T1562.006 Indicator Blocking Mappings

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW) (Citation: Microsoft About Event Tracing 2018), by tampering with the settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry, and are also accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.

ETW interruption can be achieved in multiple ways, most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
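The three signals named above (ETW providers reconfigured from PowerShell, ETW Autologger settings changed in the Registry, and host firewall rules that cut off telemetry forwarding) can each be turned into a host detection rule. The following Python routine is an added illustration, not part of the MITRE mapping page or of ATT&CK; it scans constructed telemetry records, and the collector address, host names, rule names and provider GUID are placeholders. The Autologger Registry location it matches on is the standard Windows one, not a value taken from this page.

```python
import re
from dataclasses import dataclass

# Assumption (placeholder): address of the central SIEM / log collector
# that the host's forwarding agent reports to.
COLLECTOR_HOSTS = {"10.0.0.50"}

# Standard Windows location of ETW Autologger sessions. A "Start" value of 0
# keeps a session from starting at boot; an "Enabled" value of 0 under a
# provider subkey switches that provider off.
AUTOLOGGER_MARKER = r"\control\wmi\autologger"

ETW_CMDLET_RE = re.compile(r"\bSet-EtwTraceProvider\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def detect_etw_cmdlet(rec):
    """PowerShell script-block text that reconfigures an ETW trace provider."""
    if rec.get("source") != "powershell":
        return None
    script = rec.get("script", "")
    if not ETW_CMDLET_RE.search(script):
        return None
    return Alert("etw_provider_reconfigured", rec["host"], script)


def detect_autologger_change(rec):
    """Registry write that disables an Autologger session or provider."""
    if rec.get("source") != "registry":
        return None
    path = rec.get("target", "").lower()
    if AUTOLOGGER_MARKER not in path:
        return None
    value_name = path.rsplit("\\", 1)[-1]
    if value_name in ("enabled", "start") and str(rec.get("data", "")).strip() == "0":
        return Alert("etw_autologger_disabled", rec["host"], rec["target"])
    return None


def detect_collector_block(rec):
    """Host firewall rule that blocks outbound traffic to a telemetry collector."""
    if rec.get("source") != "firewall":
        return None
    if rec.get("action", "").lower() != "block":
        return None
    if rec.get("direction", "").lower() != "outbound":
        return None
    if rec.get("remote_address") in COLLECTOR_HOSTS:
        return Alert("telemetry_forwarding_blocked", rec["host"], rec.get("rule_name", ""))
    return None


DETECTORS = (detect_etw_cmdlet, detect_autologger_change, detect_collector_block)


def scan(records):
    """Run every detector over every record; return alerts in record order."""
    alerts = []
    for rec in records:
        for detector in DETECTORS:
            alert = detector(rec)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs): two benign records, three that should fire.
SAMPLE_RECORDS = [
    {"source": "powershell", "host": "ws01",
     "script": "Get-EtwTraceProvider -SessionName EventLog-Application"},  # read-only query
    {"source": "powershell", "host": "ws01",
     "script": "Set-EtwTraceProvider -Guid '{PLACEHOLDER-GUID}' -SessionName 'EventLog-Application'"},
    {"source": "registry", "host": "ws02",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\Start",
     "data": "0"},
    {"source": "registry", "host": "ws02",
     "target": r"HKLM\SOFTWARE\ExampleVendor\Agent\Start", "data": "0"},  # unrelated key
    {"source": "firewall", "host": "ws03", "rule_name": "Block collector",
     "action": "Block", "direction": "Outbound", "remote_address": "10.0.0.50"},
    {"source": "firewall", "host": "ws03", "rule_name": "Allow collector",
     "action": "Allow", "direction": "Outbound", "remote_address": "10.0.0.50"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Each detector maps to one of the mapped controls below: the PowerShell and Registry checks are the kind of change CM-6 / SI-7 monitoring should raise, and the firewall check is what SI-4 / CA-7 continuous monitoring needs to notice that a host has gone quiet because its forwarding path was blocked rather than because nothing happened.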


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1562.006 | Indicator Blocking |
| AC-3 | Access Enforcement | Protects | T1562.006 | Indicator Blocking |
| AC-5 | Separation of Duties | Protects | T1562.006 | Indicator Blocking |
| AC-6 | Least Privilege | Protects | T1562.006 | Indicator Blocking |
| CA-7 | Continuous Monitoring | Protects | T1562.006 | Indicator Blocking |
| CM-2 | Baseline Configuration | Protects | T1562.006 | Indicator Blocking |
| CM-5 | Access Restrictions for Change | Protects | T1562.006 | Indicator Blocking |
| CM-6 | Configuration Settings | Protects | T1562.006 | Indicator Blocking |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1562.006 | Indicator Blocking |
| SC-8 | Transmission Confidentiality and Integrity | Protects | T1562.006 | Indicator Blocking |
| SI-3 | Malicious Code Protection | Protects | T1562.006 | Indicator Blocking |
| SI-4 | System Monitoring | Protects | T1562.006 | Indicator Blocking |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1562.006 | Indicator Blocking |
| linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1562.006 | Indicator Blocking |
| azure_sentinel | Azure Sentinel | technique_scores | T1562.006 | Indicator Blocking |
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1562.006 | Indicator Blocking |