Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1562 | Impair Defenses |
| amazon_inspector | Amazon Inspector | technique_scores | T1562 | Impair Defenses |
| aws_config | AWS Config | technique_scores | T1562 | Impair Defenses |
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses |
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses |
| aws_security_hub | AWS Security Hub | technique_scores | T1562 | Impair Defenses |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1562.004 | Disable or Modify System Firewall | 1 |
| T1562.006 | Indicator Blocking | 2 |
| T1562.007 | Disable or Modify Cloud Firewall | 2 |
| T1562.003 | Impair Command History Logging | 1 |
| T1562.001 | Disable or Modify Tools | 4 |
| T1562.008 | Disable or Modify Cloud Logs | 5 |