Indicator Blocking
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry. These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
- Understand the behaviour - read the description and the Atomic Tests to see exactly what the attacker does on a host or network.
- Find the telemetry - what data source would reveal it (process creation, registry, network flow, auth logs). Detection Coverage shows which surfaces already have a rule and which are blind.
- Get or write the detection - adapt ready logic (CAR Analytics, SIEM Detections, Falco, or Sigma via Generate a SIEM detection), or author your own.
- Test it - run an Atomic Test in a lab and confirm your rule actually fires. A detection you have not tested is a hope, not coverage.
- Deploy and tune - push it, then watch for false positives and adjust.