Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Ослабление защиты
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Ослабление защиты
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Ослабление защиты

ID Name
.001 Отключение или перенастройка средств защиты
.002 Отключение журналирования событий Windows
.003 Повреждение журнала истории команд
.004 Отключение или перенастройка системного межсетевого экрана
.006 Блокировка сбора признаков активности
.007 Отключение или перенастройка облачного межсетевого экрана
.008 Disable or Modify Cloud Logs
.009 Загрузка в безопасном режиме
.010 Атака через понижение версии
.011 Spoof Security Alerting
.012 Disable or Modify Linux Audit System

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)

ID: T1562
Суб-техники:  .001 .002 .003 .004 .006 .007 .008 .009 .010 .011 .012
Тактика(-и): Defense Evasion
Платформы: Containers, IaaS, Identity Provider, Linux, macOS, Network, Office Suite, Windows
Источники данных: Cloud Service: Cloud Service Disable, Cloud Service: Cloud Service Modification, Command: Command Execution, Driver: Driver Load, File: File Deletion, File: File Modification, Firewall: Firewall Disable, Firewall: Firewall Rule Modification, Process: OS API Execution, Process: Process Creation, Process: Process Modification, Process: Process Termination, Script: Script Execution, Sensor Health: Host Status, Service: Service Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Версия: 1.6
Дата создания: 21 Feb 2020
Последнее изменение: 14 Oct 2024

Примеры процедур
Название Описание
Stuxnet

Stuxnet reduces the integrity level of objects to allow write actions.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Magic Hound

Magic Hound has disabled LSA protection on compromised hosts using `"reg" add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f`.(Citation: DFIR Report APT35 ProxyShell March 2022)

Контрмеры
Контрмера Описание
Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.
Execution Prevention

Block execution of code on a system through application control, and/or script blocking.
Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Обнаружение

Monitor processes and command-line arguments to see if security tools or logging services are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log events may be suspicious. Monitor environment variables and APIs that can be leveraged to disable security measures.

Ссылки

  1. The DFIR Report. (2022, November 8). Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware. Retrieved March 6, 2023.
  2. Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.
  3. Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020.
  4. Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020.
  5. Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020.
  6. Chromium. (n.d.). HTTP Strict Transport Security. Retrieved May 24, 2023.
  7. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  8. Mandiant. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved January 22, 2021.
  9. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.