T1562 Impair Defenses Mappings

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)


GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

identity_platform | Identity Platform | technique_scores | T1562 | Impair Defenses
  Comments: Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to your users and tokens through these APIs, Identity Platform uses IAM to manage permission to specific Identity Platform APIs. This control ensures proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

policy_intelligence | Policy Intelligence | technique_scores | T1562 | Impair Defenses
  Comments: An adversary who disables cloud logging limits the amount of data that can be collected about their activity and may thereby avoid detection. This control may be used to ensure that permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

resource_manager | Resource Manager | technique_scores | T1562 | Impair Defenses
  Comments: An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. GCP allows configuration of account policies to enable logging, and of IAM permissions and roles that determine who can access audit log data in Google Cloud resources.

security_command_center | Security Command Center | technique_scores | T1562 | Impair Defenses
  Comments: SCC ingests VPC audit logs to detect changes that would alter the security posture. This security solution protects against network modifications that are used to reduce the security perimeter, disable logs, and evade the cyber defenses of a target environment. Because detection is near real-time, this control was graded as Significant.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

amazon_guardduty | Amazon GuardDuty | technique_scores | T1562 | Impair Defenses
  Comments: GuardDuty flags the finding type DefenseEvasion:IAMUser/AnomalousBehavior as a defense evasion technique. It looks for API calls that delete, disable, or stop operations, such as DeleteFlowLogs, DisableAlarmActions, or StopLogging. The following finding types are examples:
    Stealth:IAMUser/CloudTrailLoggingDisabled
    Stealth:IAMUser/PasswordPolicyChange
    Stealth:S3/ServerAccessLoggingDisabled

amazon_inspector | Amazon Inspector | technique_scores | T1562 | Impair Defenses
  Comments: The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Because of these limitations, and because the security control is only supported on Linux platforms, the score is Minimal.

aws_config | AWS Config | technique_scores | T1562 | Impair Defenses
  Comments: This control provides significant coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. Relevant check: "Detect the use of insecure network services and protocols with known security weaknesses".

aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses

aws_security_hub | AWS Security Hub | technique_scores | T1562 | Impair Defenses
  Comments: AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help detect changes to key AWS services. AWS Security Hub provides these detections with the following checks:
    3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
    3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
    3.10 Ensure a log metric filter and alarm exist for security group changes
    3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
    3.12 Ensure a log metric filter and alarm exist for changes to network gateways
    3.13 Ensure a log metric filter and alarm exist for route table changes
    3.14 Ensure a log metric filter and alarm exist for VPC changes
  This is scored as Partial because it only supports a subset of the sub-techniques (3 of 8).
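The GuardDuty and Security Hub comments above both come down to watching CloudTrail for API calls that stop or delete logging and alerting. The following added example (not part of the mappings project or of either AWS service) scans a CloudTrail log file for those calls, keeping denied attempts as a separate signal; the watchlist grouping, the extra trail-lifecycle calls (DeleteTrail, UpdateTrail) and all sample records are assumptions constructed for the example.

```python
import json

# Watchlist of API calls that stop, delete or disable logging/alerting, keyed by
# eventName with the eventSource each belongs to. StopLogging, DeleteFlowLogs and
# DisableAlarmActions come from the GuardDuty comment; the rest and the
# category labels are this example's own additions (assumption).
WATCHLIST = {
    "StopLogging": ("cloudtrail.amazonaws.com", "logging"),
    "DeleteTrail": ("cloudtrail.amazonaws.com", "logging"),
    "UpdateTrail": ("cloudtrail.amazonaws.com", "logging"),
    "DeleteFlowLogs": ("ec2.amazonaws.com", "logging"),
    "DisableAlarmActions": ("monitoring.amazonaws.com", "alerting"),
}

def find_impair_defense_events(log_file_text: str) -> list:
    """Scan one CloudTrail log file ({"Records": [...]}) and return a summary per
    watchlisted call. Denied attempts (errorCode present) are kept and flagged,
    because a refused StopLogging is still worth an alert."""
    hits = []
    for rec in json.loads(log_file_text).get("Records", []):
        name = rec.get("eventName")
        if name not in WATCHLIST:
            continue
        source, category = WATCHLIST[name]
        if rec.get("eventSource") != source:
            continue  # same verb name on an unrelated service
        hits.append({
            "eventTime": rec.get("eventTime"),
            "eventName": name,
            "category": category,
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "succeeded": "errorCode" not in rec,
        })
    return hits

# Constructed sample log (account id, ARN and IP are placeholders): a benign
# read, a successful StopLogging, and a DeleteFlowLogs that IAM denied.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs", "sourceIPAddress": "203.0.113.5",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]})
```

Running find_impair_defense_events(SAMPLE_LOG) returns the StopLogging hit marked succeeded and the DeleteFlowLogs hit marked not succeeded; the DescribeInstances read is ignored.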

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1562.002 | Disable Windows Event Logging | 3
T1562.004 | Disable or Modify System Firewall | 4
T1562.012 | Disable or Modify Linux Audit System | 3
T1562.006 | Indicator Blocking | 3
T1562.007 | Disable or Modify Cloud Firewall | 7
T1562.003 | Impair Command History Logging | 3
T1562.001 | Disable or Modify Tools | 7
T1562.011 | Spoof Security Alerting | 2
T1562.008 | Disable or Modify Cloud Logs | 11