CAPEC-571: Block Logging to Central Repository

Description

<p>An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.<p>

Extended Description

In the case of network based reporting of indicators, an adversary may block traffic associated with reporting to prevent central station analysis. This may be accomplished by many means such as stopping a local process to creating a host-based firewall rule to block traffic to a specific server.

In the case of local based reporting of indicators, an adversary may block delivery of locally-generated log files themselves to the central repository.

Severity :

Low

Possibility :

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-161: Infrastructure Manipulation Infrastructure Manipulation

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Impair Defenses: Disable Windows Event Logging ATTACK | Impair Defenses: Impair Command History Logging ATTACK | Impair Defenses: Indicator Blocking ATTACK | Impair Defenses: Disable Cloud Logs

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

Visit http://capec.mitre.org/ for more details.