catalog logoThe IAM Privilege Catalog

risks / Defense destruction

Description

Allows an attacker to disable or remove defense mechanism, such as IDS, antivirus, and the like. Note that other mechanisms may serve as defense mechanisms but are explicitly separate (see `destruction:logs` and `destruction:policy`)

Risk: EVASION

This risk allows an attacker to evade detection, allowing the attacker to exploit additional risks without detection, and prevent exploit remediation.

Mitigations

  1. Monitor defense system metrics

Links

  1. https:/​/​attack.mitre.org/​techniques/​T1562/​

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

apikeys.keys.update
appengine.applications.update
cloudkms.cryptoKeys.update
cloudsql.backupRuns.delete
cloudsql.instances.stopReplica
cloudsql.instances.update
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.packetMirrorings.delete
compute.packetMirrorings.update
container.backendConfigs.update
container.clusters.update
container.namespaces.finalize
container.namespaces.update
dns.managedZones.update
logging.exclusions.create
logging.exclusions.update
logging.notificationRules.delete
logging.notificationRules.update
logging.sinks.update
resourcemanager.projects.move
resourcemanager.projects.updateLiens
resourcemanager.tagholds.delete
run.services.update

Kubernetes

core/namespaces.finalize
core/namespaces.update
© 2023–present P0 Security and contributors to the IAM Privilege Catalog