T1562.001 Disable or Modify Tools

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.


VERIS Mappings

Capability ID: action.malware.variety.Disable controls
Capability Description: Disable or interfere with security controls
Mapping Type: related-to
ATT&CK ID: T1562.001
ATT&CK Name: Impair Defenses: Disable or Modify Tools

AWS Mappings

Capability ID: aws_config
Capability Description: AWS Config
Mapping Type: technique_scores
ATT&CK ID: T1562.001
ATT&CK Name: Disable or Modify Tools
Comments:
The "ec2-managedinstance-applications-required" managed rule verifies that all applications in a pre-defined list of requirements are installed on the specified managed instances, and is run on configuration changes. It will not detect modification of those applications, but it will detect if they are uninstalled. The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications is not installed on the specified managed instances; it can be used to detect installation of applications below a minimum version, which can identify adversary attempts to downgrade required tools to insecure or ineffective older versions. Given the host-based scoping of this technique, coverage is partial, resulting in an overall score of Partial.

Capability ID: amazon_guardduty
Capability Description: Amazon GuardDuty
Mapping Type: technique_scores
ATT&CK ID: T1562.001
ATT&CK Name: Disable or Modify Tools
Comments:
The following GuardDuty findings provide indicators of malicious activity against defense measures:
- Stealth:IAMUser/CloudTrailLoggingDisabled
- Stealth:IAMUser/PasswordPolicyChange
- Stealth:S3/ServerAccessLoggingDisabled
- Impact:S3/MaliciousIPCaller
- Exfiltration:S3/MaliciousIPCaller
- Exfiltration:S3/ObjectRead.Unusual
- PenTest:S3/KaliLinux
- PenTest:S3/ParrotLinux
- PenTest:S3/PentooLinux
- UnauthorizedAccess:S3/MaliciousIPCaller.Custom
- UnauthorizedAccess:S3/TorIPCaller

Capability ID: amazon_inspector
Capability Description: Amazon Inspector
Mapping Type: technique_scores
ATT&CK ID: T1562.001
ATT&CK Name: Disable or Modify Tools
Comments:
The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures that only the root account can modify or execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; it only checks whether security controls are in place, which can inform decisions around hardening the system. Because of this, and because the security control is only supported on Linux platforms, the score is Minimal.

Capability ID: aws_security_hub
Capability Description: AWS Security Hub
Mapping Type: technique_scores
ATT&CK ID: T1562.001
ATT&CK Name: Disable or Modify Tools
Comments:
AWS Security Hub performs checks from the AWS Foundations CIS Benchmark that, if implemented, help detect changes to key AWS services. Security Hub provides these detections through the following checks:
- 3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes
- 3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes
- 3.10 Ensure a log metric filter and alarm exist for security group changes
- 3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
- 3.12 Ensure a log metric filter and alarm exist for changes to network gateways
- 3.13 Ensure a log metric filter and alarm exist for route table changes
- 3.14 Ensure a log metric filter and alarm exist for VPC changes
This is scored as Significant because it can detect when changes are made to key AWS services (e.g., CloudTrail, Config, etc.), such as when they stop logging or other configuration changes are made.
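As an added illustration of what the CIS 3.5 and 3.9 metric filters above actually match (example code written for this page, not part of the mappings project or of AWS), the following Python applies the same eventName/eventSource logic those two filters use to a few constructed CloudTrail records, flagging a trail or Config recorder being stopped while ignoring a benign read and a corrupt line. The event-name sets are the ones the CIS Benchmark patterns use; the sample records, account ID and ARNs are constructed.

```python
import json

# Event names matched by the CIS AWS Foundations Benchmark metric filters for
# check 3.5 (CloudTrail configuration changes, any event source) and check 3.9
# (AWS Config configuration changes, config.amazonaws.com only). Checks
# 3.10-3.14 on the page follow the same pattern with other event-name sets.
CIS_FILTERS = {
    "3.5 CloudTrail configuration changes": (
        None,  # CIS 3.5 pattern does not constrain eventSource
        {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"},
    ),
    "3.9 AWS Config configuration changes": (
        "config.amazonaws.com",
        {"StopConfigurationRecorder", "DeleteDeliveryChannel",
         "PutDeliveryChannel", "PutConfigurationRecorder"},
    ),
}

def classify(event):
    """Return the CIS check a CloudTrail record matches, or None."""
    for check, (source, names) in CIS_FILTERS.items():
        source_ok = source is None or event.get("eventSource") == source
        if source_ok and event.get("eventName") in names:
            return check
    return None

def scan(lines):
    """Parse JSON-per-line CloudTrail records; return (check, eventName, actor) hits.
    Lines that are not valid JSON are skipped so one bad record cannot stop the scan."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        check = classify(event)
        if check:
            actor = event.get("userIdentity", {}).get("arn", "<unknown>")
            hits.append((check, event["eventName"], actor))
    return hits

# Constructed sample records (not real account data): a trail being stopped,
# a Config recorder being stopped, a benign read, and a corrupt line.
SAMPLE_LINES = [
    '{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"}}',
    '{"eventSource":"config.amazonaws.com","eventName":"StopConfigurationRecorder",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"}}',
    '{"eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails",'
    '"userIdentity":{"arn":"arn:aws:iam::111122223333:role/audit"}}',
    'not json',
]

if __name__ == "__main__":
    for check, name, actor in scan(SAMPLE_LINES):
        print(f"ALERT [{check}] {name} by {actor}")
```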