Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves impairing not only preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. It may span both native defenses and supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1562 | Impair Defenses | |
AC-3 | Access Enforcement | Protects | T1562 | Impair Defenses | |
AC-5 | Separation of Duties | Protects | T1562 | Impair Defenses | |
AC-6 | Least Privilege | Protects | T1562 | Impair Defenses | |
CA-7 | Continuous Monitoring | Protects | T1562 | Impair Defenses | |
CA-8 | Penetration Testing | Protects | T1562 | Impair Defenses | |
CM-2 | Baseline Configuration | Protects | T1562 | Impair Defenses | |
CM-5 | Access Restrictions for Change | Protects | T1562 | Impair Defenses | |
CM-6 | Configuration Settings | Protects | T1562 | Impair Defenses | |
CM-7 | Least Functionality | Protects | T1562 | Impair Defenses | |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1562.009 | Safe Mode Boot | 13 |
T1562.002 | Disable Windows Event Logging | 15 |
T1562.004 | Disable or Modify System Firewall | 15 |
T1562.006 | Indicator Blocking | 18 |
T1562.007 | Disable or Modify Cloud Firewall | 8 |
T1562.010 | Downgrade Attack | 4 |
T1562.003 | Impair Command History Logging | 6 |
T1562.001 | Disable or Modify Tools | 15 |
T1562.008 | Disable Cloud Logs | 8 |