Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-16 | Authorization Mechanisms | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to independently enforce formal approval processes for user access and to implement dynamic and explicit authorization mechanisms. The guidance focuses on technical measures that verify authorization and prevent unauthorized access and execution. |
| I&S-04 | OS Hardening and Base Controls | mitigates | T1562 | Impair Defenses | This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Application control, especially over the execution of tools outside of security policies, and ensuring that only approved security applications are used can prevent adversaries from maliciously modifying an environment to hinder or disable defensive mechanisms. |
| UEM-05 | Endpoint Management | mitigates | T1562 | Impair Defenses | This control provides for the implementation of best practices for endpoint management. Malicious modification of preventative defenses and detection capabilities can be mitigated by implementing application control, script blocking, and other execution prevention mechanisms. |
| UEM-05 | Endpoint Management | mitigates | T1562 | Impair Defenses | This control provides for the implementation of best practices for endpoint management. Preventing insecure connections and ensuring proper permissions can help mitigate the risk of adversaries hindering or disabling preventative defenses. |
| UEM-10 | Software Firewall | mitigates | T1562 | Impair Defenses | This control describes how CSPs and CSCs must install, update, and properly configure endpoint and software-defined firewalls, regularly review and approve firewall rule changes, and monitor traffic for anomalies and malicious code. These mitigative actions help prevent unauthorized access, block threats, and ensure that only approved firewall rules are active. |
| LOG-10 | Audit Records Protection | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to independently protect audit logs through strict access controls, encryption, isolated log environments, continuous monitoring, vulnerability management, and similar measures, so that the records remain usable for investigations or legal proceedings. |
| LOG-04 | Audit Logs Access and Accountability | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to restrict audit log access using RBAC, MFA, least privilege, and separation of duties, so that only authorized personnel can access sensitive logs and every access is traceable and secure. This set of controls ensures that proper user permissions are in place to prevent adversaries from disabling or interfering with security and logging services. |
| LOG-02 | Audit Logs Protection | mitigates | T1562 | Impair Defenses | This control requires both CSP and CSC to independently protect and retain audit logs by implementing controls such as centralized logging, secure and tamper-evident storage, access restrictions, and regular monitoring and review, ensuring that logs remain available and trustworthy for investigations and are protected against improper modification and tampering. |
| IAM-05 | Least Privilege | mitigates | T1562 | Impair Defenses | This control describes enforcement of the principle of least privilege through controls such as regular automated reviews of access permissions, MFA for high-risk accounts, prompt revocation of unused privileges, and limits on access to sensitive data. Adversaries have been known to introduce new firewall rules or policies to allow access into a victim cloud environment and/or disable cloud logs to evade defenses. To mitigate this technique, configure Identity and Access Management (IAM) security policies according to least privilege principles so that only the necessary users can modify the security mechanisms in place. |
| UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1562 | Impair Defenses | This control provides for the implementation of best practices for third-party endpoint management. Preventing insecure connections and ensuring proper permissions can help mitigate the risk of adversaries hindering or disabling preventative defenses. |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1562.002 | Disable Windows Event Logging | 3 |
| T1562.004 | Disable or Modify System Firewall | 1 |
| T1562.012 | Disable or Modify Linux Audit System | 3 |
| T1562.007 | Disable or Modify Cloud Firewall | 5 |
| T1562.001 | Disable or Modify Tools | 7 |
| T1562.008 | Disable or Modify Cloud Logs | 5 |