.svg)
.svg)
Disabling, modifying, or blocking defensive security controls is one of the most common behaviors of adversaries. Deliberately disrupting defensive mechanisms allows adversaries to execute their malicious actions without being interrupted or detected. Using the Impair Defenses technique, adversaries typically exploit weaknesses and vulnerabilities within the victims' infrastructure to undermine their defense designed to prevent unauthorized access, detection, and response.
In this blog, we explain the T1562 Impair Defenses technique of the MITRE ATT&CK® framework and how adversaries employ its sub-techniques in attack campaigns in detail.
|
The Red Report 2024
|
What are Defensive Security Controls?
Defensive security controls are measures and mechanisms implemented by organizations to protect their systems, networks, and data from cyber threats. These controls are designed to detect, prevent, or mitigate the impact of security incidents, ranging from unauthorized access and data breaches to malware infections and other malicious activities. Defensive security controls can be classified into three categories:
Preventative Defenses
Preventative security controls are designed to proactively prevent and minimize the impact of potential threats. These controls aim to create barriers and enforce security measures to prevent unauthorized access, mitigate risks, and maintain integrity and confidentiality. Some key preventative defensive controls include firewalls, Intrusion Prevention Systems (IPSs), Antivirus and Anti-Malware Software, and Web Application Firewalls (WAFs). Adversaries employ the T1562 Impair Defenses technique to dismantle or neutralize preventative security controls, enabling them to navigate, persist, and achieve their objectives within target environments.
Detective Capabilities
Organizations deploy security controls with detection capabilities to focus on the identification and response to security incidents. Unlike preventative controls, which aim to stop security incidents before they occur, detective controls are designed to detect and alert organizations to the presence of security threats or breaches, allowing for a timely response and mitigation. Some of the common detective security controls include Security Information and Event Management (SIEM), Intrusion Detection Systems (IDSs), and Endpoint Detection and Response (EDRs). Adversaries employ the T1562 Impair Defenses technique to compromise detective security controls and disrupt the incident response processes.
Supportive Mechanisms
Supportive mechanisms refer to additional tools, technologies, or processes that complement and reinforce the effectiveness of various security controls. These mechanisms work in tandem with preventive, detective, and other defensive controls to enhance an organization's overall security posture. Some of the well-known supportive mechanisms are:
- Logging systems: Windows Event Logs, Syslog, PowerShell PSReadLine, Linux's bash_history, AWS CloudWatch, AWS CloudTrail, Azure Activity Log, GCP Audit Logs.
- Auditing tools: Linux auditd, Microsoft SQL Server Audit, etc.
Adversaries degrade or block the effectiveness of supportive mechanisms with the T1562 Impair Defenses technique to weaken the target's defenses, making it easier for them to achieve their objectives without detection or effective response.
Adversary Use of Impair Defenses
After gaining initial access, adversaries aim to execute their malicious action without restrictions and stay hidden as long as possible. Also, they aim to remove any trace of compromise to disrupt incident response and malware analysis efforts. To achieve this goal, adversaries use various methods to impair preventive controls, detection capabilities, and supportive mechanisms that enable organizations to maintain their security posture. Impair Defenses technique can be implemented at multiple stages of the attack campaign for various purposes.
For example, adversaries may disable Windows Defender prior to executing malicious commands. By disabling Windows Defender, adversaries increase the likelihood of successfully executing their malicious payloads on the targeted system. Then, they may tamper with firewall configurations to evade detection and establish communication channels with their C2 server. To remove any traces of compromise, adversaries may delete Windows Event Logs and limit the victim's ability to analyze the attack.
Since organizations have a comprehensive list of security controls to defend themselves, there are numerous attack vectors against these controls utilized by adversaries.
Sub-techniques of T1562 Impair Defenses
T1562.001 Disable or Modify Tools
Security tools and utilities refer to applications designed to improve and maintain the security posture of a computer system, network, or infrastructure. While modern operating systems have many security tools as default, organizations often employ additional security tools to prevent, detect, respond to, and mitigate various cyber threats. Adversaries disable or modify these tools within a compromised environment to hinder or neutralize defensive mechanisms. Adversaries seek to disable built-in and 3rd party security tools to execute malicious action undetected and unrestricted. In this section, we will examine procedure samples used against common security tools.
1. Disabling Windows Defender & AMSI
Windows Defender is a built-in security feature developed by Microsoft for Windows operating systems. The primary purpose of Windows Defender is to protect computers and devices running Windows from a wide range of security threats, including viruses, malware, spyware, and other malicious software. Since it is in the default configuration of many Windows systems, adversaries developed novel methods to disable the Windows Defender.
To evade detection, Egregor ransomware created a Group Policy to disable Windows Defender before malware infection [1].
|
Display name: New Group Policy Object Version: 1 registry.pol content: - Key path: Software\Policies\Microsoft\Windows Defender - Data name: DisableAntiSpyware - Value type: 0x04 (REG_DWORD) - Data value: 0x01 |
In another case, Maze ransomware set scheduled tasks to launch their ransomware attack. After the tasks failed to launch, adversaries made a second attempt after disabling Windows Defender's Real-time monitoring in remote systems via WMI [2].
|
cmd /c wmic /node:<ip_address> /user:<username> /password:<password> process call create "cmd.exe /c powershell.exe -exec Bypass /c Set-MpPreference -DisableRealTimeMonitoring 1" |
Instead of disabling the Windows Defender, in some cases, adversaries were observed to modify the Windows Defender's exclusion list as the entire drive stays hidden in the compromised system [3].
|
powershell.exe Set-MpPreference -ExclusionPath \'C:\' |
In March 2023, BlackLotus UEFI bootkit malware was reported to be able to weaken the Windows Defender executable MsMpEng.exe by removing its token privileges by setting the SE_PRIVILEGE_REMOVED attribute to each of them [4]. This action prevents Windows Defender from properly scanning files in the system. Although the effect of this action can be reversed by restarting the executable, adversaries can still disable Windows Defender for a period of time prior to executing other malicious payloads.
Antimalware Scan Interface (AMSI) is another Microsoft technology designed to enhance the interaction between applications and antimalware products installed on a Windows system. AMSI was introduced with Windows 10, and it provides a standardized interface that enables software developers to request scans of content for potential malicious activity. AMSI allows applications to leverage the capabilities of installed antimalware engines, contributing to a more robust defense against various forms of malware. Adversaries disable AMSI to circumvent its advanced threat detection capabilities, allowing them to operate stealthily, execute malicious code, and maintain persistence within the compromised system.
In April 2023, adversaries were observed to use the following PowerShell script in an obfuscated format to disable AMSI. After disabling AMSI, threat actors deploy the XWORM loader and Agent Tesla infostealer malware [5].
|
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) |
2. Disabling Antivirus Software
Organizations use antivirus software as a fundamental component of their cybersecurity strategy to mitigate the risks associated with cyber threats. As a foundational layer of defense, they are used to fortify the organization's security posture alongside other security measures. Adversaries seek to disable antivirus as a strategic maneuver to circumvent detection, execute sophisticated attacks, maintain persistence, and achieve their specific malicious goals within targeted environments.
In May 2023, a threat actor named Spyboy started promoting a tool called Terminator that leverages the Bring Your Own Vulnerable Driver (BYOVD) attack. Terminator malware uses a legitimate and signed driver file, zamguard64.sys or zam64.sys belonging to Zemana Antimalware software and terminates user-mode processes of antivirus and EDR software.
3. Disabling Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) solutions continuously monitor and analyze endpoint activities in real-time, collecting vast amounts of data related to processes, network connections, file interactions, and user behaviors. They are designed to detect and respond to cybersecurity incidents at the endpoint level, addressing threats that may have bypassed traditional security measures. Similar to other security tools, adversaries aim to disable EDRs to evade detection and execute their malicious actions with a reduced risk of being discovered.
In early 2023, several ransomware groups were observed to use the AuKill tool to disable EDR processes before infecting compromised systems with ransomware payloads. AuKill malware deploys an outdated Process Explorer driver, "procexp.sys", and sends IO control code IOCTL_CLOSE_HANDLE to the driver to close the process handle. This action results in terminating the targeted process [6].
T1562.002 Disable Windows Event Logging
Windows Event Logging is a centralized mechanism for recording system and application events in the Windows operating system. Windows event logs record the operating system, application, security, setup, hardware, and user events that are used by the administrators to diagnose system problems and are used by security tools and analysts to analyze security issues. Logged Windows events, such as application installations, login attempts, elevated privileges, and created processes, are great sources for detecting anomalies that may indicate cyber attacks.
Adversaries recognize the significance of event logs in leaving traces of their activities, which can be leveraged by administrators and security professionals to detect and respond to security incidents. Adversaries subvert the fundamental logging mechanism to decrease collected logs for security audits and, accordingly, the detection rate.
By stopping or disabling the Windows Event Log service, adversaries can effectively halt the logging process, preventing critical information about their activities from being recorded. This covert action is particularly dangerous as it allows adversaries to operate within a system's environment with reduced visibility, making it challenging for defenders to identify and thwart their malicious actions.
Adversaries may target system-wide logging or logging for particular applications.
|
//Command shell example for stopping system-wide logging sc config eventlog start=disabled //PowerShell example for stopping system-wide logging Stop-Service -Name EventLog |
BabLock ransomware uses the Windows Events Command Line Utility "wevutil.exe" to delete certain types of Windows Event logs [7].
|
wevtutil.exe clear-log Application |
Another technique involves modifying the Windows Registry, a central repository of system settings and configurations. Adversaries may manipulate specific Registry entries associated with event logging, thereby disabling or altering the default logging behavior. This method provides them with a stealthy means to erase their digital footprints and evade the watchful eyes of security measures relying on event logs for anomaly detection. In their advisory, CISA reported that the LockBit ransomware group exploits the following registries to disable and delete Windows Event logs [8].
|
Registry Key |
Value |
Data |
|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\* |
Enabled |
0 |
|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\* \ChannelAccess |
ChannelAccess |
AO:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA) |
Moreover, adversaries may deploy more sophisticated tactics, such as leveraging privileges to modify Group Policy settings related to event logging. Group Policy is a powerful tool in Windows environments, allowing administrators to define and enforce security policies across a network. Adversaries seeking to cover their tracks may exploit vulnerabilities or employ privilege escalation techniques to modify Group Policy settings, effectively suppressing the generation of crucial event log entries.
T1562.003 Impair Command History Logging
Command history logging refers to the practice of recording and storing a chronological record of commands executed in a computer system or software environment. This feature is commonly found in command-line interfaces, where users interact with a system by entering text-based commands. Command history logging provides users with a convenient and efficient way to review and recall previously executed commands. By maintaining a log of commands, users can track their activities, understand the sequence of operations, and reproduce specific actions when needed.
Adversaries manipulate or disable the logging mechanisms that record user commands, effectively erasing the digital footprint of malicious actions. By tampering with or impairing command history logging, adversaries can hide their tracks, making it challenging for system administrators and security analysts to analyze the sequence of events, identify the nature of the incident, and respond promptly. This technique can be used against Windows, Linux, and macOS operating systems.
In a Windows environment, PowerShell stores the user's command history in a file within the user's profile directory. Adversaries tamper with the ConsoleHost_history.txt using the commands below.
|
Set-Content -Path (Get-PSReadlineOption).HistorySavePath -Value |
|
//Clearing the HISTFILE variable unset HISTFILE //Setting the command history size to zero export HISTFILESIZE=0 |
In Linux and macOS environments, the command history is written to a file pointed by the environment variable HISTFILE. When a user logs off, the history is flushed to the .bash_history file in the user's home directory. Adversaries commonly tamper with the HISTFILE environment variable to manipulate command history logging. When HISTFILE is cleared or its size is set to zero, adversaries prevent the command history logs from being created.Adversaries may also exploit the HISTCONTROL variable to manipulate command history logging. HISTCONTROL is a bash variable that controls how commands are saved on the history log. It includes a colon-separated list of values, which are:
- Ignorespace: In the history list, lines starting with a space character are not saved.
- Ignoredups: Lines matching the previous history entry are not saved.
- Ignoreboth: Shorthand for 'ignorespace' and 'ignoredups.'
- Erasedups: All previous lines matching the current line are deleted from the history list.
Qubitstrike malware uses the HISTCONTROL technique to disable the command shell history [9]. The command below prevents commands that start with a space from being saved to history logs. After adding the exception, adversaries execute commands prepended with a space without leaving a trace on the command history list.
|
export HISTCONTROL="ignorespace" |
T1562.004 Disable or Modify System Firewall
A system firewall acts as a barrier between a computer or network of computers and external threats. It functions as a protective barrier, monitoring and controlling incoming and outgoing network traffic based on predetermined security rules. The primary purpose of a system firewall is to prevent unauthorized access to or from a private network, ensuring that only legitimate and authorized communication is allowed. The firewall inspects data packets traveling across the network and determines whether they meet the specified criteria outlined in the security rules.
Firewalls are designed to monitor and control incoming and outgoing network traffic based on predetermined security rules, and by disabling or modifying its settings, adversaries can facilitate the movement of malicious traffic and data exfiltration, maintain control of a compromised system, and enable the lateral spread of malware or an attack within a network.
Adversaries often use native operating system commands or configuration interfaces to alter rules in the firewall, directly turn the firewall off, or change its settings in a way that weakens the protective measures. On Linux systems, adversaries could use 'iptables' or other command-line utilities to modify the firewall rule set or stop the firewall service entirely [10]. In the example below, P2Pinfect malware adds rules:
- to allow traffic from each of these IPs to the Redis server
- to deny all other traffic to the Redis server
- to allow all traffic to a randomly chosen port for botnet communications.
|
redis_ips=$(netstat -tnp | grep ':6379' | grep 'ESTABLISHED' | awk '{print $5}' | awk -F ':' '{print $1}' | sort -u); for ip in $redis_ips; do iptables -A INPUT -p tcp --dport 6379 -s \"$ip\" -j ACCEPT; done; iptables -A INPUT -p tcp --dport 6379 -j DROP; iptables -A INPUT -p tcp --dport <port binary listens on> -j ACCEPT |
On a Windows system, an attacker could use the 'netsh' command-line utility to modify the firewall configuration or directly interact with the Windows Firewall through the Control Panel. For example, Glupteba RAT uses the command below that adds a firewall rule allowing incoming connections to its executable [11].
|
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
In some cases, adversaries insert specific rules that allow traffic to and from attacker-controlled domains or IP addresses, while in other situations, they may attempt to disable logging or alert generation, which would normally be used to detect and investigate malicious activity. One of the subtle ways that adversaries modify a firewall is by adding seemingly benign exceptions that can be exploited. These could be rules that allow traffic over certain ports that the attacker knows they can use to communicate with malware or command-and-control servers. From a defender's perspective, these changes might not immediately signal a red flag because the ports could be used for legitimate services as well.
T1562.006 Indicator Blocking
Indicators are traces or signs that can be analyzed to detect and identify malicious activities within a computer network or system. System administrators and security professionals use them to recognize potential threats and respond promptly. Network traffic anomalies, file and memory artifacts, registry modifications, and endpoint anomalies are common indicators used by security operations to monitor an organization's IT infrastructure.
Adversaries obscure or obstruct various indicators that security professionals typically rely on to identify and respond to potential threats. This action allows them to remain undetected for as long as possible to maximize their access to the target network. The Indicator Blocking technique allows adversaries to disrupt security controls without disabling them. In Windows systems, adversaries use the following methods for indicator blocking:
-
Redirecting host-based sensors: Adversaries redirect the Windows Software Trace Preprocessor (WPP) logs to stdout.
|
wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt" |
-
Disabling host-based sensors: Adversaries disable Event Tracing for Windows (ETW).
|
wevtutil.exe /e:false Microsoft-Windows-WMI-Activity/Trace |
Another way to hinder security controls is to blind Event Tracing for Windows (ETW). Adversaries interfere with the normal flow of event traces by selectively disabling or modifying specific ETW providers or events related to their malicious actions. For example, the North Korean APT group Lazarus was reported to use two different methods to blind ETW [12]. The first method involves removing the kernel event provider. During system startup, several kernel ETW providers are initialized by the EtwpInitialize function, and these providers supply the data critical to security tools monitoring the system. Lazarus group uses their rootkit to identify pointers to provider registration handles and set them to NULL, making them uninitialized and inaccessible to any logging mechanisms in the kernel. The other method that the APT group uses is disabling system loggers. Adversaries use the EtwpActiveSystemLoggers mask in the structure ETW_SYSTEM_LOGGER_SETTINGS to disable the kernel's internal event tracing system. By setting the mask to zero, the system indicates that the event tracing session does not have any active providers, and events originating in the kernel stop being produced.
T1562.007 Disable or Modify Cloud Firewall
Cloud firewalls are designed to safeguard digital assets and data hosted in cloud environments. It controls and monitors incoming and outgoing network traffic, acting as a barrier between a trusted internal network and external, potentially untrusted networks, such as the Internet. Cloud firewalls operate based on predefined rules and policies, allowing or blocking specific types of traffic based on criteria such as IP addresses, protocols, and port numbers. These rules help prevent unauthorized access, malicious activities, and potential security threats.
In cloud environments, organizations often implement restrictive security groups and firewall rules to control and secure network traffic. These rules are designed to permit only authorized communication from trusted IP addresses through specified ports and protocols. However, adversaries alter these configurations to potentially open a gateway for unauthorized access and malicious activities within the victim's cloud environment using the Disable or Modify Cloud Firewall technique. This technique can have severe consequences, ranging from data breaches to the compromise of critical infrastructure and services hosted in the cloud.
Adversaries often employ this technique by manipulating the existing firewall rules. For instance, they use scripts or utilities capable of dynamically creating new ingress rules within the established security groups. These rules could be crafted to allow any TCP/IP connectivity, essentially removing the previously imposed restrictions and creating a vulnerability that enables unimpeded access. In the Capital One data breach, adversaries exploited a misconfigured web application firewall (WAF) to gain unauthorized access to sensitive customer data stored in the cloud. By modifying firewall configurations, the adversary successfully bypassed security measures, emphasizing the critical importance of robust firewall management in cloud security.
Moreover, the technique facilitates lateral movement within the cloud environment. By disabling or modifying firewall rules, adversaries can move laterally across systems and servers, potentially escalating their privileges and expanding their foothold within the compromised infrastructure.
Adversaries can leverage the altered firewall configurations to create covert channels for communication between compromised systems and external servers under their control. This enables them to maintain a persistent presence, execute commands, and receive instructions without detection. In a crypto miner attack, adversaries were able to compromise a Google Cloud App Engine Service account and change the cloud firewall configuration to allow any traffic prior to deploying hundreds of VM for crypto mining [13].
|
"request": { "@type": "type.googleapis.com/compute.firewalls.insert", "alloweds": [{ "IPProtocol": "tcp" }, { "IPProtocol": "udp" }], "direction": "EGRESS", "name": "default-allow-out", "network": "https://compute.googleapis.com/compute/vl/projects/XXXXXXX/global/networks/default", "priority": "0"} |
T1562.008 Disable or Modify Cloud Logs
Cloud logs refer to the records or entries generated by various applications, services, and systems within a cloud computing environment. These logs capture important information about events, activities, and performance metrics, offering details on what transpires within the cloud infrastructure. Cloud logs serve as a valuable resource for administrators, developers, and security personnel to gain insights into the behavior and health of their cloud-based systems.
Cloud logs can encompass a wide range of data, including error messages, user actions, system events, and resource utilization metrics. Cloud logs are often stored centrally in a dedicated logging service or platform, making it easier to aggregate and analyze data from multiple sources. Common logging services in cloud environments include AWS CloudWatch Logs, Google Cloud Logging, and Azure Monitor Logs.
Cloud environments typically offer robust logging capabilities to help organizations monitor and analyze activities within their infrastructure. However, these logging mechanisms are also potential targets for adversaries. Adversaries employ the Disable or Modify Cloud Logs technique to manipulate and evade detection within cloud computing environments. This method involves tampering or suppression of log entries to undermine detection and incident response efforts.
In Amazon Web Services (AWS), an adversary could undermine the integrity of the monitoring process by disabling CloudWatch or CloudTrail. These services are vital for capturing API calls, resource changes, and user activity. By disabling these integrations, adversaries ensure their subsequent actions are not recorded. Furthermore, adversaries may alter CloudTrail settings to stop the delivery of logs to a centralized S3 bucket, or they could delete or modify the logs directly if they have managed to gain the necessary access. Altering log integrity can be as subtle as changing the CloudTrail log file validation feature. By disabling this feature, adversaries can manipulate log files without detection. Similarly, turning off the encryption of log files or disabling multi-region logging might allow an adversary to focus their disruptions on a single region while activities in other regions remain unmonitored.
Moreover, disabling or modifying cloud logs extends beyond infrastructure and into cloud-based applications and services. For instance, in Microsoft's Office 365, adversaries can disable or circumvent logging for specific users. By using the Set-MailboxAuditBypassAssociation cmdlet, they can set a mailbox to bypass audit logging, essentially making activities performed by that user invisible to the default logging mechanism.
T1562.009 Safe Mode Boot
Safe Mode Boot is a diagnostic startup mode in operating systems, including Windows, macOS, and some Linux distributions. When a computer is booted in Safe Mode, it only loads essential system files and drivers necessary for basic functionality. It is designed to troubleshoot and resolve issues with the operating system by loading a minimal set of drivers and services, thereby isolating the system from potential problematic elements.
Safe Mode is particularly useful when a system experiences problems such as frequent crashes, freezes, or startup failures. It allows users to access the operating system in a simplified state, making it easier to pinpoint the source of the problem. Once in Safe Mode, users can uninstall recently added software, update or roll back drivers, and perform other troubleshooting steps to resolve issues.
While Safe Mode Boot is designed as a diagnostic tool for troubleshooting and resolving issues within an operating system, adversaries have ingeniously repurposed this feature to evade detection, manipulate system configurations, and facilitate their malicious activities. Adversaries often exploit Safe Mode Boot to navigate around security measures implemented by the operating system. By booting the system in Safe Mode, they ensure that only a minimal set of drivers and essential services are loaded, creating an environment where many security controls are not started. This method is particularly advantageous for adversaries seeking to infiltrate a system without triggering alarms or encountering active defenses.
Adversaries leverage the Safe Mode Boot technique to subvert security software and evade detection by antivirus programs. In Safe Mode, many security applications and services, which are crucial for real-time threat detection, may remain inactive. This creates a window of opportunity for adversaries to execute malicious code or deploy malware without immediate interference from security solutions. By exploiting this reduced security posture, adversaries increase their chances of remaining undetected during the initial stages of their attack.
The Safe Mode Boot technique also serves as an effective means for adversaries to manipulate system configurations and disable security features. In Safe Mode, certain startup items and third-party drivers are deliberately excluded, offering adversaries a controlled environment for altering system settings. This manipulation may involve disabling firewalls, antivirus programs, or other security measures that could impede their progress, allowing adversaries to establish a foothold within the compromised system and lay the groundwork for subsequent malicious activities.
In September 2023, CISA reported that the Snatch ransomware group forced the infected systems to reboot in Safe Mode with networking before encrypting sensitive files [14]. This method allows adversaries to execute the ransomware executable without worrying about antivirus or endpoint protection.
T1562.010 Downgrade Attack
In a downgrade attack, adversaries convince the target system to adopt a weaker security protocol or algorithm than the one they are capable of using. Adversaries typically abuse the system's backward compatibility to force them to use an outdated or vulnerable version.
Using the Downgrade Attack technique, adversaries circumvent updated security controls and force the system into less secure modes of operation. A prime target for such manipulation includes features like Command and Scripting Interpreters, as well as network protocols, which, when downgraded, open avenues for Man-in-the-Middle (MitM) attacks or Network Sniffing.
In the scenario involving Command and Scripting Interpreters, adversaries choose to operate using less-secure versions of interpreters, such as PowerShell. PowerShell versions 5 and above incorporate advanced security features like Script Block Logging (SBL), which records executed script content. However, savvy adversaries may attempt to execute a previous version of PowerShell that lacks support for SBL. This method not only enables them to evade detection but also allows them to impair defenses while executing malicious scripts that would have otherwise been flagged and prevented by the more advanced security controls.
In the context of network protocols, adversaries often downgrade encrypted connections to unsecured counterparts, exposing network data in clear text. For example, they might target the transition from an encrypted HTTPS connection to an unsecured HTTP connection. In doing so, adversaries compromise the confidentiality and integrity of the data in transit. This downgrade facilitates Network Sniffing, enabling the malicious actor to intercept and analyze sensitive information flowing through the network. By manipulating the security posture of network protocols, adversaries exploit the system's compatibility with less secure options to undermine the inherent protections offered by encryption. For instance, the CVE-2023-48795 vulnerability allows adversaries to launch a prefix truncation attack against SSH protocol. This attack is called the Terrapin Attack and leads to a security downgrade for SSHv2 connections during extension negotiation, causing a MitM attack [15].
One notable case involves the exploitation of vulnerabilities in the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). Adversaries leverage weaknesses in these protocols to force a downgrade from more secure versions to older, less secure ones, making it easier to launch attacks such as the well-known POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. In the POODLE attack, adversaries exploit the SSL/TLS downgrade to perform a padding oracle attack, compromising the confidentiality of encrypted data.
Furthermore, the exploitation of less secure versions of network protocols is evident in the manipulation of Wi-Fi protocols. Adversaries downgrade a Wi-Fi connection from the more secure WPA3 (Wi-Fi Protected Access 3) to the less secure WPA2 (Wi-Fi Protected Access 2) or even WEP (Wired Equivalent Privacy). This not only exposes the network to potential unauthorized access but also allows adversaries to exploit known vulnerabilities associated with the downgraded protocol, such as the susceptibility of WEP to key-cracking attacks. For example, the Dragonblood vulnerability found in the WPA3 protocol allows adversaries to run an offline dictionary attack by sending a downgrade-to-WPA2 request during the 4-way-handshake [16].
In September 2023, CISA reported that the Chinese APT group BlackTech used a downgrade attack on Cisco routers. After initial access, the APT group installs an old and vulnerable firmware version to routers for defense evasion and persistence [17].
T1562.011 Spoof Security Alerting
Security alerts are an integral part of security operations, and they are crucial for identifying and responding to potential threats. Knowing their importance, adversaries attempt to exploit this system by generating fake alerts that mimic legitimate security warnings. Adversaries create deceptive or misleading security alerts with the intention of tricking individuals or organizations into taking unnecessary or harmful actions. This technique is called Spoof Security Alerting, and these spoofed security alerts often imitate the appearance and language of authentic notifications to appear convincing. The goal is to deceive recipients into believing that their systems or data are at risk, prompting them to take actions that may compromise their security. Such actions could include clicking on malicious links, providing sensitive information, or downloading harmful files.
Using the Spoof Security Alerting technique, adversaries manipulate security alerts generated by defensive tools to mislead defenders and hinder their awareness of malicious activities. These defensive tools play a crucial role in providing information about potential security events, the operational status of security software, and the overall health of the system. By spoofing these security alerts, adversaries aim to present false evidence, hiding any indicators of compromise and impairing the defenders' ability to detect and respond to genuine security incidents.
The common method that adversaries employ involves creating positive affirmations that security tools are functioning correctly, even after they have successfully disabled legitimate security measures. This deceptive tactic goes beyond mere Indicator Blocking, as adversaries actively create a false sense of security among defenders. By simulating the continued functionality of security tools, the adversary aims to delay the detection of their malicious activities, allowing them to operate undetected for an extended period. For instance, adversaries disable or modify security tools such as antivirus programs or intrusion detection systems. Subsequently, they generate spoofed security alerts that falsely confirm the unaltered and operational status of these tools. This malicious action creates a misleading perception that the system remains adequately protected, even though the defensive mechanisms have been compromised. The delay in defender responses resulting from this false affirmation provides the adversary with a window of opportunity to conduct further malicious activities, such as exfiltrating sensitive data or executing additional attacks.
T1562.012 Disable or Modify Linux Audit System
The Linux Audit System is designed to provide a comprehensive framework for monitoring and logging system events in Linux operating systems. The system is introduced to address the growing need for accountability and transparency in computing environments, and it captures a detailed record of various activities and interactions occurring within the operating system, offering valuable insights for security auditing, forensics, and compliance purposes.
The Linux Audit System functions by generating detailed logs of system calls, file accesses, process creations, network activities, and other critical events. These logs are instrumental in tracking user actions, privilege escalations, and potential security incidents. By meticulously recording these events, the Linux Audit System enables system administrators and security professionals to establish a chronological timeline of activities, facilitating the identification and investigation of suspicious or unauthorized actions within the system.
The Linux Audit System, often referred to as auditd, operates at the kernel level to capture and log security-relevant information about activities in the operating system. The auditd daemon operates within the parameters set in the audit.conf configuration file and writes events to disk accordingly. The log generation rules can be configured using either the auditctl command line utility or the /etc/audit/audit.rules file, containing a sequence of auditctl commands loaded during system boot.
Adversaries disable the audit system service to prevent the logging of their malicious activities. This can be accomplished by terminating processes associated with the auditd daemon using command-line tools or by employing systemctl to halt the audit service. Disabling or modifying the audit system creates a vacuum in the audit trail, allowing adversaries to operate without leaving the customary traces that would alert administrators to their presence.
In the Disable or Modify Linux Audit System technique, adversaries often target the configuration and rule files governing the Linux Audit System. This involves editing files such as /etc/audit/audit.rules or audit.conf to manipulate the audit rules, effectively excluding specific activities from being logged. This way, adversaries can selectively disable the logging of events related to their malicious actions, rendering the Audit System blind to their activities and mitigating the risk of detection.
In another method, adversaries utilize more sophisticated techniques, such as hooking into the Audit System library functions. By doing so, they can manipulate the behavior of the Audit System dynamically, either disabling the logging functionality entirely or altering the rules in real time to evade detection. This level of sophistication allows adversaries to adapt to the evolving security landscape, making it challenging for defenders to predict and preemptively counteract their malicious maneuvers.
In July 2023, the SkidMap malware was observed using the following commands to terminate the auditd demon [18].
|
sed -i 's/RefuseManualStop=yes/RefuseManualStop=no/g' /lib/systemd/system/auditd.service |
References
[1] E. Cert, "Egregor – Prolock: Fraternal Twins ?," Cybersécurité - INTRINSEC, Nov. 12, 2020. Available: https://www.intrinsec.com/egregor-prolock/.
[2] A. Brandt and P. Mackenzie, "Maze attackers adopt Ragnar Locker virtual machine technique," Sophos News, Sep. 17, 2020. Available: https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/.
[3] R. Falcone, M. Harbison, and J. Grunzweig, "Threat Brief: Ongoing Russia and Ukraine Cyber Activity," Unit 42, Jan. 20, 2022. Available: https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/.
[4] M. Smolár, "BlackLotus UEFI bootkit: Myth confirmed." Available: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/.
[5] S. Bitam, "Attack chain leads to XWORM and AGENTTESLA." Available: https://www.elastic.co/security-labs.
[6] A. Klopsch, "'AuKill' EDR killer malware abuses Process Explorer driver," Sophos News, Apr. 19, 2023. Available: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/.
[7] "Website." Available: https://www.group-ib.com/blog/bablock-ransomware/
[8] "#StopRansomware: LockBit 3.0," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a.
[9] "unfinished.bike," unfinished.bike, Oct. 21, 2023. Available: https://unfinished.bike/qubitstrike-and-diamorphine-linux-kernel-rootkits-go-mainstream.
[10] "Cado Security Labs Encounter Novel Malware, Redis P2Pinfect," Cado Security | Cloud Forensics & Incident Response, Jul. 31, 2023. Available: https://www.cadosecurity.com/redis-p2pinfect/.
[11] "Website." Available: https://www.group-ib.com/blog/malware-bundles/
[12] "[No title]." Available: https://www.itspy.cz/wp-content/uploads/2023/10/it_spy_2023_diplomova_prace_38.pdf.
[13] D. Alon, "Compromised Cloud Compute Credentials: Case Studies From the Wild," Unit 42, Dec. 08, 2022. Available: https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/.
[14] H. C. Yuceel, "Snatch Ransomware Explained - CISA Alert AA23-263A," Sep. 21, 2023. Available: https://www.picussecurity.com/resource/blog/snatch-ransomware-explained-cisa-alert-aa23-263a.
[15] C. Jones, "SSH shaken, not stirred by Terrapin vulnerability," The Register, Dec. 20, 2023. Available: https://www.theregister.com/2023/12/20/terrapin_attack_ssh/.
[16] "Dragonblood." Available: https://wpa3.mathyvanhoef.com.
[17] "China APT Cracks Cisco Firmware in Attacks Against the US and Japan," Sep. 27, 2023. Available: https://www.darkreading.com/threat-intelligence/china-apt-cracks-cisco-firmware-attacks-against-us-japan.
[18] R. Zdonczyk, "Honeypot Recon: New Variant of SkidMap Targeting Redis," Jul. 30, 2023. Available: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-new-variant-of-skidmap-targeting-redis/.
