. GCP allows configuration of account policies to enable logging, and IAM permissions and roles determine who can access audit log data in Google Cloud resources.
identityplatform | IdentityPlatform | technique_scores | T1562 | Impair Defenses | Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to users and tokens through these APIs, Identity Platform uses IAM to manage permission to specific Identity Platform APIs. This control ensures proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
security_command_center | Security Command Center | technique_scores | T1562 | Impair Defenses | SCC ingests VPC audit logs to detect changes that would weaken the security posture. This security solution protects against network modifications used to reduce the security perimeter, disable logs, and evade the cyber defenses of a target environment. Because it operates in near real time, this control was graded as significant.
policy_intelligence | Policy Intelligence | technique_scores | T1562 | Impair Defenses | Adversaries that disable cloud logging capabilities limit the amount of data that can be collected on their activity and may avoid detection. This control may be used to ensure that permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
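The Security Command Center and ResourceManager notes above both rest on the same detection idea: configuration changes that disable or redirect cloud logging (T1562.008, Disable Cloud Logs) are themselves recorded in Cloud Audit Logs. The following is an added example, not code from MITRE or Google, that runs that check over constructed audit-log entries; the `methodName` watchlist follows the `google.logging.v2.ConfigServiceV2` naming used in Cloud Audit Logs and is an assumption to validate against your own logs, and all principals and resource names are made up.

```python
import json

# Logging-configuration methods whose use reduces what Cloud Logging collects
# (T1562.008). Names follow the google.logging.v2.ConfigServiceV2 methodName
# values recorded in Cloud Audit Logs; the list is an assumption to validate
# against your own environment's audit logs.
LOG_TAMPER_METHODS = {
    "google.logging.v2.ConfigServiceV2.DeleteSink": "log sink deleted",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "log sink modified",
    "google.logging.v2.ConfigServiceV2.CreateExclusion": "log exclusion added",
    "google.logging.v2.ConfigServiceV2.UpdateExclusion": "log exclusion modified",
    "google.logging.v2.ConfigServiceV2.DeleteBucket": "log bucket deleted",
}


def parse_entries(jsonl):
    """Parse newline-delimited Cloud Audit Log entries (LogEntry JSON)."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def detect_log_tampering(entries):
    """Return one finding per entry that changes Cloud Logging configuration."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "logging.googleapis.com":
            continue
        method = payload.get("methodName", "")
        if method not in LOG_TAMPER_METHODS:
            continue  # read-only calls such as ListSinks are expected traffic
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
            "action": LOG_TAMPER_METHODS[method],
            "technique": "T1562.008",
        })
    return findings


# Constructed sample entries (not real logs): a sink deletion, an exclusion
# creation, and a benign ListSinks call that must not produce a finding.
SAMPLE_AUDIT_LOG = """
{"timestamp":"2024-01-01T10:00:00Z","protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.ConfigServiceV2.DeleteSink","resourceName":"projects/example-project/sinks/siem-export","authenticationInfo":{"principalEmail":"svc-deploy@example-project.iam.gserviceaccount.com"}}}
{"timestamp":"2024-01-01T10:00:05Z","protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.ConfigServiceV2.CreateExclusion","resourceName":"projects/example-project/exclusions/drop-iam","authenticationInfo":{"principalEmail":"svc-deploy@example-project.iam.gserviceaccount.com"}}}
{"timestamp":"2024-01-01T10:01:00Z","protoPayload":{"serviceName":"logging.googleapis.com","methodName":"google.logging.v2.ConfigServiceV2.ListSinks","resourceName":"projects/example-project","authenticationInfo":{"principalEmail":"auditor@example.com"}}}
"""

if __name__ == "__main__":
    for f in detect_log_tampering(parse_entries(SAMPLE_AUDIT_LOG)):
        print(f"{f['timestamp']} {f['principal']} {f['action']} on {f['resource']}")
```

In practice the same logic runs as a log-based alert or SCC custom finding on the `logging.googleapis.com` audit stream, so that the sink removal is seen before the gap in downstream collection is.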
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1562.008 | Disable Cloud Logs | 4 |
T1562.002 | Disable Windows Event Logging | 1 |
T1562.007 | Disable or Modify Cloud Firewall | 3 |
T1562.004 | Disable or Modify System Firewall | 1 |
T1562.001 | Disable or Modify Tools | 1 |