MITRE ATT&CK T1562.006 Impair Defenses: Indicator Blocking
Indicator Blocking is a defense evasion technique that adversaries use to prevent security tools from detecting or reporting malicious activity by interfering with indicators of compromise (IOCs). Security solutions such as endpoint detection and response (EDR), antivirus software, and intrusion detection systems (IDS) rely on IOCs such as file hashes, network connections, domain names, and registry changes to identify and flag potential threats. By blocking these indicators from being generated, logged, or transmitted, attackers can evade detection and maintain persistence within a compromised environment.
In this blog post, we explain the T1562.006 Indicator Blocking technique of the MITRE ATT&CK® framework and explore how adversaries employ Indicator Blocking with real-world attack examples in detail.
What are Indicators of Compromise?
Indicators of Compromise (IOCs) are traces or signs that can be analyzed to detect and identify malicious activities within a computer network or system. System administrators and security professionals use them to recognize potential threats and respond promptly. Network traffic anomalies, file and memory artifacts, registry modifications, and endpoint anomalies are common indicators used by security operations to monitor an organization's IT infrastructure.
Adversary Use of Indicator Blocking
Adversaries obscure or obstruct various indicators that security professionals typically rely on to identify and respond to potential threats. This action allows them to remain undetected for as long as possible to maximize their access to the target network. The Indicator Blocking technique allows adversaries to disrupt security controls without disabling them. In Windows systems, adversaries use the following methods for indicator blocking:
- Redirecting host-based sensors: Adversaries redirect the Windows Software Trace Preprocessor (WPP) logs to stdout.
  wevtutil.exe enum-logs > "C:\ProgramData\EventLog.txt"
- Disabling host-based sensors: Adversaries disable Event Tracing for Windows (ETW).
  wevtutil.exe /e:false Microsoft-Windows-WMI-Activity/Trace
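Both wevtutil patterns above leave a trace in process-creation telemetry (Sysmon Event ID 1 or Security 4688 command lines), which is where a defender catches them. The following detector is an added example written for this post, not code from the original article or from MITRE; the event records it scans are constructed, the field names (ts, user, cmd) are an assumed minimal export format, and the extra Sysmon log name is a made-up second sample. It flags a wevtutil invocation that carries /e:false (naming the log being switched off) and an enum-logs/el call whose output is redirected to a file, regardless of letter case, quoting or a full path to the binary.

```python
"""Detect wevtutil-based indicator blocking (T1562.006) in process-creation telemetry.

Added example; the records below are constructed, not real telemetry.
"""
import re

# Constructed sample records in the shape of a minimal process-creation export
# (e.g. Sysmon Event ID 1 or Security 4688): timestamp, account, command line.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:02:11Z", "user": "CORP\\alice",
     "cmd": 'wevtutil.exe enum-logs > "C:\\ProgramData\\EventLog.txt"'},
    {"ts": "2025-03-01T10:02:40Z", "user": "CORP\\alice",
     "cmd": "wevtutil.exe /e:false Microsoft-Windows-WMI-Activity/Trace"},
    {"ts": "2025-03-01T10:03:02Z", "user": "CORP\\bob",
     "cmd": "wevtutil.exe qe Security /c:5 /f:text"},            # benign query, must not fire
    {"ts": "2025-03-01T10:05:17Z", "user": "CORP\\carol",
     "cmd": 'C:\\Windows\\System32\\WEVTUTIL.EXE SL "Microsoft-Windows-Sysmon/Operational" /E:FALSE'},
    {"ts": "2025-03-01T10:06:00Z", "user": "CORP\\bob",
     "cmd": "notepad.exe C:\\Users\\bob\\notes.txt"},             # unrelated, must not fire
]

# wevtutil invoked by bare name or full path, in any letter case
WEVTUTIL_RE = re.compile(r'(?:^|[\\/\s"])wevtutil(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)
# the /e:false switch that turns a log off
DISABLE_RE = re.compile(r'/e:\s*false', re.IGNORECASE)
# enum-logs (or its short form el) as a stand-alone token, plus a shell redirection target
ENUM_RE = re.compile(r'(?<!\S)(?:enum-logs|el)(?!\S)', re.IGNORECASE)
REDIRECT_RE = re.compile(r'>\s*("[^"]+"|\S+)')
SET_LOG_VERBS = {"sl", "set-log"}


def _tokens(cmd):
    return [t.strip('"') for t in cmd.split()]


def classify(cmd):
    """Return (kind, detail) for a suspicious wevtutil command line, else None."""
    if not WEVTUTIL_RE.search(cmd):
        return None
    if DISABLE_RE.search(cmd):
        # the log name is the first token that is neither the binary, a switch nor the verb
        names = [t for t in _tokens(cmd)
                 if not t.startswith("/") and not WEVTUTIL_RE.search(t)
                 and t.lower() not in SET_LOG_VERBS]
        return ("disable_log", names[0] if names else "<unknown log>")
    redirect = REDIRECT_RE.search(cmd)
    if ENUM_RE.search(cmd) and redirect:
        return ("redirect_enum_logs", redirect.group(1).strip('"'))
    return None


def scan(events):
    """Run classify() over every record and return the findings in input order."""
    findings = []
    for ev in events:
        hit = classify(ev["cmd"])
        if hit:
            kind, detail = hit
            findings.append({"ts": ev["ts"], "user": ev["user"], "technique": "T1562.006",
                             "kind": kind, "detail": detail, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['user']:12} {f['kind']:18} {f['detail']}")
```

Run against the constructed records the scan returns three findings (the redirected enum-logs and two disabled logs) and stays silent on the benign query. In production the useful follow-up is to raise the severity when the disabled log is one your own detections depend on, such as the Sysmon or WMI-Activity channels.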
Another way to hinder security controls is to hook system functions so that users cannot view malicious artifacts, processes, and socket activity. In May 2024, the Ebury rootkit was reported to use this technique in Operation Windigo for defense evasion and persistence [1]. The adversaries used modified symbolic links and hooked readdir, realpath, readlink, and their variant functions so that their malicious libkeyutils.so appears to point to the legitimate file. They also hooked stat, open, and their variants to hide the malicious file, so that users can only see the legitimate libkeyutils.so file.
// Before Ebury rootkit takes effect
ls -la /lib/x86_64-linux-gnu/ | grep -F libkeyutils
libkeyutils.so.1 -> libkeyutils.so.1.10.2
libkeyutils.so.1.10
libkeyutils.so.1.10.2

// After Ebury rootkit takes effect
ls -la /lib/x86_64-linux-gnu/ | grep -F libkeyutils
libkeyutils.so.1 -> libkeyutils.so.1.10
libkeyutils.so.1.10
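Because the hooks sit in userland, each hooked view of the file system disagrees with something the hooks do not cover: a listing recorded before infection, or the kernel's own record of which file a process has mapped. The script below is an added example for this post, not the ESET researchers' tooling. It parses two ls -la listings built from the file names above (sizes, dates and inode numbers are made up), reports the re-pointed symlink and the file that vanished, and then cross-checks the current listing against a constructed /proc/<pid>/maps excerpt for sshd, which is assumed here to still name the real libkeyutils.so.1.10.2 the loader mapped. Any file that a process has mapped but the directory listing no longer shows is the signal worth escalating.

```python
"""Cross-check a library directory listing against a baseline and against the
libraries a live process has mapped, to surface the hidden file and re-pointed
symlink that userland hooks such as Ebury's produce.

Added example, not the ESET write-up's code. The listings and maps lines below
are constructed from the file names in the write-up; sizes, dates, addresses
and inode numbers are made up.
"""
import os
import re
from collections import namedtuple

Entry = namedtuple("Entry", "name is_link target")

# Constructed: ls -la /lib/x86_64-linux-gnu/ | grep -F libkeyutils on a known-good host
BASELINE_LS = """\
lrwxrwxrwx 1 root root    21 Jan 10 09:12 libkeyutils.so.1 -> libkeyutils.so.1.10.2
-rw-r--r-- 1 root root 14328 Jan 10 09:12 libkeyutils.so.1.10
-rw-r--r-- 1 root root 14328 Jan 10 09:12 libkeyutils.so.1.10.2
"""

# Constructed: the same command once the hooked readdir/readlink/stat are in place
INFECTED_LS = """\
lrwxrwxrwx 1 root root    19 Jan 10 09:12 libkeyutils.so.1 -> libkeyutils.so.1.10
-rw-r--r-- 1 root root 14328 Jan 10 09:12 libkeyutils.so.1.10
"""

# Constructed: excerpt of /proc/<sshd pid>/maps on the infected host (assumption:
# the kernel still reports the file the loader really mapped)
SSHD_MAPS = """\
7f3c2a1e5000-7f3c2a1ea000 r--p 00000000 fd:01 131078 /lib/x86_64-linux-gnu/libkeyutils.so.1.10.2
7f3c2a1ea000-7f3c2a1f0000 r-xp 00005000 fd:01 131078 /lib/x86_64-linux-gnu/libkeyutils.so.1.10.2
7f3c2b000000-7f3c2b1a0000 r-xp 00000000 fd:01 131120 /lib/x86_64-linux-gnu/libc.so.6
"""

# one `ls -l` line: mode (+ optional ACL/SELinux marker), links, owner, group, size,
# month, day, time-or-year, then the name (with " -> target" for symlinks)
LS_LINE = re.compile(
    r'^(?P<mode>[-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<rest>.+)$')


def parse_ls(text):
    """Map file name -> Entry for every long-format line; skips 'total N' and noise."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        rest, is_link = m.group("rest"), m.group("mode").startswith("l")
        if is_link and " -> " in rest:
            name, target = rest.split(" -> ", 1)
        else:
            name, target = rest, None
        entries[name] = Entry(name, is_link, target)
    return entries


def compare_listings(baseline, current):
    """Findings as (kind, name, detail): vanished files, re-pointed and dangling links."""
    findings = []
    for name, base in baseline.items():
        cur = current.get(name)
        if cur is None:
            findings.append(("missing", name, "in baseline but absent from current listing"))
        elif base.is_link and cur.is_link and base.target != cur.target:
            findings.append(("link_retargeted", name, f"{base.target} -> {cur.target}"))
    for name, cur in current.items():
        if name not in baseline:
            findings.append(("new", name, "not in baseline"))
        if cur.is_link and cur.target and "/" not in cur.target and cur.target not in current:
            findings.append(("dangling_link", name, f"target {cur.target} not in listing"))
    return findings


def mapped_but_unlisted(maps_text, listing, directory, name_prefix):
    """Names under `directory` that a process has mapped but the listing does not show."""
    hidden = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # addr perms offset dev inode path
        if len(fields) < 6:
            continue                          # anonymous mapping, no backing file
        path = fields[5].strip()
        if os.path.dirname(path) != directory.rstrip("/"):
            continue
        name = os.path.basename(path)
        if name.startswith(name_prefix) and name not in listing:
            hidden.add(name)
    return sorted(hidden)


if __name__ == "__main__":
    base, cur = parse_ls(BASELINE_LS), parse_ls(INFECTED_LS)
    for kind, name, detail in compare_listings(base, cur):
        print(f"{kind:16} {name:24} {detail}")
    for name in mapped_but_unlisted(SSHD_MAPS, cur, "/lib/x86_64-linux-gnu/", "libkeyutils"):
        print(f"{'mapped_unlisted':16} {name:24} mapped by sshd but hidden from ls")
```

On the constructed data the baseline diff reports libkeyutils.so.1 re-pointed from .1.10.2 to .1.10 and libkeyutils.so.1.10.2 missing, and the maps cross-check names that same hidden file. A baseline taken from the package manager's file list or from a known-clean image is the realistic source for BASELINE_LS; the point is that the comparison must use data the hooked libc calls did not produce.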
References
[1] M.-E. M. Léveillé, "Ebury is alive but unseen: 400k Linux servers compromised for cryptotheft and financial gain." Available: https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/