Dark Mode

Settings

Capec-571 Detail

Block Logging to Central Repository

Standard Communications Software Typical Severity: Low

Parents: 161

Threats: T68 T274 T297 T393

Description

An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.

Extended Description

In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server. In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.
External ID Source Link Description
CAPEC-571 capec https://capec.mitre.org/data/definitions/571.html
T1562.002 ATTACK https://attack.mitre.org/wiki/Technique/T1562/002 Impair Defenses: Disable Windows Event Logging
T1562.002 ATTACK https://attack.mitre.org/wiki/Technique/T1562/002 Impair Defenses: Impair Command History Logging
T1562.006 ATTACK https://attack.mitre.org/wiki/Technique/T1562/006 Impair Defenses: Indicator Blocking
T1562.008 ATTACK https://attack.mitre.org/wiki/Technique/T1562/008 Impair Defenses: Disable Cloud Logs

Not present

Not present

Not present

Not present

Not present

Not present

We use cookies to ensure you get the best experience on our website.