Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1562 | Impair Defenses | This diagnostic statement provides for securely configuring production systems: hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1562 | Impair Defenses | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems have installed and enabled only what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.AA-05.02 | Privileged system access | Mitigates | T1562 | Impair Defenses | This diagnostic statement protects against Impair Defenses through privileged account management and multi-factor authentication. |
DE.CM-09.03 | Unauthorized software, hardware, or configuration changes | Mitigates | T1562 | Impair Defenses | This diagnostic statement addresses measures for managing configuration integrity and unauthorized changes, which can mitigate risks from adversary techniques that attempt to change how hardware, software, and firmware operate. |
PR.AA-05.01 | Access privilege limitation | Mitigates | T1562 | Impair Defenses | This diagnostic statement describes implementation of the least privilege principle, which can be applied by limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Ensure proper Registry permissions are in place to prevent unnecessary users and adversaries from disabling or interfering with security/logging services. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1562 | Impair Defenses | This diagnostic statement provides protection from Impair Defenses through security configuration baselines for OS and software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1562 | Impair Defenses | This diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. Hypervisor hardening can limit the ability of virtual machines to disable or modify security tools or configurations within the host system, making it harder for attackers to evade detection. |
PR.AA-01.02 | Physical and logical access | Mitigates | T1562 | Impair Defenses | This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls for systems include MFA, user account management, and other role-based access control mechanisms that enforce authentication and authorization policies for user accounts. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1562 | Impair Defenses | This diagnostic statement protects against Impair Defenses through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1562 | Impair Defenses | Due to low detection coverage, this technique is scored as Minimal. |
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1562 | Impair Defenses | This control only provides coverage for a minority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1562 | Impair Defenses | This control's detection is specific to a minority of this technique's sub-techniques, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
defender_for_resource_manager | Microsoft Defender for Resource Manager | technique_scores | T1562 | Impair Defenses | This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its coverage score is Minimal, resulting in an overall Minimal score. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
identity_platform | Identity Platform | technique_scores | T1562 | Impair Defenses | Identity Platform provides Admin APIs to manage users and authentication tokens. To prevent unwanted access to your users and tokens through these APIs, Identity Platform leverages IAM to manage permission to specific Identity Platform APIs. This control helps ensure proper API permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
policy_intelligence | Policy Intelligence | technique_scores | T1562 | Impair Defenses | Adversaries that disable cloud logging capabilities limit the amount of data that can be collected and can possibly avoid detection. This control may be used to ensure that permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
resource_manager | Resource Manager | technique_scores | T1562 | Impair Defenses | An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. GCP allows configuration of account policies to enable logging, and IAM permissions and roles determine who can access audit log data in Google Cloud resources. |
security_command_center | Security Command Center | technique_scores | T1562 | Impair Defenses | SCC ingests VPC audit logs to detect changes that would alter the security posture. This control protects against network modifications used to reduce the security perimeter, disable logs, and evade the defenses of a target environment. Because of its near-real-time detection, this control was graded as Significant. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1562 | Impair Defenses | GuardDuty flags the finding type DefenseEvasion:IAMUser/AnomalousBehavior as a defense evasion technique. It looks for API calls that delete, disable, or stop operations, such as DeleteFlowLogs, DisableAlarmActions, or StopLogging. Example finding types: Stealth:IAMUser/CloudTrailLoggingDisabled, Stealth:IAMUser/PasswordPolicyChange, Stealth:S3/ServerAccessLoggingDisabled. |
amazon_inspector | Amazon Inspector | technique_scores | T1562 | Impair Defenses | The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Because of this, and because the security control is only supported on Linux platforms, the score is Minimal. |
aws_config | AWS Config | technique_scores | T1562 | Impair Defenses | This control provides significant coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. "Detect the use of insecure network services and protocols with known security weaknesses" |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses | This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. "plan the appropriate remediation to prevent unauthorized device access or data disclosure." |
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses | This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal. "you can continuously ingest and evaluate message size data, which can point to issues such as credential abuse." |
aws_security_hub | AWS Security Hub | technique_scores | T1562 | Impair Defenses | AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, help detect changes to key AWS services. The relevant checks are each of the form "Ensure a log metric filter and alarm exist for ...": CloudTrail configuration changes (3.5), AWS Config configuration changes (3.9), security group changes (3.10), changes to Network Access Control Lists (NACL) (3.11), changes to network gateways (3.12), route table changes (3.13), and VPC changes (3.14). This is scored as Partial because it only supports a subset of the sub-techniques (3 of 8). |
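The Amazon Inspector row above describes a control that checks whether system directories are owned by root and are not modifiable by other users. The script below is an added example written for this page, not Inspector's own rules package: it walks a directory tree with `lstat`, flags entries that are writable by group or others (exempting sticky-bit directories such as `/tmp`), flags writable setuid/setgid files separately, and optionally reports entries not owned by the expected uid. The directory list in `DEFAULT_SYSTEM_DIRS` and the sample tree built by `build_sample_tree` are this example's own assumptions, not Inspector's.

```python
"""Audit system directories for permissions that let non-root users alter
binaries or configuration (the intent of Inspector's "Configure permissions
for system directories" control). Added example, not Inspector's code."""
import os
import stat
import tempfile

# Paths a Linux host would typically be audited on. Assumed list for this example.
DEFAULT_SYSTEM_DIRS = ("/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib")


def check_entry(path, expected_uid=0, check_owner=True):
    """Return the list of problems for one entry (empty when it is clean).

    Symlinks are examined with lstat and skipped: their mode bits carry no
    meaning and their targets are audited where they actually live.
    """
    st = os.lstat(path)
    mode = st.st_mode
    problems = []
    if stat.S_ISLNK(mode):
        return problems
    if check_owner and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")

    writable_by_others = mode & (stat.S_IWGRP | stat.S_IWOTH)
    # A world-writable directory with the sticky bit (/tmp style) only lets
    # users remove their own files, so it is not a vector for replacing binaries.
    sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
    if writable_by_others and not sticky_dir:
        who = []
        if mode & stat.S_IWGRP:
            who.append("group")
        if mode & stat.S_IWOTH:
            who.append("others")
        problems.append("writable by " + "/".join(who))
    # Worst case: a writable setuid/setgid file means any local user can swap
    # in code that then runs with elevated rights.
    if (mode & (stat.S_ISUID | stat.S_ISGID)) and writable_by_others and not stat.S_ISDIR(mode):
        problems.append("writable setuid/setgid file")
    return problems


def audit_tree(root, expected_uid=0, check_owner=True):
    """Walk root and return {relative_path: [problems]} for every failing entry.

    The root directory itself is reported as ".".
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] if dirpath == root else []
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in entries:
            try:
                problems = check_entry(path, expected_uid, check_owner)
            except FileNotFoundError:
                continue  # raced with a delete; nothing left to report
            if problems:
                findings[os.path.relpath(path, root)] = problems
    return findings


def build_sample_tree():
    """Create a constructed throwaway tree mixing clean and risky entries.

    Returns a TemporaryDirectory; call .cleanup() when done. Entries are owned
    by the current user, so audit with check_owner=False unless running as root.
    """
    td = tempfile.TemporaryDirectory(prefix="perm-audit-")
    root = td.name
    for name, mode, is_dir in (
        ("sshd_config", 0o644, False),   # clean config file
        ("rc.local", 0o666, False),      # world-writable startup script
        ("tmp", 0o1777, True),           # sticky world-writable dir: acceptable
        ("cron.d", 0o777, True),         # world-writable dir: anyone can add jobs
        ("passwd", 0o4775, False),       # group-writable setuid binary
    ):
        path = os.path.join(root, name)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)
    return td


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, problems in sorted(audit_tree(sample.name, check_owner=False).items()):
        print(f"{rel}: {', '.join(problems)}")
    sample.cleanup()
    # Against a live host: audit_tree("/usr/bin") with the default owner check.
```

On a real host run it per directory in `DEFAULT_SYSTEM_DIRS` with the default `expected_uid=0`; a finding only tells you the bits are wrong, so pair it with a file integrity monitor (PR.PS-01.03 above) to learn whether anything was actually altered.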
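The GuardDuty row and the Security Hub row above both come down to the same detection: watch the management-plane API calls that stop, delete, or reconfigure logging and monitoring (StopLogging, DeleteFlowLogs, DisableAlarmActions, the CIS 3.5/3.9/3.10 event sets). The matcher below is an added example for this page, not GuardDuty's or Security Hub's logic. The API-name groupings are this example's reading of the CIS AWS Foundations Benchmark metric-filter patterns and the GuardDuty examples quoted above and should be checked against the current benchmark; the treatment of `PutBucketLogging` with an empty `BucketLoggingStatus` as a "logging disabled" call is an assumption about the CloudTrail request shape; the records in `SAMPLE_RECORDS` are constructed, not real logs.

```python
"""Flag CloudTrail records that indicate Impair Defenses (T1562) activity.
Added example; the rule sets are not an official GuardDuty or CIS list."""
import json

# Rule name -> API actions that fire it. Grouped after CIS 3.5 / 3.9 / 3.10 and
# the GuardDuty DefenseEvasion examples; assumed list for this example.
RULES = {
    "cloudtrail_config_change": {  # CIS 3.5
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"},
    "aws_config_change": {  # CIS 3.9
        "StopConfigurationRecorder", "DeleteDeliveryChannel",
        "PutDeliveryChannel", "PutConfigurationRecorder"},
    "security_group_change": {  # CIS 3.10
        "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
        "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup"},
    "monitoring_disabled": {  # GuardDuty DefenseEvasion examples
        "DeleteFlowLogs", "DisableAlarmActions", "DeleteAlarms"},
    "password_policy_change": {  # Stealth:IAMUser/PasswordPolicyChange
        "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy"},
}

# Calls that actually reduce visibility. CIS alarms on CreateTrail/StartLogging
# too (configuration churn), but those rarely deserve the same priority.
DESTRUCTIVE = {"StopLogging", "DeleteTrail", "DeleteFlowLogs", "DisableAlarmActions",
               "DeleteAlarms", "StopConfigurationRecorder", "DeleteDeliveryChannel",
               "DeleteAccountPasswordPolicy"}


def match_rule(record):
    """Return (rule, destructive) for a matching record, else None."""
    name = record.get("eventName", "")
    for rule, names in RULES.items():
        if name in names:
            return rule, name in DESTRUCTIVE
    if name == "PutBucketLogging":
        # Assumption: disabling S3 server access logging arrives as a
        # BucketLoggingStatus with no LoggingEnabled member (the case behind
        # Stealth:S3/ServerAccessLoggingDisabled). Enabling carries LoggingEnabled.
        status = (record.get("requestParameters") or {}).get("BucketLoggingStatus")
        if isinstance(status, dict) and "LoggingEnabled" not in status:
            return "s3_access_logging_disabled", True
    return None


def classify(record):
    """Return (rule, severity) or None.

    'high'   destructive call that the API accepted
    'medium' matched but non-destructive (e.g. StartLogging, CreateSecurityGroup)
    'low'    the API refused the call (errorCode present): nothing was impaired,
             but a denied StopLogging is still a lead worth keeping.
    """
    hit = match_rule(record)
    if hit is None:
        return None
    rule, destructive = hit
    if record.get("errorCode"):
        return rule, "low"
    return rule, "high" if destructive else "medium"


def scan(cloudtrail_json):
    """Parse a CloudTrail log body ({"Records": [...]}) and return findings in order."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        hit = classify(rec)
        if hit is None:
            continue
        rule, severity = hit
        findings.append({
            "rule": rule, "severity": severity, "eventName": rec.get("eventName"),
            "actor": (rec.get("userIdentity") or {}).get("arn", "unknown"),
            "sourceIP": rec.get("sourceIPAddress"), "time": rec.get("eventTime"),
        })
    return findings


# Constructed sample records (not real logs); account ID and IPs are documentation values.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "audit-archive", "BucketLoggingStatus": {}}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ReadOnly"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/SecOps"}},
]})

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['severity']:6}] {f['rule']:27} {f['eventName']:<17} by {f['actor']}")
```

Two things the example shows that the table rows do not: a denied call (`errorCode` set) is downgraded rather than dropped, since an attempt to stop a trail is itself a sign of T1562 activity, and the same API name (`PutBucketLogging`, `UpdateTrail`) can either enable or disable logging, so the request parameters, not just the event name, decide severity.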
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1562.009 | Safe Mode Boot | 19 |
T1562.002 | Disable Windows Event Logging | 17 |
T1562.004 | Disable or Modify System Firewall | 21 |
T1562.012 | Disable or Modify Linux Audit System | 14 |
T1562.006 | Indicator Blocking | 26 |
T1562.007 | Disable or Modify Cloud Firewall | 17 |
T1562.010 | Downgrade Attack | 12 |
T1562.003 | Impair Command History Logging | 10 |
T1562.001 | Disable or Modify Tools | 25 |
T1562.011 | Spoof Security Alerting | 7 |
T1562.008 | Disable or Modify Cloud Logs | 19 |