Impair Defenses: Disable or Modify Tools T1562.001
Tactic: Stealth
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Events covered
18 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 158 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (107 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1117 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (132 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma (14 rules)
- macOS System Integrity Protection Modification Attempt
- macOS TCC Database Modification
- Microsoft Defender critical security components disabled (command)
- Microsoft Defender critical security components disabled (PowerShell)
- Microsoft Defender default action changed to allow any threat (command)
- Microsoft Defender default action changed to allow any threat (PowerShell)
- Microsoft Defender real time protection failure (native)
- Microsoft Defender security components disabled (command)
- Microsoft Defender security components disabled (PowerShell)
- Microsoft Defender service components status disabled (Registry via Sysmon)
- Microsoft Defender service deactivation attempt (command)
- Microsoft Defender threat exclusion added (native)
- Microsoft Defender threat exclusion added (PowerShell)
- SIGKILL Sent to Security Tools
Elastic (82 rules)
- AppArmor Policy Interface Access
- AppArmor Policy Violation Detected
- AppArmor Profile Compilation via apparmor_parser
- Application Removed from Blocklist in Google Workspace
- Attempt to Clear Kernel Ring Buffer
- Attempt to Clear Logs via Journalctl
- Attempt to Disable Auditd Service
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- AWS Bedrock Automated Reasoning Safety Policy Tampering
- AWS Bedrock Guardrail Deleted or Weakened
- AWS CloudTrail Log Deleted
- AWS CloudTrail Log Suspended
- AWS CloudWatch Alarm Deletion
- AWS CloudWatch Log Group Deletion
- AWS CloudWatch Log Stream Deletion
- AWS Config Resource Deletion
- AWS Configuration Recorder Stopped
- AWS EC2 Serial Console Access Enabled
- AWS EventBridge Rule Disabled or Deleted
- AWS GuardDuty Detector Deletion
- AWS GuardDuty Member Account Manipulation
- AWS S3 Bucket Configuration Deletion
- Azure Diagnostic Settings Alert Suppression Rule Created or Modified
- Azure Diagnostic Settings Deleted
- Azure Kubernetes Services (AKS) Kubernetes Events Deleted
- Azure Resource Group Deleted
- Azure VNet Network Watcher Deleted
- BPF filter applied using TC
- BPF Program Tampering via bpftool
- Deprecated - M365 Exchange DLP Policy Deleted
- Disabling Lsa Protection via Registry Modification
- Disabling User Account Control via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
- DNS Global Query Block List Modified or Disabled
- Elastic Agent Service Terminated
- Elastic Defend Alert Followed by Telemetry Loss
- Gatekeeper Override and Execution
- GitHub App Deleted
- GitHub Protected Branch Settings Changed
- GitHub Secret Scanning Disabled
- Google Workspace Bitlocker Setting Disabled
- Google Workspace Restrictions for Marketplace Modified to Allow Any App
- High Number of Process and/or Service Terminations
- High Number of Process Terminations
- Kernel Module Removal
- Kill Command Execution
- M365 Exchange Anti-Phish Policy Deleted
- M365 Exchange Anti-Phish Rule Modification
- M365 Exchange DKIM Signing Configuration Disabled
- M365 Exchange Email Safe Attachment Rule Disabled
- M365 Exchange Email Safe Link Policy Disabled
- M365 Exchange Mail Flow Transport Rule Modified
- M365 Exchange Mailbox Audit Logging Bypass Added
- M365 Exchange Malware Filter Policy Deleted
- M365 Exchange Malware Filter Rule Modified
- M365 Security Compliance Admin Signal
- M365 SharePoint Site Sharing Policy Weakened
- Microsoft Windows Defender Tampering
- Modification of AmsiEnable Registry Key
- Modification of Safari Settings via Defaults Command
- Potential Antimalware Scan Interface Bypass via PowerShell
- Potential Disabling of AppArmor
- Potential Disabling of SELinux
- Potential Evasion via Filter Manager
- Potential Evasion via Windows Filtering Platform
- Potential Privacy Control Bypass via TCCDB Modification
- PowerShell Script with Windows Defender Tampering Capabilities
- Quarantine Attrib Removed by Unsigned or Untrusted Process
- Scheduled Tasks AT Command Enabled
- SELinux Configuration Creation or Renaming
- Service Disabled via Registry Modification
- SoftwareUpdate Preferences Modification
- SolarWinds Process Disabling Services via Registry
- Suspicious Antimalware Scan Interface DLL
- Suspicious Kernel Feature Activity
- Suspicious Write Attempt to AppArmor Policy Management Files
- Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners
- WDAC Policy File by an Unusual Process
- Windows Defender Disabled via Registry Modification
- Windows Defender Exclusions Added via PowerShell
Splunk (15 rules)
- Defender Registry Values Modified (Sysmon)
- Defender Registry Values Modified (Windows Event Log)
- Modify Windows Defender (EDR)
- Modify Windows Defender (PowerShell)
- Modify Windows Defender (Sysmon)
- Modify Windows Defender (Windows Event Log)
- Service Stop Commands (PowerShell)
- Service Stop Commands (Sysmon)
- Service Stop Commands (Windows Event Log)
- Windows - Service Stop (PowerShell)
- Windows - Service Stop (Windows Event Log)
- Windows Defender Disabled Detection (EDR)
- Windows Defender Disabled Detection (PowerShell)
- Windows Defender Disabled Detection (Sysmon)
- Windows Defender Disabled Detection (Windows Event Log)
Kusto (12 rules)
- AWSCloudTrail - Amazon ECR image scanning disabled
- Copilot - File Uploads Disabled
- Deleted a Custom Field Mapping profile
- Deleted a Tenant
- Disable or Modify Windows Defender
- GCP Audit Logs - Detect Bulk VM Snapshot Deletion
- GCP Audit Logs - Detect Organization Policy Deletion or Updation
- GCP Audit Logs - DNSSEC Disabled on Managed DNS Zone
- GCP Audit Logs - Open Firewall Rule Created or Modified
- GCP Audit Logs - VPC Flow Logs Disabled
- GCP Security Command Center - Detect DNSSEC disabled for DNS zones
- Starting or Stopping HealthService to Avoid Detection
YARA-L (10 rules)
- GitHub Dependabot Vulnerability Alerts Disabled
- GitHub Personal Access Token Auto Approve Policy Modified
- GitHub Repository Branch Protection Rules Disabled
- GitHub Secret Scanning Disabled Or Bypassed
- GitHub SSO Configuration Modified
- GitHub Two-Factor Authentication Requirement Disabled
- Google Workspace Marketplace Allowlist Configuration
- Reg Add Suspicious Paths
- sap hanadb deactivation of audit trail
- sap system or client configuration change
Panther (25 rules)
- Anthropic IP Restriction Deleted
- Anthropic SSO Disabled
- AWS Bedrock Guardrail Updated or Deleted
- Azure Network Watcher Deleted
- Azure Resource Lock Deleted
- Azure Storage Immutability Policy Deleted
- GitHub Advanced Security Change WITHOUT Repo Archived
- Kubernetes Role With Node Proxy Permissions Created
- MongoDB security alerts disabled or deleted
- OpenAI IP Allowlist Configuration Changes
- OpenAI SCIM Configuration Change
- Slack DLP Modified
- Slack Information Barrier Modified
- Slack Legal Hold Policy Modified
- Slack Microsoft Intune Mobile Device Management Disabled
- Sublime Mailbox Deactivated
- Sublime Message Source Deleted Or Deactivated
- Sublime Rules Deleted Or Deactivated
- Wiz CICD Scan Policy Updated Or Deleted
- Wiz Connector Updated Or Deleted
- Wiz Data Classifier Updated Or Deleted
- Wiz Image Integrity Validator Updated Or Deleted
- Wiz Integration Updated Or Deleted
- Wiz Rule Change
- Wiz Update Scanner Settings