Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1562 | Impair Defenses | |
| AC-3 | Access Enforcement | Protects | T1562 | Impair Defenses | |
| AC-5 | Separation of Duties | Protects | T1562 | Impair Defenses | |
| AC-6 | Least Privilege | Protects | T1562 | Impair Defenses | |
| CA-7 | Continuous Monitoring | Protects | T1562 | Impair Defenses | |
| CA-8 | Penetration Testing | Protects | T1562 | Impair Defenses | |
| CM-2 | Baseline Configuration | Protects | T1562 | Impair Defenses | |
| CM-5 | Access Restrictions for Change | Protects | T1562 | Impair Defenses | |
| CM-6 | Configuration Settings | Protects | T1562 | Impair Defenses | |
| CM-7 | Least Functionality | Protects | T1562 | Impair Defenses |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1562 | Impair Defenses | |
| action.malware.variety.Modify data | Malware which compromises a legitimate file rather than creating new filess | related-to | T1562 | Impair Defenses |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_config | AWS Config | technique_scores | T1562 | Impair Defenses | Comments
This control provides significant coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1562 | Impair Defenses | Comments
GuardDuty flags the following finding type DefenseEvasion:IAMUser/AnomalousBehavior as a defense evasion technique. It looks for API calls that delete, disable, or stop operations, such as, DeleteFlowLogs, DisableAlarmActions, or StopLogging. The following Finding types are examples:
Stealth:IAMUser/CloudTrailLoggingDisabled Stealth:IAMUser/PasswordPolicyChange Stealth:S3/ServerAccessLoggingDisabled
References
|
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses | Comments
This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
| aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1562 | Impair Defenses | Comments
This control provides partial coverage for a minority of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
| amazon_inspector | Amazon Inspector | technique_scores | T1562 | Impair Defenses | Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Furthermore, Amazon Inspector only supports a subset of the sub-techniques for this technique. Due to these things and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|
| aws_security_hub | AWS Security Hub | technique_scores | T1562 | Impair Defenses | Comments
AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting changes to key AWS services. AWS Security Hub provides these detections with the following checks.
3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes 3.10 Ensure a log metric filter and alarm exist for security group changes 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) 3.12 Ensure a log metric filter and alarm exist for changes to network gateways 3.13 Ensure a log metric filter and alarm exist for route table changes 3.14 Ensure a log metric filter and alarm exist for VPC changes
This is scored as Partial because it only supports a subset of the sub-techniques (3 of 8).
References
|
Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1562.008 | Disable Cloud Logs | 12 |
| T1562.002 | Disable Windows Event Logging | 14 |
| T1562.007 | Disable or Modify Cloud Firewall | 9 |
| T1562.004 | Disable or Modify System Firewall | 15 |
| T1562.001 | Disable or Modify Tools | 18 |
| T1562.003 | Impair Command History Logging | 6 |
| T1562.006 | Indicator Blocking | 16 |