Defense Evasion Flashcards

1
Q

Defense Evasion

A

This lesson is going to cover the fifth stage in the MITRE ATT&CK framework, Defense Evasion. These techniques are used to describe ways that adversaries will work to evade or disable security defenses such as antivirus, endpoint detection and response, logging, and human analysts to ensure they can remain in the network for as long as possible. At the time of writing this stage currently includes a crazy 38 top-level techniques! We will be looking at the following:

Impair Defenses, T1562 (6 sub-techniques)
Indicator Removal on Host, T1070 (6 sub-techniques)

2
Q

Impair Defenses

A

MITRE Technique T1562

The Impair Defenses technique is all about disrupting the normal operation of security tools, from firewalls and antivirus through to logging and aggregation tools, in order to prevent or disrupt the flow of events (typically into a SIEM platform) and make it harder for both the SIEM correlation engine and human analysts to detect the malicious activity. Let’s take a look at the sub-techniques:

Disable or Modify Tools – “Adversaries may disable security tools to avoid detection. This can take the form of killing security software or event logging processes or other methods to interfere with security tools scanning or reporting information.”
Disable Windows Event Logging – “Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. This data is used by security tools and analysts to generate detections. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.”
HISTCONTROL – “Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out.”
Disable or Modify System Firewall – “Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules.”
Indicator Blocking – “An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.”
Disable or Modify Cloud Firewall – “Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.”

3
Q

Impair Defenses 2

A

We also have some pretty standard detection suggestions. Depending on the tools that an organization is using, they will need to adapt their detections based on the registry keys or core files created. As mentioned in the screenshot below, logging should be enabled for processes (using Sysmon) and command-line (CMD and PowerShell) to detect any processes being killed.

4
Q

Indicator Removal

A

MITRE Technique T1070

When adversaries take actions on a system, they’re going to be leaving behind a number of artefacts that defenders can discover and use to create a timeline of actions that were conducted. From file times being modified when they’re opened to system logs and open ports, if adversaries want to survive in the network for extended periods of time they will need to remove these artefacts before they’re discovered. Some examples include:

Deleting bash history
Deleting files (such as malicious files downloaded to the system by the adversary)
Deleting raw log files (provided the adversary has SYSTEM or SUDO privileges)
Timestomping (changing file timestamps so it’s not immediately clear files were accessed)
And more
Before we jump into some real-world examples, let’s take a look at the sub-techniques:

There are a number of different ways that a threat actor could cover their tracks by removing logs or artifacts they have generated while interacting with a system. The above includes examples of ways to remove traces of a user’s presence on Windows, Linux, and Mac OS systems.

The below screenshot shows part of the Procedure Examples table, and we have some really interesting cases here! For the malware named ‘Goopy’ we can see that it will use emails for command-and-control, and then delete them so they’re not present on the infected system. PoetRAT at the bottom is clever, and can detect when it is run in a sandbox and will delete itself to prevent researchers or security from conducting analysis.

5
Q

Indicator Removal 2

A

For mitigations, MITRE keeps it simple. Hide your logs, ensure no one can tamper with them, and minimize the time between a log being generated and its being forwarded to an aggregation point so it can be ingested by the SIEM. Once it’s stored there, the chance of it being modified or deleted by an adversary is extremely low.
