Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1562 | Impair Defenses | |
AC-3 | Access Enforcement | Protects | T1562 | Impair Defenses | |
AC-5 | Separation of Duties | Protects | T1562 | Impair Defenses | |
AC-6 | Least Privilege | Protects | T1562 | Impair Defenses | |
CA-7 | Continuous Monitoring | Protects | T1562 | Impair Defenses | |
CA-8 | Penetration Testing | Protects | T1562 | Impair Defenses | |
CM-2 | Baseline Configuration | Protects | T1562 | Impair Defenses | |
CM-5 | Access Restrictions for Change | Protects | T1562 | Impair Defenses | |
CM-6 | Configuration Settings | Protects | T1562 | Impair Defenses | |
CM-7 | Least Functionality | Protects | T1562 | Impair Defenses | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1562 | Impair Defenses | |
IA-4 | Identifier Management | Protects | T1562 | Impair Defenses | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1562 | Impair Defenses | |
SI-3 | Malicious Code Protection | Protects | T1562 | Impair Defenses | |
SI-4 | System Monitoring | Protects | T1562 | Impair Defenses | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1562 | Impair Defenses | |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1562 | Impair Defenses | This control's detection is specific to a minority of this technique's sub-techniques, resulting in a Minimal Coverage score and consequently an overall score of Minimal. |
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1562 | Impair Defenses | This control only provides coverage for a minority of the sub-techniques under this technique and provides no coverage for other relevant sub-techniques, such as Impair Command History Logging or Disable or Modify Tools, resulting in a score of Minimal. |
azure_defender_for_resource_manager | Azure Defender for Resource Manager | technique_scores | T1562 | Impair Defenses | This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its Coverage score is Minimal, resulting in an overall Minimal score. |
azure_sentinel | Azure Sentinel | technique_scores | T1562 | Impair Defenses | This control provides mostly minimal (and in some cases partial) coverage for most of this technique's sub-techniques, resulting in an overall score of Minimal. The Azure Sentinel Hunting "Anomalous Defensive Mechanism Modification" query detects users performing delete operations on security policies, which may indicate an adversary attempting to impair defenses. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1562 | Impair Defenses | Due to low detection coverage, this technique is scored as Minimal. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1562.008 | Disable Cloud Logs | 7 |
T1562.002 | Disable Windows Event Logging | 14 |
T1562.007 | Disable or Modify Cloud Firewall | 7 |
T1562.004 | Disable or Modify System Firewall | 16 |
T1562.001 | Disable or Modify Tools | 17 |
T1562.003 | Impair Command History Logging | 4 |
T1562.006 | Indicator Blocking | 16 |