pbom-dev / OSCAR

A comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain
Apache License 2.0
84 stars, 23 forks

modify "misconfiguration of security services" under defense evasion #22

Open 6mile opened 1 year ago

6mile commented 1 year ago

Under Defense Evasion one of the evasion techniques is "Misconfiguration of security measures". I believe this should be more like "disable security measures" or perhaps "disable or misconfigure security measures".
In my experience, it's much more common for attackers to totally disable a control like a GitHub Action or endpoint detection than it is for them to do the more challenging thing, which is to misconfigure it.

NaorPenso commented 1 year ago

I believe that those would be 2 different techniques, as they represent different risks. Misconfiguration is a very common "false sense of security" issue where security has implemented mechanisms and is not aware of the fact that the default implementation or general configuration for them still keeps the exposure valid, while disabling the measure would mean a different level of permissions for the attacker (disabling implies administrative capabilities) as well as complete overcoming of the security control irrespective of its configuration.

I'll create a task in our bucket to make sure both of them are addressed; @6mile, feel free to create the technique for disabling security measures based on the template and I'd be happy to approve the pull request (if the contribution practices have been upheld).

vaq130 commented 1 year ago

I agree they should be two different techniques.