Tag
Bitbucket Secret Scanning Rule Deleted
2 rules, 1 TTP
Attackers may delete secret scanning rules in Bitbucket to impair defenses and introduce secrets into the code repository undetected, potentially leading to unauthorized access or data breaches.
New AWS Network ACL Entry Creation Detected
2 rules, 1 TTP
Detection of new Network ACL entries in AWS CloudTrail logs can indicate potential defense impairment or the opening of new attack vectors within an AWS account by an adversary.
Bitbucket Audit Log Configuration Modified
2 rules, 1 TTP
An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.
GitHub Secret Scanning Feature Disabled
2 rules, 1 TTP
Detection of the disabling of GitHub secret scanning at the business or repository level, potentially increasing the risk of exposed credentials and secrets.
Unauthorized Modification of Azure Conditional Access Policy
2 rules, 2 TTPs
An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense impairment.
Azure AD Root Certificate Authority Added for Passwordless Authentication
2 rules, 4 TTPs
An attacker may add a new root certificate authority to an Azure AD tenant to support certificate-based authentication for persistence, privilege escalation, or defense evasion.
GitHub Push Protection Disabled
2 rules, 1 TTP
An administrator has disabled the GitHub push protection feature, potentially allowing secrets and other sensitive information to be pushed to repositories.
Bitbucket Global Secret Scanning Rule Deletion
2 rules, 1 TTP
An adversary with administrative privileges may delete global secret scanning rules in Bitbucket to impair defenses and exfiltrate sensitive data without detection.
Bitbucket Repository Exempted from Secret Scanning
2 rules, 1 TTP
An attacker may attempt to disable or bypass secret scanning on a Bitbucket repository to avoid detection of committed secrets, potentially leading to credential compromise and subsequent unauthorized access.
Bitbucket Project Secret Scanning Allowlist Added
2 rules
An adversary may impair defenses by adding a secret scanning allowlist rule for Bitbucket projects, potentially allowing secrets to be committed and exposed.
User Added to Group with Conditional Access Policy Modification Access
3 rules, 4 TTPs
An attacker adds a user to a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, credential access, persistence, and defense impairment.
Azure Network Firewall Policy Modification or Deletion
3 rules
An adversary may modify or delete Azure Network Firewall Policies to impair defenses and potentially impact network security.
Azure AD Hybrid Health AD FS Service Deletion for Defense Evasion
2 rules, 1 TTP
Threat actors may delete Azure AD Hybrid Health AD FS service instances after using them to spoof AD FS signing logs for defense evasion.
AWS Config Service Disabling Detection
2 rules, 1 TTP
Detection of AWS Config Service disabling, potentially indicating an attempt to impair defenses by stopping configuration recording and delivery.