Common Information
| Type | Value |
|---|---|
| Value |
Indicator Blocking - T1562.006 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). For example, adversaries may modify the `File` value in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security</code> to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck). |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-08-28 | 49 | Operation Oxidový: Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys - Blogs on Information Technology, Network & Cybersecurity | Seqrite | ||
| Details | Website | 2023-10-10 | 21 | Malware Trends Report: Q3, 2023 - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2023-08-09 | 56 | AgentTesla Malware Targets Users with Malicious Control Panel File | ||
| Details | Website | 2023-07-13 | 43 | Threat Actor Profile: BianLian, The Shape-Shifting Ransomware Group | ||
| Details | Website | 2023-04-20 | 481 | ATT&CK Changes | ||
| Details | Website | 2023-01-19 | 19 | Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) | Mandiant | ||
| Details | Website | 2022-08-18 | 181 | APT41 World Tour 2021 on a tight schedule |