EXPLORE
Sign In
← Back to Explore
T1562.006

Indicator Blocking

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in conf...

WindowsmacOSLinuxESXi
16
Detections
3
Sources
2
Threat Actors

BY SOURCE

7elastic7sigma2splunk_escu

PROCEDURES (10)

Cloud Monitoring3 detections

Auto-extracted: 3 detections for cloud monitoring

Persist2 detections

Auto-extracted: 2 detections for persist

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Powershell2 detections

Auto-extracted: 2 detections for powershell

Service1 detections

Auto-extracted: 1 detections for service

Powershell1 detections

Auto-extracted: 1 detections for powershell

Service1 detections

Auto-extracted: 1 detections for service

Amsi1 detections

Auto-extracted: 1 detections for amsi

Amsi1 detections

Auto-extracted: 1 detections for amsi

THREAT ACTORS (2)

APT41APT5

DETECTIONS (16)

AMSI Disabled via Registry Modification
sigmahigh
Auditing Configuration Changes on Linux Host
sigmahigh
AWS CloudWatch Alarm Deletion
elasticmedium
Disable of ETW Trace - Powershell
sigmahigh
Disable Windows Event and Security Logs Using Built-in Tools
elasticlow
ETW Registry Disabled
splunk_escu
ETW Trace Evasion Activity
sigmahigh
Kill Command Execution
elasticlow
Logging Configuration Changes on Linux Host
sigmahigh
Okta User Session Start Via An Anonymising Proxy Service
sigmahigh
Sensitive Audit Policy Sub-Category Disabled
elasticmedium
Suspicious Kernel Feature Activity
elasticmedium
Windows AMSI Related Registry Tampering Via CommandLine
sigmahigh
Windows Defender Disabled via Registry Modification
elasticlow
Windows Defender Exclusions Added via PowerShell
elasticmedium
Windows Registry Dotnet ETW Disabled Via ENV Variable
splunk_escu