MITRE ATT&CK T1562 Impair Defenses

In 2019, Picus Labs analyzed 48813 malware samples to determine the tactics, techniques, and procedures (TTPs) used by adversaries in these malicious files. Picus Labs categorized each observed TTP using the MITRE ATT&CK® framework. As a result, 445018 TTPs observed in the last year were mapped to ATT&CK to identify the top 10 most common techniques used by attackers. Our research found that Impair Defenses was the tenth most prevalent ATT&CK technique used by adversaries in their malware.

Executive Summary

Disabling, modifying, or blocking defensive security controls is one of the most common adversary behaviors. The MITRE ATT&CK Framework categorizes this type of malicious action under the “T1562 Impair Defenses” technique. The technique covers impairing preventive security controls, detection capabilities, and other mechanisms that support prevention and detection, such as Windows Event Logging. Our research has found that Impair Defenses is the tenth most prevalent ATT&CK technique used by adversaries [1].

Introduction

Defensive security controls prevent or detect adversaries’ malicious actions by identifying attack indicators, from the hash level up to the TTP (Tactics, Techniques and Procedures) level of the pyramid of pain [2]. Adversaries frequently use defense evasion techniques to stay under the radar of security controls and achieve their goals. It came as no surprise that the most prevalent ATT&CK tactics are Defense Evasion and Execution, according to our analysis of 48813 malware samples [1].

Our research shows that the most used Defense Evasion technique is T1055 Process Injection, which is also a Privilege Escalation technique and was used in 19% of analyzed malware samples. The second most prevalent Defense Evasion technique is T1036 Masquerading, in which adversaries alter the features of malicious artifacts such as malware files and processes so that they look like legitimate software and processes, evading detection by users and security controls.

T1562 Impair Defenses is the last Defense Evasion technique in our 10 Critical ATT&CK Techniques list. It covers disabling or blocking defensive security controls by modifying the victim environment, and involves impairing:

  • preventative defenses such as firewalls, IPSs, antivirus
  • detection capabilities that are used to identify malicious behavior
  • supportive mechanisms, such as Windows Event Logging.

In this article, we review:

  • the fundamentals of the Impair Defenses technique
  • updates on the technique in the new version of the ATT&CK framework
  • sub-techniques of the Impair Defenses technique 
  • use cases of these sub-techniques by threat actors and malware
  • red and blue team exercises for this technique

Changes in the New Version of the MITRE ATT&CK Framework

The July 2020 (v7) ATT&CK release is the first non-beta release of Enterprise ATT&CK represented with sub-techniques [3]. A MITRE ATT&CK sub-technique is a way to describe a specific implementation of a technique in more detail. 

In the new sub-technique version of the MITRE ATT&CK Framework, the T1562 Impair Defenses technique includes five sub-techniques:

  • T1562.001 Disable or Modify Tools: This sub-technique was the T1089 Disabling Security Tools technique in the previous version.
  • T1562.002 Disable Windows Event Logging: It is a new sub-technique.
  • T1562.003 HISTCONTROL: This sub-technique was the T1148 HISTCONTROL technique in the previous version.
  • T1562.004 Disable or Modify System Firewall: It is a new sub-technique.
  • T1562.006 Indicator Blocking: This sub-technique was the T1054 Indicator Blocking technique in the previous version.
  • T1562.007 Disable or Modify Cloud Firewall: It is a new sub-technique.

Impair Defenses Sub-techniques

  1. T1562.001 Disable or Modify Tools

    The most prevalent “Impair Defenses” sub-technique is Disable or Modify Tools. Adversaries use the following methods to disable or modify security tools:

    • Killing security software processes: Malware developers use the taskkill [4] command to end one or more processes of the security tools. For example, the WastedLocker ransomware kills the sfc.exe process of the Cisco Advanced Malware Protection (AMP) for Endpoints product by using the following command [4], [5]:
      • C:\Windows\system32\taskkill.exe /F /IM sfc.exe
    • Adding/removing/modifying registry keys of security tools: Adversaries modify Windows Registry to disable features of the security tools. For example, the following command is used to disable Windows Defender’s real-time protection:
      • reg add \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
    • Using components of the security tools: Adversaries also utilize components of the security tools to disable them. For example, WastedLocker uses the following command to disable Windows Defender and delete its signature list (definitions) [4], [5]:
      • C:\Program Files\Windows Defender\MpCmdRun.exe -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true

    • Creating exclusions for malware artifacts: Adversaries use some methods to prevent security tools from scanning or reporting malicious files and behaviors. For example, the KryptoCibule cryptocurrency miner and stealer malware issues the following command to exclude its install path from Windows Defender automatic scanning [7]:
      • powershell -c "Add-MpPreference -ExclusionPath '<install path>'"

    As an interesting example, the NetWalker ransomware includes uninstallers of endpoint security products to completely remove them, such as ESET AV Remover, Trend Micro’s Security Agent Uninstall Tool, and Microsoft Security Client Uninstall [6].

  2. T1562.002 Disable Windows Event Logging

    Windows event logs record operating system, application, security, setup, hardware, and user events. Administrators use them to diagnose system problems, and security tools and analysts use them to investigate security issues. Logged Windows events such as application installations, login attempts (successes and failures), privilege elevations, and process creations are great sources for detecting anomalies that may indicate cyber attacks.

    Disabling Windows event logging reduces the logs collected for security audits and, accordingly, the detection rate. Thus, adversaries use this technique to impair defenses by targeting:

    • System-wide logging: Adversaries may completely disable Windows event logging. For example, the Zeppelin ransomware uses the following command to block the start of the Windows event logging mechanism [8]:
      • sc config eventlog start=disabled
    • Logging mechanism of a particular application: The Bronze Union threat group disables HTTP logging of the IIS application by using appcmd.exe with the following command [9]:
      • C:\Windows\System32\inetsrv\appcmd.exe set config "Default Web Site/" /section:httplogging /dontLog:true

  3. T1562.003 HISTCONTROL

    HISTCONTROL is a bash variable that controls how commands are saved in the history list [10]. Its value is a colon-separated list of the following options:

    • ignorespace: Lines starting with a space character are not saved in the history list.
    • ignoredups: Lines matching the previous history entry are not saved.
    • ignoreboth: Shorthand for ‘ignorespace’ and ‘ignoredups’.
    • erasedups: All previous lines matching the current line are deleted from the history list.

    Therefore, the export HISTCONTROL="ignorespace" command prevents the saving of commands that start with a space. So the " cat /etc/passwd" command (note the leading space character) will not be saved, but the "cat /etc/passwd" command will be saved by history. Thus, prepending a space to commands allows adversaries to run commands without leaving traces in the command history list.
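    As an added example that is not part of the original article, the following Python code models the history-saving rules described above: it reads the HISTCONTROL value out of a shell startup file, expands ignoreboth, and replays a list of commands through the ignorespace, ignoredups and erasedups rules to show which lines a review of .bash_history would actually find. The SAMPLE_BASHRC content and the command lists are constructed for the example.

```python
import re

# Constructed sample of a shell startup file (not taken from any real system).
SAMPLE_BASHRC = """
# keep history tidy
export HISTSIZE=5000
export HISTCONTROL="ignorespace:erasedups"
"""

# Matches `HISTCONTROL=value` or `export HISTCONTROL="value"` at line start.
_ASSIGN = re.compile(r'^\s*(?:export\s+)?HISTCONTROL=["\']?([^"\'\s#]*)', re.M)

def histcontrol_from_rc(text):
    """Return the last HISTCONTROL value assigned in a startup file, or '' if none."""
    values = _ASSIGN.findall(text)
    return values[-1] if values else ""

def parse_histcontrol(value):
    """Split a colon-separated HISTCONTROL value into a set of flags, expanding ignoreboth."""
    flags = set()
    for item in value.split(":"):
        item = item.strip().lower()
        if item == "ignoreboth":
            flags.update(("ignorespace", "ignoredups"))
        elif item:
            flags.add(item)
    return flags

def hides_space_prefixed(value):
    """True when commands typed with a leading space never reach the history list."""
    return "ignorespace" in parse_histcontrol(value)

def simulate_history(commands, histcontrol=""):
    """Replay commands through the HISTCONTROL rules and return the resulting history list.

    In this model lines are compared and stored exactly as typed.
    """
    flags = parse_histcontrol(histcontrol)
    history = []
    for cmd in commands:
        if "ignorespace" in flags and cmd.startswith(" "):
            continue  # dropped before it reaches the list: no trace in .bash_history
        if "ignoredups" in flags and history and history[-1] == cmd:
            continue  # duplicate of the previous entry is not saved
        if "erasedups" in flags:
            history = [h for h in history if h != cmd]  # remove all earlier copies
        history.append(cmd)
    return history
```

    Auditing startup files with histcontrol_from_rc and hides_space_prefixed shows which hosts leave a gap in command-history coverage before an investigation relies on it.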

  4. T1562.004 Disable or Modify System Firewall

    Adversaries may disable or modify system firewalls to enable:

    • bypassing network controls
    • Command and Control (C2) communications
    • lateral movement
    • data exfiltration

    Adversaries use the following utilities to disable or modify system firewalls:

    • Command-line utilities: The following commands can be used to disable, stop, or modify firewalls on Windows and Linux systems:
      • netsh: Netsh is a command-line tool that allows the network configuration to be displayed or changed [11]. For example:
        • TangoCharlie malware used the following command to allow inbound TCP connections [12]:
          netsh advfirewall firewall add rule name=CoreNetworkingHTTPS dir=in action=allow Protocol=TCP
        • AVE_MARIA infostealer malware enables inbound connection to the RDP port 3389 [13]:
          netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
        • Eterock malware adds the following rule to allow network communication for the dropped malicious file:
          netsh firewall add allowedprogram C:\Program Files\Microsoft Updates\svchost.exe "Microsoft Update Service" ENABLE
      • net.exe: net.exe can be used to stop a service such as MpsSvc, the Windows Defender Firewall service. For example, DarkHotel’s Asruex malware attempts to disable the Windows Firewall service using the following command:
        • net stop MpsSvc
      • sc.exe: sc.exe can be used to prevent a service from starting [14]. DarkHotel’s Asruex malware also stops the Windows Firewall service from starting using the following command:
        • sc config MpsSvc start= disabled
      • firewalld: Firewalld is a firewall management tool for some Linux distributions such as CentOS, RHEL, Fedora, and SUSE. The following command can be used to disable and stop firewalld:
        • systemctl disable firewalld
        • systemctl stop firewalld
    • Windows registry keys: Kimsuky malware disables the system firewall by zeroing out the related value in the registry:
      • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
    • Windows Control Panel: Attackers can also use the Windows Control Panel if they have remote desktop access to the victim machine.

  5. T1562.006 Indicator Blocking

    Since disabling or stopping a security control can be detected easily, some adversaries prefer blocking indicators or events that are used to detect malicious behavior instead. Adversaries use the following methods for indicator blocking:

    • Redirecting host-based sensors: The Lamin backdoor redirects Windows Software Trace Preprocessor (WPP) logs to stdout. The Kraken ransomware uses the following command for redirection:
      • wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt"
    • Disabling host-based sensors: For example, the LockerGoga ransomware disables Event Tracing for Windows (ETW) using the following command:
      • wevtutil.exe /e:false Microsoft-Windows-WMI-Activity/Trace
    • Blocking traffic: Some malware block traffic associated with reporting to prevent analysis. For example, they create a host-based firewall rule to block traffic to SIEMs or event aggregator products.
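    To turn the command lines quoted in the Disable or Modify Tools, Disable Windows Event Logging, Disable or Modify System Firewall and Indicator Blocking sections above into detection logic, here is an added Python example (not from the original article or from Picus) that matches process-creation command lines against per-sub-technique patterns and groups hits by host. The log records and host names are constructed for the example, and the SECURITY_PROCESSES list is a placeholder seeded only with the sfc.exe image from the WastedLocker command above.

```python
import re

# Security-tool image names whose termination should alert; sfc.exe is the Cisco AMP
# process from the WastedLocker example above. Extend with your own AV/EDR images.
SECURITY_PROCESSES = ["sfc.exe"]
_PROCS = "|".join(re.escape(p) for p in SECURITY_PROCESSES)

# (sub-technique, description, case-insensitive regex over the full command line)
RULES = [
    ("T1562.001", "security tool process killed", rf"taskkill(?:\.exe)?\b.*?/im\s+(?:{_PROCS})\b"),
    ("T1562.001", "Defender real-time protection off", r"\breg(?:\.exe)?\s+add\b.*disablerealtimemonitoring"),
    ("T1562.001", "Defender definitions removed", r"mpcmdrun(?:\.exe)?\b.*-removedefinitions"),
    ("T1562.001", "Defender scan exclusion added", r"add-mppreference\b.*-exclusionpath"),
    ("T1562.002", "Event Log service disabled", r"\bsc(?:\.exe)?\s+config\s+eventlog\s+start\s*=\s*disabled"),
    ("T1562.002", "IIS HTTP logging disabled", r"appcmd(?:\.exe)?\b.*/dontlog:true"),
    ("T1562.004", "firewall allow rule added", r"netsh\s+(?:advfirewall\s+firewall\s+add\s+rule\b.*action=allow|firewall\s+add\s+allowedprogram)"),
    ("T1562.004", "Defender Firewall service stopped/disabled", r"(?:\bnet(?:\.exe)?\s+stop|\bsc(?:\.exe)?\s+config)\s+mpssvc\b"),
    ("T1562.004", "firewalld stopped/disabled", r"systemctl\s+(?:disable|stop)\s+firewalld"),
    ("T1562.006", "event channel disabled via wevtutil", r"wevtutil(?:\.exe)?\b.*/e:false"),
]
_COMPILED = [(t, d, re.compile(p, re.I)) for t, d, p in RULES]

def classify(cmdline):
    """Return every (sub-technique, description) pair the command line matches."""
    return [(t, d) for t, d, rx in _COMPILED if rx.search(cmdline)]

def triage(events):
    """events: iterable of (host, command line) -> {host: [(sub-technique, description, cmdline)]}."""
    hits = {}
    for host, cmd in events:
        for tech, desc in classify(cmd):
            hits.setdefault(host, []).append((tech, desc, cmd))
    return hits

# Constructed sample process-creation records (not real telemetry): the command lines
# quoted in the sections above plus one benign taskkill that must not alert.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\system32\taskkill.exe /F /IM sfc.exe"),
    ("ws01", "sc config eventlog start=disabled"),
    ("srv02", 'netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389'),
    ("srv02", "systemctl stop firewalld"),
    ("ws03", "wevtutil.exe /e:false Microsoft-Windows-WMI-Activity/Trace"),
    ("ws03", r"C:\Windows\system32\taskkill.exe /F /IM notepad.exe"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        for tech, desc, cmd in findings:
            print(host, tech, desc, cmd)
```

    Several hits on one host within a short window, for example a killed security process followed by a disabled Event Log service, are a stronger signal than any single rule.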

  6. T1562.007 Disable or Modify Cloud Firewall

    In addition to host-based firewalls, adversaries may modify firewall rules within a cloud environment. For example, adversaries have used Python scripts containing AWS Command Line Interface (CLI) commands to add backdoor rules to all cloud security groups, allowing any TCP/IP access into the victim’s environment [15].

References

[1] Picus Security, “The Top Ten MITRE ATT&CK Techniques.” [Online]. Available: https://www.picussecurity.com/picus-10-critical-mitre-attck-techniques. [Accessed: 22-Sep-2020]

[2] “The Pyramid of Pain.” [Online]. Available: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html. [Accessed: 22-Sep-2020]

[3] “Updates - July 2020.” [Online]. Available: https://attack.mitre.org/resources/updates/updates-july-2020/. [Accessed: 10-Aug-2020]

[4] eross-msft, “taskkill.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/taskkill. [Accessed: 08-Oct-2020]

[5] E. Brumaghin, “WastedLocker Goes ‘Big-Game Hunting’ in 2020.” [Online]. Available: http://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html. [Accessed: 08-Oct-2020]

[6] ATR Operational Intelligence Team, “Take a ‘NetWalk’ on the Wild Side,” 03-Aug-2020. [Online]. Available: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side. [Accessed: 09-Oct-2020]

[7] “KryptoCibule: The multitasking multicurrency cryptostealer,” 02-Sep-2020. [Online]. Available: https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/. [Accessed: 08-Oct-2020]

[8] The BlackBerry Cylance Threat Research Team, “Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe,” BlackBerry, 11-Dec-2019. [Online]. Available: https://blogs.blackberry.com/en/2019/12/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe. [Accessed: 09-Oct-2020]

[9] “BRONZE UNION Cyberespionage Persists Despite Disclosures.” [Online]. Available: https://www.secureworks.com/research/bronze-union. [Accessed: 09-Oct-2020]

[10] “Bash Variables (Bash Reference Manual).” [Online]. Available: https://www.gnu.org/software/bash/manual/html_node/Bash-Variables.html. [Accessed: 12-Oct-2020]

[11] eross-msft, “Netsh Command Syntax, Contexts, and Formatting.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts. [Accessed: 12-Oct-2020]

[12] “Operation Blockbuster: RAT and Staging Report.” [Online]. Available: https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf. [Accessed: 12-Oct-2020]

[13] “Ave_Maria Malware: there’s more than meets the eye.” [Online]. Available: https://reaqta.com/2019/04/ave_maria-malware-part1/. [Accessed: 12-Oct-2020]

[14] eross-msft, “sc.exe create.” [Online]. Available: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create. [Accessed: 12-Oct-2020]

[15] “Finding evil in AWS: A key pair to remember,” 28-Apr-2020. [Online]. Available: https://expel.io/blog/finding-evil-in-aws/. [Accessed: 12-Oct-2020]
