
Alert Pack: Impair Defenses (MITRE Att&ck Technique: T1562)

Purpose

This alert pack gives your SOC teams signature-based detections by combining our various detections that protect against an adversary who has already infiltrated your system and is trying to remove the barriers that would stop further intrusion.

These alerts help your SOC see what the attacker is attempting as they attempt it, and provide the information the SOC needs to stop the activity and remediate any damage before it is too late.

Security Operations application

SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.

SecOpsLinuxPotentialDisableSELinux

SecOpsGCPLoggingSinkDeletion

SecOpsAWSLoggingConfigurationChangeObservedStopLogging

SecOpsAzureFWPolicyDeletion

SecOpsGCPLoggingBucketDeletion

SecOpsAWSNetworkAccessControlListDeleted

SecOpsAzureFrontDoorWafPolicyDeletion

SecOpsGCPGCEFirewallRuleCreation

SecOpsAWSOpenNetworkACLs

SecOpsAzureDevOpsAuditDisabled

SecOpsGCPGCEFirewallRuleDeletion

SecOpsAWSLoggingConfigurationChangeObservedRemoveTags

SecOpsGCPPubSubTopicDeletion

SecOpsO365MailboxAuditBypass

SecOpsWinDisableAntispywareRegistry

SecOpsGCPGCEFirewallRuleModification

SecOpsO365BypassMFAviaIP

SecOpsWinCritServiceStopped

SecOpsGCPPubSubSubscriptionDeletion

SecOpsAWSLoggingConfigurationChangeObservedDeleteTrail


What is Impair Defenses?

Adversaries may maliciously modify components of a victim's environment in order to hinder or disable defensive mechanisms. This involves not only impairing preventative defenses, such as firewalls and anti-virus, but also the detection capabilities that defenders use to audit activity and identify malicious behavior. It may span both native defenses and supplemental capabilities installed by users and administrators.
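As an added illustration of the detection-impairment side of this technique (example code written for this page, not the alert pack's own logic), the following flags CloudTrail management events that weaken trail logging, which is the behaviour the SecOpsAWSLoggingConfigurationChangeObserved* alerts above cover. The event names are CloudTrail API names; the sample records, account id and ARNs are constructed and not real telemetry.

```python
from collections import Counter

# CloudTrail eventName values that weaken or disable trail logging,
# with a base severity for each (severities are this example's choice).
IMPAIRING_EVENTS = {
    "StopLogging": "high",    # trail stops recording entirely
    "DeleteTrail": "high",    # trail removed
    "RemoveTags": "medium",   # ownership/policy tags stripped from a trail
}

# Constructed CloudTrail-shaped records; account id and ARNs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "example-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventTime": "2024-05-01T10:00:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "requestParameters": {"name": "example-trail"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/other-user"}},
]


def detect_logging_impairment(events):
    """Return one finding per impairing CloudTrail event.

    When the same principal triggers more than one such event, every
    finding for that principal is raised to critical: stopping a trail
    and then deleting it is the pattern that hides follow-on activity.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name = ev.get("eventName")
        if name not in IMPAIRING_EVENTS:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
            "event": name,
            "trail": ev.get("requestParameters", {}).get("name"),
            "severity": IMPAIRING_EVENTS[name],
            "technique": "T1562",
        })
    per_actor = Counter(f["actor"] for f in findings)
    for f in findings:
        if per_actor[f["actor"]] > 1:
            f["severity"] = "critical"
    return findings
```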

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.