Impair Defenses, Technique T1562 - Enterprise | MITRE ATT&CK®
class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Impair Defenses</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Impair Defenses </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" 
aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Sub-techniques (11)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1562/001/" class="subtechnique-table-item" data-subtechnique_id="T1562.001"> T1562.001 </a> </td> <td> <a href="/techniques/T1562/001/" class="subtechnique-table-item" data-subtechnique_id="T1562.001"> Disable or Modify Tools </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/002/" class="subtechnique-table-item" data-subtechnique_id="T1562.002"> T1562.002 </a> </td> <td> <a href="/techniques/T1562/002/" class="subtechnique-table-item" data-subtechnique_id="T1562.002"> Disable Windows Event Logging </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/003/" class="subtechnique-table-item" data-subtechnique_id="T1562.003"> T1562.003 </a> </td> <td> <a href="/techniques/T1562/003/" class="subtechnique-table-item" data-subtechnique_id="T1562.003"> Impair Command History Logging </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/004/" class="subtechnique-table-item" data-subtechnique_id="T1562.004"> T1562.004 </a> </td> <td> <a href="/techniques/T1562/004/" class="subtechnique-table-item" data-subtechnique_id="T1562.004"> Disable or Modify System Firewall </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/006/" class="subtechnique-table-item" data-subtechnique_id="T1562.006"> T1562.006 </a> </td> <td> <a href="/techniques/T1562/006/" class="subtechnique-table-item" data-subtechnique_id="T1562.006"> Indicator Blocking </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/007/" class="subtechnique-table-item" data-subtechnique_id="T1562.007"> T1562.007 </a> </td> <td> <a href="/techniques/T1562/007/" class="subtechnique-table-item" data-subtechnique_id="T1562.007"> 
Disable or Modify Cloud Firewall </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/008/" class="subtechnique-table-item" data-subtechnique_id="T1562.008"> T1562.008 </a> </td> <td> <a href="/techniques/T1562/008/" class="subtechnique-table-item" data-subtechnique_id="T1562.008"> Disable or Modify Cloud Logs </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/009/" class="subtechnique-table-item" data-subtechnique_id="T1562.009"> T1562.009 </a> </td> <td> <a href="/techniques/T1562/009/" class="subtechnique-table-item" data-subtechnique_id="T1562.009"> Safe Mode Boot </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/010/" class="subtechnique-table-item" data-subtechnique_id="T1562.010"> T1562.010 </a> </td> <td> <a href="/techniques/T1562/010/" class="subtechnique-table-item" data-subtechnique_id="T1562.010"> Downgrade Attack </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/011/" class="subtechnique-table-item" data-subtechnique_id="T1562.011"> T1562.011 </a> </td> <td> <a href="/techniques/T1562/011/" class="subtechnique-table-item" data-subtechnique_id="T1562.011"> Spoof Security Alerting </a> </td> </tr> <tr> <td> <a href="/techniques/T1562/012/" class="subtechnique-table-item" data-subtechnique_id="T1562.012"> T1562.012 </a> </td> <td> <a href="/techniques/T1562/012/" class="subtechnique-table-item" data-subtechnique_id="T1562.012"> Disable or Modify Linux Audit System </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. 
This may also span both native defenses as well as supplemental capabilities installed by users and administrators.</p><p>Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title=" Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024."data-reference="Google Cloud Mandiant UNC3886 2024"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. 
Retrieved March 6, 2023."data-reference="Emotet shutdown"><sup><a href="https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1562 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> <a href="/techniques/T1562/001">T1562.001</a>, <a href="/techniques/T1562/002">T1562.002</a>, <a href="/techniques/T1562/003">T1562.003</a>, <a href="/techniques/T1562/004">T1562.004</a>, <a href="/techniques/T1562/006">T1562.006</a>, <a href="/techniques/T1562/007">T1562.007</a>, <a href="/techniques/T1562/008">T1562.008</a>, <a href="/techniques/T1562/009">T1562.009</a>, <a href="/techniques/T1562/010">T1562.010</a>, <a href="/techniques/T1562/011">T1562.011</a>, <a href="/techniques/T1562/012">T1562.012</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0005">Defense Evasion</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 
card-title">Platforms: </span>Containers, IaaS, Identity Provider, Linux, Network, Office Suite, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed: </span>Anti-virus, Digital Certificate Validation, File monitoring, Firewall, Host forensic analysis, Host intrusion prevention systems, Log analysis, Signature-based detection </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Jamie Williams (U ω U), PANW Unit 42; Liran Ravich, CardinalOps </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>21 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>14 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1562" href="/versions/v16/techniques/T1562/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1562" href="/versions/v16/techniques/T1562/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> 
<h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has disabled LSA protection on compromised hosts using <code>"reg" add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f</code>.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Clearing <code>RunAsPPL</code> does not take effect until the host reboots, and where LSA protection was enabled with a UEFI lock the registry edit alone does not remove it; the registry write itself is the detectable event (see Windows Registry Key Modification below).</p> </td> </tr> <tr> <td> <a href="/software/S0603"> S0603 </a> </td> <td> <a href="/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/software/S0603">Stuxnet</a> reduces the integrity level of objects to allow write actions.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 "data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1047"> M1047 </a> </td> <td> <a href="/mitigations/M1047"> Audit </a> </td> <td> <p>Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1038"> M1038 </a> </td> <td> <a href="/mitigations/M1038"> Execution Prevention </a> </td> <td> <p>Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. 
Ensure that only approved security applications are used and running on enterprise systems.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1022"> M1022 </a> </td> <td> <a href="/mitigations/M1022"> Restrict File and Directory Permissions </a> </td> <td> <p>Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1024"> M1024 </a> </td> <td> <a href="/mitigations/M1024"> Restrict Registry Permissions </a> </td> <td> <p>Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services. Note that file and Registry ACLs do not constrain an adversary who already holds local administrator or SYSTEM privileges; where available, also enable the tamper-protection and protected-process features offered by the security and logging products themselves.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1054"> M1054 </a> </td> <td> <a href="/mitigations/M1054"> Software Configuration </a> </td> <td> <p>Consider implementing policies on internal web servers, such as HTTP Strict Transport Security (HSTS), that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chromium. (n.d.). HTTP Strict Transport Security. 
Retrieved May 24, 2023."data-reference="Chromium HSTS"><sup><a href="https://www.chromium.org/hsts/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> Note that HSTS only protects browsers that have already cached the policy or that ship the host in a preload list; a client's first connection and non-browser clients are not covered, so treat it as a complement to network-level controls rather than a substitute.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1018"> M1018 </a> </td> <td> <a href="/mitigations/M1018"> User Account Management </a> </td> <td> <p>Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0025"> <td> <a href="/datasources/DS0025">DS0025</a> </td> <td class="nowrap"> <a href="/datasources/DS0025">Cloud Service</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0025/#Cloud%20Service%20Disable">Cloud Service Disable</a> </td> <td> <p>Monitor logs for API calls to disable logging. In AWS, monitor for: <code>StopLogging</code> and <code>DeleteTrail</code>, as well as calls that reconfigure an existing trail or narrow its event selectors.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020."data-reference="Stopping CloudTrail from Sending Events to CloudWatch Logs"><sup><a href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> In GCP, monitor for: <code>google.logging.v2.ConfigServiceV2.UpdateSink</code>.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Google. (n.d.). 
Configuring Data Access audit logs. Retrieved October 16, 2020."data-reference="Configuring Data Access audit logs"><sup><a href="https://cloud.google.com/logging/docs/audit/configure-data-access" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> In Azure, monitor for <code>az monitor diagnostic-settings delete</code>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020."data-reference="az monitor diagnostic-settings"><sup><a href="https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> These command and API names are examples only: the same changes can be made through the provider console, SDKs, REST APIs, and infrastructure-as-code tooling, so base detections on the provider's audit or management-plane record of the operation rather than on a command-line string. Additionally, a sudden loss of a log source, or an unexplained drop in event volume from a source that was previously reporting, may indicate that it has been disabled; alerting on this requires a baseline of expected volume per source.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0025-Cloud Service Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0025/#Cloud%20Service%20Modification">Cloud Service Modification</a> </td> <td> <p>Monitor changes made to cloud services for unexpected modifications to settings and/or data.</p> </td> </tr> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="datasource" id="uses-DS0027"> <td> <a href="/datasources/DS0027">DS0027</a> </td> <td class="nowrap"> <a href="/datasources/DS0027">Driver</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0027/#Driver%20Load">Driver Load</a> </td> <td> <p>Monitor for unusual/suspicious driver 
activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products. Legitimately signed but vulnerable third-party drivers are a common vehicle for this, so compare newly loaded drivers against published lists of known-abused drivers and alert on loads from unusual paths or by processes other than the expected installer or service.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Deletion">File Deletion</a> </td> <td> <p>Monitor for missing log files on hosts and services with known active periods.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0022-File Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0022/#File%20Modification">File Modification</a> </td> <td> <p>Monitor changes made to configuration files that contain settings for logging and defensive tools.</p> </td> </tr> <tr class="datasource" id="uses-DS0018"> <td> <a href="/datasources/DS0018">DS0018</a> </td> <td class="nowrap"> <a href="/datasources/DS0018">Firewall</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0018/#Firewall%20Disable">Firewall Disable</a> </td> <td> <p>Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). These events are only produced when the relevant system audit policy subcategory is enabled, so verify the audit configuration before relying on them.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0018-Firewall Rule Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0018/#Firewall%20Rule%20Modification">Firewall Rule Modification</a> </td> <td> <p>Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> 
<td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> <p>Monitor for the abnormal execution of API functions associated with system logging.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Creation"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Modification">Process Modification</a> </td> <td> <p>Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Termination"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Termination">Process Termination</a> </td> <td> <p>Monitor for unexpected termination of a running process (ex: Sysmon EID 5 or Windows EID 4689), particularly security, logging, or EDR processes, as this may indicate an attempt to hinder or disable defensive mechanisms. Windows EID 4689 is only generated when the Audit Process Termination subcategory is enabled.</p> </td> </tr> <tr class="datasource" id="uses-DS0012"> <td> <a href="/datasources/DS0012">DS0012</a> </td> <td class="nowrap"> <a href="/datasources/DS0012">Script</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0012/#Script%20Execution">Script Execution</a> </td> <td> <p>Any attempt to enable script execution on a system where it is normally disabled should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.</p> </td> </tr> <tr class="datasource" id="uses-DS0013"> <td> <a href="/datasources/DS0013">DS0013</a> </td> <td class="nowrap"> <a href="/datasources/DS0013">Sensor Health</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0013/#Host%20Status">Host Status</a> </td> <td> <p>Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) for signs that an adversary has modified components of the environment to hinder or disable defensive mechanisms. Lack of log events may be suspicious; because a disabled sensor cannot report its own failure, track expected check-in intervals centrally and alert when a previously reporting host goes silent.</p> </td> </tr> <tr class="datasource" id="uses-DS0019"> <td> <a href="/datasources/DS0019">DS0019</a> </td> <td class="nowrap"> <a href="/datasources/DS0019">Service</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0019/#Service%20Metadata">Service Metadata</a> </td> <td> <p>Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, for changes that may indicate an adversary is attempting to hinder or disable defensive mechanisms (for example, a security or logging service whose start type is changed to disabled or whose executable path is altered).</p> </td> </tr> <tr class="datasource" id="uses-DS0002"> <td> <a href="/datasources/DS0002">DS0002</a> </td> <td class="nowrap"> <a href="/datasources/DS0002">User Account</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0002/#User%20Account%20Modification">User Account Modification</a> </td> <td> <p>Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the <code>Update User</code> and <code>Change User License</code> events in the Azure AD audit log.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Mandiant. (2021, January 19). 
Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021."data-reference="Mandiant Defend UNC2452 White Paper"><sup><a href="https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr class="datasource" id="uses-DS0024"> <td> <a href="/datasources/DS0024">DS0024</a> </td> <td class="nowrap"> <a href="/datasources/DS0024">Windows Registry</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Deletion">Windows Registry Key Deletion</a> </td> <td> <p>Monitor for unexpected deletion of Windows Registry keys whose removal may hinder or disable defensive mechanisms.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0024-Windows Registry Key Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification">Windows Registry Key Modification</a> </td> <td> <p>Monitor Registry edits for modifications to services and startup programs that correspond to security tools, as well as to values that govern platform protections (for example, the LSA <code>RunAsPPL</code> value cleared in the Magic Hound procedure example above).</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations" target="_blank"> Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024. 
</a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/" target="_blank"> The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.chromium.org/hsts/" target="_blank"> Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="6"> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html" target="_blank"> Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. 
</a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://cloud.google.com/logging/docs/audit/configure-data-access" target="_blank"> Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete" target="_blank"> Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.mandiant.com/resources/blog/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452" target="_blank"> Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>