| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0025 | Cloud Service | Cloud Service Disable | Monitor logs for API calls to disable logging. In AWS, monitor for StopLogging and DeleteTrail.[5] In GCP, monitor for google.logging.v2.ConfigServiceV2.UpdateSink.[6] In Azure, monitor for az monitor diagnostic-settings delete.[7] Additionally, a sudden loss of a log source may indicate that it has been disabled. |
| | | Cloud Service Modification | Monitor changes made to cloud services for unexpected modifications to settings and/or data. |
| DS0017 | Command | Command Execution | Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0027 | Driver | Driver Load | Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools, as well as those that may be abused to disable security products. |
| DS0022 | File | File Deletion | Monitor for missing log files from hosts and services with known active periods. |
| | | File Modification | Monitor changes made to configuration files that contain settings for logging and defensive tools. |
| DS0018 | Firewall | Firewall Disable | Monitor for changes in the status of the system firewall, such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). |
| | | Firewall Rule Modification | Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0009 | Process | OS API Execution | Monitor for the abnormal execution of API functions associated with system logging. |
| | | Process Creation | Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| | | Process Modification | Using another process or third-party tools, monitor for modifications or access to system processes associated with logging. |
| | | Process Termination | Monitor for unexpected termination of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0012 | Script | Script Execution | Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
| DS0013 | Sensor Health | Host Status | Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may indicate malicious modification of components of a victim environment in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious. |
| DS0019 | Service | Service Metadata | Monitor contextual data about a service/daemon, which may include information such as name, service executable, and start type, that may indicate malicious modification of components of a victim environment in order to hinder or disable defensive mechanisms. |
| DS0002 | User Account | User Account Modification | Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[8] |
| DS0024 | Windows Registry | Windows Registry Key Deletion | Monitor for unexpected deletion of Windows Registry keys that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. |
| | | Windows Registry Key Modification | Monitor Registry edits for modifications to services and startup programs that correspond to security tools. |
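The Cloud Service Disable row above names the AWS, GCP and Azure API calls that turn logging off and notes that a sudden loss of a log source is itself a signal. The following detector, an added example that is not part of the original table, runs both checks over constructed sample records in each provider's native audit-log shape; the Azure Activity Log operation name is an assumption about what az monitor diagnostic-settings delete produces, and all account names and ARNs are made up.

```python
from datetime import datetime, timedelta

# API calls the table lists as disabling or rerouting cloud logging.
# The Azure operation name is assumed (lower-cased for case-insensitive matching).
LOGGING_DISABLE_OPS = {
    "aws": {"StopLogging", "DeleteTrail"},
    "gcp": {"google.logging.v2.ConfigServiceV2.UpdateSink"},
    "azure": {"microsoft.insights/diagnosticsettings/delete"},
}

# Constructed sample records (not real data): CloudTrail, GCP Cloud Audit Log
# and Azure Activity Log shapes, plus one benign AWS call that must not match.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": "svc@example.iam.gserviceaccount.com"}}},
    {"operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "caller": "carol@example.com"},
]

def detect_logging_disable(events):
    """Return (provider, actor, operation) for every event matching a listed API call."""
    hits = []
    for ev in events:
        if "eventName" in ev:                       # AWS CloudTrail record
            if ev["eventName"] in LOGGING_DISABLE_OPS["aws"]:
                hits.append(("aws", ev["userIdentity"]["arn"], ev["eventName"]))
        elif "protoPayload" in ev:                  # GCP Cloud Audit Log entry
            p = ev["protoPayload"]
            if p.get("methodName") in LOGGING_DISABLE_OPS["gcp"]:
                hits.append(("gcp", p["authenticationInfo"]["principalEmail"], p["methodName"]))
        elif "operationName" in ev:                 # Azure Activity Log entry
            if ev["operationName"].lower() in LOGGING_DISABLE_OPS["azure"]:
                hits.append(("azure", ev["caller"], ev["operationName"]))
    return hits

def silent_sources(last_seen, now, max_gap=timedelta(minutes=15)):
    """Log sources with no event inside max_gap: the 'sudden loss of a log source' signal."""
    return sorted(src for src, ts in last_seen.items() if now - ts > max_gap)

if __name__ == "__main__":
    print(detect_logging_disable(SAMPLE_EVENTS))
    now = datetime(2024, 1, 1, 12, 0)
    print(silent_sources({"cloudtrail": now - timedelta(hours=1), "vpcflow": now}, now))
```

In production the event list would be replaced by a stream from each provider's audit log and last_seen by per-source timestamps kept by the SIEM.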