T1562

Windows IaaS Linux macOS Containers Network Devices Identity Provider Office Suite ESXi
Impair Defenses

Description

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior.

This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process.

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.

Sub-techniques

T1562.001 — Disable or Modify Tools T1562.002 — Disable Windows Event Logging T1562.003 — Impair Command History Logging T1562.004 — Disable or Modify System Firewall T1562.006 — Indicator Blocking T1562.007 — Disable or Modify Cloud Firewall T1562.008 — Disable or Modify Cloud Logs T1562.009 — Safe Mode Boot T1562.010 — Downgrade Attack T1562.011 — Spoof Security Alerting T1562.012 — Disable or Modify Linux Audit System T1562.013 — Disable or Modify Network Device Firewall