T1562.006
Impair Defenses: Indicator Blocking
Description from ATT&CK
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/
Atomic Tests
Atomic Test #1 - Auditing Configuration Changes on Linux Host
Emulates modification of auditd configuration files
Supported Platforms: linux
auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf |
auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf |
libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}
Cleanup Commands:
1
2
3
4
5
6
7
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}
Atomic Test #2 - Lgging Configuration Changes on Linux Host
Emulates modification of syslog configuration.
Supported Platforms: linux
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |
rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf |
syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
10
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi
Cleanup Commands:
1
2
3
4
5
6
7
8
9
10
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fi