Indicator Blocking
May 1, 2024 ยท View on GitHub
| ID | F0006 |
| Objective(s) | Defense Evasion |
| Related ATT&CK Techniques | Impair Defenses: Indicator Blocking (T1562.006) |
| Version | 2.2 |
| Created | 1 August 2019 |
| Last Modified | 28 April 2024 |
Indicator Blocking
Malware blocks indicators or events that would indicate malicious activity. This is achieved by blocking indicators or alerts that would typically notify users or security tools of a potential infection. This can be done in several ways, such as disabling security software, interfering with event logging, or altering system settings to suppress notifications. By blocking these indicators, the malware can continue its malicious activities without being detected. Methods relevant to the malware domain are below.
See ATT&CK: Impair Defenses: Indicator Blocking (T1562.006).
Methods
| Name | ID | Description |
|---|---|---|
| Remove SMS Warning Messages | F0006.001 | Malware captures the message body of incoming SMS messages and aborts displaying messages that meets a certain criteria. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | -- | The malware clears windows event logs and removes the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevent strings in the user32.dll.mui of the system. [1] |
| Conficker | 2008 | -- | The malware terminates various services related to system security and Windows and prevents network access to various websites related to antivirus software. [2] |
| DarkComet | 2008 | -- | The malware can disable security center functions like anti-virus and firewall. [3] |
| TrickBot | 2016 | -- | TrickBot terminates the following anti-malware services: Window Defender, MBamService (Malwarebytes), SAVService (Sophos AV). [4] |
Detection
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| tampers_powershell_logging | Indicator Blocking (F0006) | -- |
| stealth_hidden_extension | Indicator Blocking (F0006) | -- |
| stealth_hiddenreg | Indicator Blocking (F0006) | -- |
| stealth_hide_notifications | Indicator Blocking (F0006) | -- |
| creates_nullvalue | Indicator Blocking (F0006) | NtCreateKey, NtSetValueKey |
| tampers_etw | Indicator Blocking (F0006) | -- |
| disables_wer | Indicator Blocking (F0006) | -- |
References
[1] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[2] https://en.wikipedia.org/wiki/Conficker
[3] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[4] https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html