Impair Defenses

Impair Defenses covers an adversary's use of technical means to disrupt or weaken the security mechanisms of a target environment: disabling preventive controls (anti-virus, firewalls), degrading detection capability (logging, auditing), and interfering with defensive operations (for example, blocking system updates). Traditional detection relies on monitoring changes in the state of security services, checking log integrity, and spotting anomalous changes to defensive rules, for example by tracking unexpected termination of security processes or watching for modification of key registry values.

To evade such detection, adversaries have developed covert, multi-layered ways of impairing defenses: dynamically unloading functionality, tampering with policy before it takes effect, poisoning rule logic, and hijacking trust chains. The defensive system keeps running and looks healthy while its core protective capability has been precisely destroyed, a state of "present in form, dead in substance".

The core logic of current concealment techniques for impairing defenses is to subvert defensive mechanisms from the inside and to abuse the trust relationships they depend on. Rather than overt moves such as forcibly killing processes or deleting files, the adversary works within the mechanics of the defensive system: dynamic unloading of security services uses in-memory hot patching to strip out detection functionality while leaving the service shell running, so status monitoring sees nothing wrong; log policy tampering poisons collection at the source, so the attack "never happened" as far as the log system is concerned; rule poisoning borrows the idea of adversarial examples against machine learning models, crafting inputs and rules that steer detection logic the wrong way; trusted process injection lives entirely inside the system's trust chain, so malicious operations appear as the behavior of legitimate processes. What these techniques share is that they leave the traditional attacker-versus-defender interface alone and instead attack the defensive system's internal control flow and data flow, reaching illegitimate ends through legitimate mechanisms. Detection that keys on known behavioral signatures or on changes of service state therefore loses much of its effectiveness.

ID: T1562
Sub-techniques:  T1562.001, T1562.002, T1562.003, T1562.004
Tactic: 防御规避
Platforms: Containers, IaaS, Identity Provider, Linux, Network, Office Suite, Windows, macOS
Defense Bypassed: Anti-virus, Digital Certificate Validation, File monitoring, Firewall, Host forensic analysis, Host intrusion prevention systems, Log analysis, Signature-based detection
Contributors: Jamie Williams (U ω U), PANW Unit 42; Liran Ravich, CardinalOps
Version: 1.6
Created: 21 February 2020
Last Modified: 14 October 2024

Concealment Effects

Effect type    Present
Signature camouflage
Behavioral transparency
Data obscuring
Spatiotemporal trace dispersal

Signature camouflage

Adversaries abuse legitimate system management interfaces (Windows Group Policy, Linux systemctl) to weaken defenses, so that the malicious configuration change looks like routine administration. For example, running a legitimate service-configuration command from PowerShell to disable anti-virus produces an audit record that matches an administrator's everyday maintenance, which makes it hard to pick out through command-line auditing alone.

Behavioral transparency

Some sub-techniques (trusted process injection, for instance) rely on zero-day vulnerabilities or undocumented API call chains to weaken defenses, which detection based on known behavior patterns cannot recognize. By reverse engineering the internals of security software, the adversary finds and exploits memory-handling flaws in its privileged processes and can break defensive functionality with little or no observable behavior.

Data obscuring

In sub-techniques such as log policy tampering, the adversary encrypts the tampered configuration (for example, DPAPI-encrypting a registry value), erases the traces of the operation (for example, overwriting Windows event log metadata), or breaks the log forwarding path, systematically obscuring the digital evidence of the defense-impairing action so that post-incident forensics struggles to reconstruct the attack chain.

Procedure Examples

ID Name Description
G0059 Magic Hound

Magic Hound has disabled LSA protection on compromised hosts using reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f.[1]

S0603 Stuxnet

Stuxnet reduces the integrity level of objects to allow write actions.[2]
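The Signature camouflage passage above and the Magic Hound procedure come down to the same thing for the defender: the command line of a legitimate tool is the artifact, and a rule that matches the one exact string quoted in a report misses the same action spelled differently. The following Python is an added example, not part of the ATT&CK page or of any vendor product. It normalizes command lines (path-qualified executables, quoted keys, reordered reg options, 0 versus 0x0, abbreviated PowerShell parameters) before matching three defense-impairing actions: RunAsPPL set to 0, Defender real-time monitoring turned off through Set-MpPreference, and a security service set to disabled through sc config. The rule names, the SECURITY_SERVICES set and the sample command lines are my constructions in the shape of Sysmon EID 1 / Security 4688 CommandLine fields. A practical caveat for the first rule: RunAsPPL=0 only takes effect at the next boot, so the registry write is observable before LSA protection is actually lost.

```python
"""Flag defense-impairing actions carried out through legitimate Windows admin tools,
by normalizing the command line rather than matching one exact string."""
import re
import shlex
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule: str
    command_line: str


# Service names whose disabling impairs defenses (Defender, MDE sensor, Defender network
# inspection, Windows Firewall, Event Log, Sysmon). Extend for the EDR actually deployed.
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc", "mpssvc", "eventlog", "sysmon", "sysmon64"}


def tokenize(command_line: str) -> List[str]:
    """Split like the Windows shell would: keep backslashes literal, drop surrounding quotes."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:                       # unbalanced quote: fall back to whitespace split
        tokens = command_line.split()
    return [t.strip('"').lower() for t in tokens]


def _image(token: str) -> str:
    """Basename of the executable token, with or without a directory or .exe suffix."""
    name = token.rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def lsa_ppl_disabled(tokens: List[str]) -> bool:
    """reg add <...\\Control\\Lsa> /v RunAsPPL /d 0, in any option order, quoted key or not."""
    if len(tokens) < 3 or _image(tokens[0]) != "reg" or tokens[1] != "add":
        return False
    if not tokens[2].endswith("\\control\\lsa"):
        return False
    opts = {}
    i = 3
    while i + 1 < len(tokens):
        if tokens[i] in ("/v", "/t", "/d"):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("/v") != "runasppl":
        return False
    try:
        return int(opts.get("/d", ""), 0) == 0   # base 0 accepts both "0" and "0x0"
    except ValueError:
        return False


# PowerShell resolves any unambiguous parameter prefix, so "-DisableRea" already reaches
# -DisableRealtimeMonitoring; matching the full parameter name would miss the short form.
_DEFENDER_RT_OFF = re.compile(r"set-mppreference\b.*?-disablerea\w*[\s:]+(\$true|1|0x1)\b")


def defender_realtime_disabled(command_line: str) -> bool:
    return _DEFENDER_RT_OFF.search(command_line.lower()) is not None


def security_service_disabled(tokens: List[str]) -> bool:
    """sc config <service> start= disabled (sc needs the space after '=', but accept both)."""
    if len(tokens) < 4 or _image(tokens[0]) != "sc" or tokens[1] != "config":
        return False
    if tokens[2] not in SECURITY_SERVICES:
        return False
    rest = " ".join(tokens[3:]).replace("start= ", "start=")
    return "start=disabled" in rest.split()


def scan(command_lines) -> List[Finding]:
    findings = []
    for cmd in command_lines:
        tokens = tokenize(cmd)
        if lsa_ppl_disabled(tokens):
            findings.append(Finding("lsa_ppl_disabled", cmd))
        if defender_realtime_disabled(cmd):
            findings.append(Finding("defender_realtime_disabled", cmd))
        if security_service_disabled(tokens):
            findings.append(Finding("security_service_disabled", cmd))
    return findings


# Constructed command lines (not from any real incident) in the shape of Sysmon EID 1 / 4688 fields.
SAMPLE_COMMAND_LINES = [
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f",
    r'C:\Windows\System32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Lsa" /t REG_DWORD /v runasppl /d 0x0 /f',
    r"reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 1 /f",  # enabling PPL: benign
    r"reg add HKLM\SOFTWARE\Contoso\App /v RunAsPPL /t REG_DWORD /d 0 /f",                   # same value name, unrelated key
    r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'powershell.exe -c "Set-MpPreference -DisableRea 1"',                                   # abbreviated parameter
    r"sc.exe config WinDefend start= disabled",
    r"sc config Spooler start= disabled",                                                     # not a security service
    r"net user svc_backup P@ss /add",                                                         # ordinary admin noise
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(f"{finding.rule:28} {finding.command_line}")
```

Five of the nine constructed lines fire (the two RunAsPPL writes with value 0, both Set-MpPreference forms, and the WinDefend disable); the PPL-enabling write, the unrelated key, the Spooler change and the net user command stay quiet. Note that the Set-MpPreference rule catches the attempt, not the outcome: with Tamper Protection enabled the change is rejected, so pair this rule with the Sensor Health telemetry below to tell a blocked attempt from a successful one.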

Mitigations

ID Mitigation Description
M1047 Audit

Routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.

M1038 Execution Prevention

Use application control where appropriate, especially regarding the execution of tools outside of the organization's security policies (such as rootkit removal tools) that have been abused to impair system defenses. Ensure that only approved security applications are used and running on enterprise systems.

M1022 Restrict File and Directory Permissions

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1024 Restrict Registry Permissions

Ensure proper Registry permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

M1054 Software Configuration

Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[3]

M1018 User Account Management

Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

Detection

ID Data Source Data Component Detects
DS0025 Cloud Service Cloud Service Disable

Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[4] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[5] In Azure, monitor for az monitor diagnostic-settings delete.[6] Additionally, a sudden loss of a log source may indicate that it has been disabled.

Cloud Service Modification

Monitor changes made to cloud services for unexpected modifications to settings and/or data.

DS0017 Command Command Execution

Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0027 Driver Driver Load

Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products.

DS0022 File File Deletion

Monitor for missing log files from hosts and services with known active periods.

File Modification

Monitor changes made to configuration files that contain settings for logging and defensive tools.

DS0018 Firewall Firewall Disable

Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped).

Firewall Rule Modification

Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0009 Process OS API Execution

Monitor for the abnormal execution of API functions associated with system logging.

Process Creation

Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

Process Modification

Using another process or third-party tools, monitor for modifications or access to system processes associated with logging.

Process Termination

Monitor for unexpected termination of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may indicate an attempt to maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0012 Script Script Execution

Monitor for attempts to enable scripts on a system; on systems where scripts are not commonly used, enabling them is itself suspicious. Scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0013 Sensor Health Host Status

Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) for signs that an adversary has modified components of the victim environment in order to hinder or disable defensive mechanisms. A lack of log events may be suspicious.

DS0019 Service Service Metadata

Monitor contextual data about a service/daemon, such as its name, service executable, and start type, for changes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

DS0002 User Account User Account Modification

Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[7]

DS0024 Windows Registry Windows Registry Key Deletion

Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.

Windows Registry Key Modification

Monitor Registry edits for modifications to services and startup programs that correspond to security tools.
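Two of the detections in the table above are easy to state and easy to get wrong in practice: the Cloud Service Disable entry (specific API calls that switch logging off, plus the sudden loss of a log source) and the Sensor Health: Host Status entry (a lack of log events). The Python below is an added example, not taken from ATT&CK or from any cloud provider's documentation. It classifies audit records using the field layouts of CloudTrail (eventSource/eventName), GCP Cloud Audit Logs (protoPayload.methodName) and the Azure Activity Log (operationName), and it flags log sources whose silence exceeds a multiple of their own median inter-arrival gap rather than a single fixed timeout, so a chatty web host and a quiet batch host get different thresholds. The AWS and GCP call names are the ones the table lists; the Azure operation name Microsoft.Insights/diagnosticSettings/delete is my assumption about what `az monitor diagnostic-settings delete` leaves in the Activity Log, since the page names only the CLI command. The sample records, host names and timestamps are constructed.

```python
"""T1562 detection logic: cloud API calls that disable logging, and log sources that go quiet."""
import statistics
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# API calls that turn logging off. AWS and GCP names are the ones ATT&CK lists; the Azure
# operation name is an assumption about what `az monitor diagnostic-settings delete` records.
LOGGING_DISABLE_CALLS = {
    "aws": {"StopLogging", "DeleteTrail"},
    "gcp": {"google.logging.v2.ConfigServiceV2.UpdateSink"},
    "azure": {"microsoft.insights/diagnosticsettings/delete"},
}


def classify(record: dict) -> Optional[Tuple[str, str]]:
    """Return (provider, api_call) if the record is a logging-disable call, else None."""
    if "eventSource" in record and "eventName" in record:            # CloudTrail
        # The eventName check alone is not enough: only calls to the CloudTrail service count.
        if (record["eventSource"] == "cloudtrail.amazonaws.com"
                and record["eventName"] in LOGGING_DISABLE_CALLS["aws"]):
            return "aws", record["eventName"]
    elif "protoPayload" in record:                                     # GCP Cloud Audit Log
        method = record["protoPayload"].get("methodName", "")
        if method in LOGGING_DISABLE_CALLS["gcp"]:
            return "gcp", method
    elif "operationName" in record:                                    # Azure Activity Log
        op = record["operationName"]
        op = op.get("value", "") if isinstance(op, dict) else op       # REST form nests it under "value"
        if op.lower() in LOGGING_DISABLE_CALLS["azure"]:
            return "azure", op
    return None


def find_logging_disables(records: List[dict]) -> List[Tuple[str, str]]:
    return [hit for hit in map(classify, records) if hit is not None]


def silent_sources(events: List[Tuple[str, datetime]], now: datetime,
                   factor: float = 5.0, floor: timedelta = timedelta(minutes=10)) -> Dict[str, timedelta]:
    """Sources whose last event is older than `factor` times their own median inter-arrival gap
    (never less than `floor`). A source with a single event is judged against `floor` alone."""
    by_source: Dict[str, List[datetime]] = {}
    for source, ts in events:
        by_source.setdefault(source, []).append(ts)
    quiet: Dict[str, timedelta] = {}
    for source, stamps in by_source.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = statistics.median(gaps) if gaps else 0.0
        threshold = max(factor * typical, floor.total_seconds())
        silence = now - stamps[-1]
        if silence.total_seconds() > threshold:
            quiet[source] = silence
    return quiet


# Constructed audit records (field layouts only; identifiers are made up).
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails"},   # read-only, benign
    {"eventSource": "ec2.amazonaws.com", "eventName": "StopLogging"},              # wrong service: negative case
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink"}},
    {"protoPayload": {"methodName": "google.logging.v2.LoggingServiceV2.WriteLogEntries"}},
    {"operationName": {"value": "Microsoft.Insights/diagnosticSettings/delete"}},
]

# Constructed heartbeat data: one host keeps logging every minute, the other stops at 12:10.
BASE = datetime(2024, 10, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [("web-01/auditd", BASE + timedelta(minutes=m)) for m in range(60)]
    + [("db-01/auditd", BASE + timedelta(minutes=m)) for m in range(11)]
)
NOW = BASE + timedelta(hours=1)

if __name__ == "__main__":
    for provider, call in find_logging_disables(SAMPLE_RECORDS):
        print(f"logging disabled via {provider}: {call}")
    for source, silence in silent_sources(SAMPLE_EVENTS, NOW).items():
        print(f"log source silent for {silence}: {source}")
```

On the constructed input the classifier returns exactly one hit per provider and ignores the read-only call and the StopLogging event attributed to the wrong service; the silence check reports db-01/auditd (quiet for 50 minutes against a 10-minute threshold) and not web-01/auditd. The per-source threshold is the point of the second function: a fixed timeout tuned for the noisiest source will never fire for a host that legitimately logs once an hour, and one tuned for that host will miss a busy one that has been dark for a long time.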

References