Impair Defenses `T1562`

Tactic: Stealth

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Events covered

37 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 5	Process terminated
Sysmon	Event ID 12	RegistryEvent (Object create and delete)
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 14	RegistryEvent (Key and Value Rename)
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4656	A handle to an object was requested.
Security-Auditing	Event ID 4657	A registry value was modified.
Security-Auditing	Event ID 4660	An object was deleted.
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4670	Permissions on an object were changed.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4689	A process has exited.
Security-Auditing	Event ID 4719	System audit policy was changed.
Security-Auditing	Event ID 4738	A user account was changed.
Security-Auditing	Event ID 4950	A Windows Firewall setting has changed.
Security-Auditing	Event ID 5123	A configuration entry changed in the OCSP Responder Service.
Security-Auditing	Event ID 5152	The Windows Filtering Platform blocked a packet.
Security-Auditing	Event ID 5157	The Windows Filtering Platform has blocked a connection.
Security-Auditing	Event ID 5447	A Windows Filtering Platform filter has been changed.
Security-Auditing	Event ID 5448	A Windows Filtering Platform provider has been changed.
Defender-DeviceProcessEvents	any	Process activity (any)
Defender-DeviceRegistryEvents	RegistryKeyDeleted	Registry key deleted
Defender-DeviceRegistryEvents	RegistryValueSet	Registry value set
Defender-DeviceRegistryEvents	RegistryValueDeleted	Registry value deleted
Defender-DeviceRegistryEvents	RegistryKeyRenamed	Registry key renamed
ESF	exec	Process Execution (Notify)
MSSQLSERVER	Event ID 33205	Event ID 33205
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender	Event ID 3002	ProductName Real-Time Protection feature has encountered an error and failed.
Windows-Defender	Event ID 5007	Product Name Configuration has changed.
Windows-Firewall-With-Advanced-Security	Event ID 2003	A Windows Defender Firewall setting in the Profiles profile has changed.
Windows-Firewall-With-Advanced-Security	Event ID 2004	A rule has been added to the Windows Defender Firewall exception list.
Windows-Firewall-With-Advanced-Security	Event ID 2005	A rule has been modified in the Windows Defender Firewall exception list.
PowerShell	Event ID 800	Event ID 800

Authoring guide

Patterns shared across the 468 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (306 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventType`	107	`eq` 60, `in` 33, `wildcard` 11, `ne` 5, `ends_with` 3	`exec`, `ProcessRollup2`, `exec_event`, `deletion`, `CHANGE_APPLICATION_SETTING`
`data_stream.dataset`	80	`eq` 80	`aws.cloudtrail`, `o365.audit`, `gcp.audit`, `okta.system`, `azure.activitylogs`
`event.outcome`	60	`eq` 53, `in` 7	`success`, `Success`
`EventID`	55	`eq` 52, `regex_match` 3, `in` 1	`4688`, `4104`, `1`, `4103`, `4656`
`event.type`	50	`eq` 44, `in` 5, `ne` 1	`start`, `change`, `process_started`, `deletion`, `creation`
`aws::eventName`	47	`eq` 28, `in` 21	`DeleteTrail`, `AuthorizeSecurityGroupEgress`, `AuthorizeSecurityGroupIngress`, `CreateNetworkAclEntry`, `DeleteFlowLogs`
`Provider_Name`	45	`eq` 41, `in` 4	`Exchange`, `ec2.amazonaws.com`, `cloudtrail.amazonaws.com`, `bedrock.amazonaws.com`, `MicrosoftTeams`
`process_name`	39	`eq` 28, `in` 7, `match` 3, `starts_with` 2, `is_not_null` 1, `regex_match` 1, `wildcard` 1	`chkconfig`, `powershell.exe`, `powershell_ise.exe`, `pwsh.exe`, `(?i)cmd\|powershell\|netsh\|net1?\|sc.exe\|reg.exe`
`process.args`	29	`eq` 19, `in` 7, `wildcard` 5, `contains` 3, `starts_with` 3	`disable`, `-c`, `advfirewall`, `firewall`, `*.EndpointSecurity`
`host.os.type`	27	`eq` 26, `in` 1
`event.category`	25	`eq` 22, `in` 3	`web`, `process`, `iam`, `BACKUP_AND_RESTORE`, `configuration`
`aws::eventSource`	24	`eq` 21, `in` 1, `ne` 1, `wildcard` 1	`cloudtrail.amazonaws.com`, `s3.amazonaws.com`, `rds.amazonaws.com`, `bedrock.amazonaws.com`, `apigateway.amazonaws.com`
`CommandLine`	22	`contains` 21, `starts_with` 2, `regex_match` 1	`advfirewall`, `firewall`, `-enc`, `a`, `d`
`DataSource`	20	`eq` 20	`ABAP_CHANGES`, `CHANGEDOC_GENERIC`, `CHANGEDOC_SECURITY_P`, `CHANGEDOC_USOBT_C`, `CHANGEDOC_USOBX_C`
`Details`	20	`eq` 14, `contains` 4, `in` 2, `is_not_null` 2	`0x00000000`, `0x00000001`, `0`, `1`, `0x00000004`

Top indicator values (2027 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.outcome`	`eq`	`success` elasticAWS Bedrock Automated Reasoning Safety Policy Tampering elasticAWS Bedrock Guardrail Deleted or Weakened elasticAWS Bedrock Model Invocation Logging Disabled or Modified elasticAWS CloudTrail Log Created elasticAWS CloudTrail Log Deleted elasticAWS CloudTrail Log Evasion elasticAWS CloudTrail Log Suspended elasticAWS CloudTrail Log Updated elasticAWS CloudWatch Alarm Deletion elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion elasticAWS Config Resource Deletion elasticAWS Configuration Recorder Stopped elasticAWS EC2 Network Access Control List Creation elasticAWS EC2 Network Access Control List Deletion elasticAWS EC2 Security Group Configuration Change elasticAWS EC2 Serial Console Access Enabled elasticAWS EKS Control Plane Logging Disabled elasticAWS EventBridge Rule Disabled or Deleted elasticAWS GuardDuty Detector Deletion elasticAWS GuardDuty Member Account Manipulation elasticAWS KMS Key Policy Updated via PutKeyPolicy elasticAWS Route 53 Domain Transfer Lock Disabled elasticAWS Route 53 Resolver Query Log Configuration Deleted elasticAWS S3 Bucket Configuration Deletion elasticAWS S3 Bucket Expiration Lifecycle Configuration Added elasticAWS S3 Bucket Server Access Logging Disabled elasticAWS SQS Queue Purge elasticAWS VPC Flow Logs Deletion elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion elasticAzure Diagnostic Settings Alert Suppression Rule Created or Modified elasticDeprecated - M365 Exchange DLP Policy Deleted elasticDeprecated - M365 Teams External Access Enabled elasticGCP Logging Bucket Deletion elasticGCP Logging Sink Deletion elasticGCP Logging Sink Modification elasticGCP Pub/Sub Subscription Deletion elasticGCP Pub/Sub Topic Deletion elasticGCP Virtual Private Cloud Network Deletion elasticGCP Virtual Private Cloud Route Deletion elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added elasticM365 Exchange Anti-Phish Policy Deleted elasticM365 Exchange Anti-Phish Rule Modification elasticM365 Exchange DKIM Signing Configuration Disabled elasticM365 Exchange Email Safe Attachment Rule Disabled elasticM365 Exchange Email Safe Link Policy Disabled elasticM365 Exchange Mail Flow Transport Rule Modified elasticM365 Exchange Mailbox Audit Logging Bypass Added elasticM365 Exchange Malware Filter Policy Deleted elasticM365 Exchange Malware Filter Rule Modified elasticM365 SharePoint Site Sharing Policy Weakened elasticM365 Teams Custom Application Interaction Enabled	53	251
`data_stream.dataset`	`eq`	`aws.cloudtrail` elasticAWS Bedrock Automated Reasoning Safety Policy Tampering elasticAWS Bedrock Guardrail Deleted or Weakened elasticAWS Bedrock Model Invocation Logging Disabled or Modified elasticAWS CloudTrail Log Created elasticAWS CloudTrail Log Deleted elasticAWS CloudTrail Log Evasion elasticAWS CloudTrail Log Suspended elasticAWS CloudTrail Log Updated elasticAWS CloudWatch Alarm Deletion elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion elasticAWS Config Resource Deletion elasticAWS Configuration Recorder Stopped elasticAWS EC2 Network Access Control List Creation elasticAWS EC2 Network Access Control List Deletion elasticAWS EC2 Security Group Configuration Change elasticAWS EC2 Serial Console Access Enabled elasticAWS EKS Control Plane Logging Disabled elasticAWS EventBridge Rule Disabled or Deleted elasticAWS GuardDuty Detector Deletion elasticAWS GuardDuty Member Account Manipulation elasticAWS Route 53 Domain Transfer Lock Disabled elasticAWS Route 53 Resolver Query Log Configuration Deleted elasticAWS S3 Bucket Configuration Deletion elasticAWS S3 Bucket Expiration Lifecycle Configuration Added elasticAWS S3 Bucket Server Access Logging Disabled elasticAWS SQS Queue Purge elasticAWS VPC Flow Logs Deletion elasticAWS WAF Access Control List Deletion elasticAWS WAF Rule or Rule Group Deletion elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added	31	141
`data_stream.dataset`	`eq`	`o365.audit` elasticDeprecated - M365 Exchange DLP Policy Deleted elasticDeprecated - M365 Teams External Access Enabled elasticM365 Exchange Anti-Phish Policy Deleted elasticM365 Exchange Anti-Phish Rule Modification elasticM365 Exchange DKIM Signing Configuration Disabled elasticM365 Exchange Email Safe Attachment Rule Disabled elasticM365 Exchange Email Safe Link Policy Disabled elasticM365 Exchange Mail Flow Transport Rule Modified elasticM365 Exchange Mailbox Audit Logging Bypass Added elasticM365 Exchange Malware Filter Policy Deleted elasticM365 Exchange Malware Filter Rule Modified elasticM365 SharePoint Site Sharing Policy Weakened elasticM365 Teams Custom Application Interaction Enabled	13	45
`data_stream.dataset`	`eq`	`gcp.audit` elasticGCP Firewall Rule Creation elasticGCP Firewall Rule Deletion elasticGCP Firewall Rule Modification elasticGCP Logging Bucket Deletion elasticGCP Logging Sink Deletion elasticGCP Logging Sink Modification elasticGCP Pub/Sub Subscription Deletion elasticGCP Pub/Sub Topic Deletion elasticGCP Virtual Private Cloud Network Deletion elasticGCP Virtual Private Cloud Route Creation elasticGCP Virtual Private Cloud Route Deletion	11	23
`data_stream.dataset`	`eq`	`okta.system` elasticAttempt to Deactivate an Okta Network Zone elasticAttempt to Deactivate an Okta Policy elasticAttempt to Deactivate an Okta Policy Rule elasticAttempt to Delete an Okta Network Zone elasticAttempt to Delete an Okta Policy elasticAttempt to Delete an Okta Policy Rule elasticAttempt to Modify an Okta Network Zone elasticAttempt to Modify an Okta Policy elasticAttempt to Modify an Okta Policy Rule	9	48
`data_stream.dataset`	`eq`	`azure.activitylogs` elasticAzure Diagnostic Settings Alert Suppression Rule Created or Modified elasticAzure Diagnostic Settings Deleted elasticAzure Event Hub Deleted elasticAzure Kubernetes Services (AKS) Kubernetes Events Deleted elasticAzure Resource Group Deleted elasticAzure VNet Firewall Front Door WAF Policy Deleted elasticAzure VNet Firewall Policy Deleted elasticAzure VNet Network Watcher Deleted	8	34
`event.type`	`eq`	`start` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticAttempt to Disable Auditd Service elasticAttempt to Disable IPTables or Firewall elasticAttempt to Disable Syslog Service elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticClearing Windows Event Logs elasticDisable Windows Event and Security Logs Using Built-in Tools elasticDisable Windows Firewall Rules via Netsh elasticDisabling Windows Defender Security Settings via PowerShell elasticElastic Agent Service Terminated elasticEnable Host Network Discovery via Netsh elasticHigh Number of Process and/or Service Terminations elasticHigh Number of Process Terminations elasticIIS HTTP Logging Disabled elasticKernel Module Removal elasticKill Command Execution elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux elasticPotential Evasion via Filter Manager elasticRemote Desktop Enabled in Windows Firewall by Netsh elasticSuspicious Kernel Feature Activity elasticSuspicious Write Attempt to AppArmor Policy Management Files elasticTampering with RUNNER_TRACKING_ID in GitHub Actions Runners elasticWindows Defender Exclusions Added via PowerShell elasticWindows Firewall Disabled via PowerShell	28	606
`event.type`	`eq`	`change` elasticAppArmor Policy Violation Detected elasticApplication Removed from Blocklist in Google Workspace elasticDisabling Lsa Protection via Registry Modification elasticDisabling User Account Control via Registry Modification elasticDNS Global Query Block List Modified or Disabled elasticDNS-over-HTTPS Enabled via Registry elasticGitHub Protected Branch Settings Changed elasticGitHub Secret Scanning Disabled elasticLocal Account TokenFilter Policy Disabled elasticMicrosoft Windows Defender Tampering elasticPowerShell Script Block Logging Disabled elasticScheduled Tasks AT Command Enabled elasticService Disabled via Registry Modification elasticSolarWinds Process Disabling Services via Registry elasticWindows Defender Disabled via Registry Modification	15	77
`security_result.action`	`eq`	`ALLOW` chronicleAWS CloudTrail Logging Tampered chronicleAWS Config Service Modified chronicleAWS Delete CloudWatch Log Group chronicleAWS Delete VPC Flow Logs chronicleAWS GuardDuty Disabled chronicleAWS GuardDuty Publishing Destination Deleted chronicleAWS GuardDuty Trusted Or Threat IP Lists Tampered chronicleAWS IAM Access Analyzer Deleted chronicleAWS S3 Bucket Made Public By ACL chronicleAWS S3 Public Access Block Removed chronicleAWS Security Group Open To The World chronicleGCP BigQuery Datasets Opened To Public chronicleGCP Cloud Audit Logging Removed From All Services chronicleGCP Exempt Principals From Audit Log chronicleGCP Firewall Rule Opened To The World chronicleGCP Security Command Center Service Disabled chronicleGCP Storage Bucket Opened To Public	17	102
`data.type`	`eq`	`sapi` sigmaAttack protection features manipulation - some attack protection features have been disabled. sigmaBot detection - the feature is turned off completely or some policies. sigmaBreached Password Detection - critical settings manipulated sigmaBrute Force Protection - critical settings manipulated sigmaInsecure OAuth2.x flows have been enabled for some applications sigmaLoaded LiquidJS error page template contains XSS vulnerabilities sigmaMFA downgrade - adaptive MFA risk assessment disabled sigmaMFA downgrade - disable MFA policies by modifying the policies sigmaMFA downgrade - disable strong factors sigmaSuspicious IP Throttling - critical settings manipulated sigmaUnauthorized or Unexpected Enabling of Cross-Origin Authentication (CORS) sigmaUnrecognized IP in attack protection allowlists pantherAuth0 Attack Protection Monitoring Disabled pantherAuth0 Bot Detection Policy Disabled	14	18
`EventType`	`in`	`exec` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticAttempt to Disable Auditd Service elasticAttempt to Disable IPTables or Firewall elasticAttempt to Disable Syslog Service elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticKernel Module Removal elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux elasticSuspicious Kernel Feature Activity elasticSuspicious Write Attempt to AppArmor Policy Management Files	13	171
`EventType`	`in`	`ProcessRollup2` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticAttempt to Disable Auditd Service elasticAttempt to Disable Syslog Service elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticKernel Module Removal elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux elasticSuspicious Kernel Feature Activity elasticSuspicious Write Attempt to AppArmor Policy Management Files	12	117
`EventType`	`in`	`exec_event` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticAttempt to Disable Auditd Service elasticAttempt to Disable IPTables or Firewall elasticAttempt to Disable Syslog Service elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticKernel Module Removal elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux elasticSuspicious Write Attempt to AppArmor Policy Management Files	12	139
`EventType`	`in`	`start` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticAttempt to Disable Auditd Service elasticAttempt to Disable IPTables or Firewall elasticAttempt to Disable Syslog Service elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticKernel Module Removal elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux elasticSuspicious Write Attempt to AppArmor Policy Management Files	12	134
`EventType`	`in`	`executed` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux	7	88
`EventType`	`in`	`process_started` elasticAppArmor Profile Compilation via apparmor_parser elasticAttempt to Clear Kernel Ring Buffer elasticAttempt to Clear Logs via Journalctl elasticBPF filter applied using TC elasticBPF Program Tampering via bpftool elasticPotential Disabling of AppArmor elasticPotential Disabling of SELinux	7	74
`resultType`	`in`	`Succeeded` pantherAzure Action Groups Deleted pantherAzure Alert Rules Deleted pantherAzure Alert Suppression Rule Created or Modified pantherAzure Diagnostic Settings Deleted pantherAzure Event Hub Deleted pantherAzure Firewall Policy Deleted pantherAzure Log Analytics Workspace Deleted pantherAzure Network Security Configuration Modified or Deleted pantherAzure Network Watcher Deleted pantherAzure Recovery Services Protection Container Deleted pantherAzure Resource Lock Deleted pantherAzure Storage Immutability Policy Deleted	12	51
`resultType`	`in`	`Success` pantherAzure Action Groups Deleted pantherAzure Alert Rules Deleted pantherAzure Alert Suppression Rule Created or Modified pantherAzure Diagnostic Settings Deleted pantherAzure Event Hub Deleted pantherAzure Firewall Policy Deleted pantherAzure Log Analytics Workspace Deleted pantherAzure Network Security Configuration Modified or Deleted pantherAzure Network Watcher Deleted pantherAzure Recovery Services Protection Container Deleted pantherAzure Resource Lock Deleted pantherAzure Storage Immutability Policy Deleted	12	51
`event.category`	`eq`	`web` elasticDeprecated - M365 Exchange DLP Policy Deleted elasticDeprecated - M365 Teams External Access Enabled elasticM365 Exchange Anti-Phish Policy Deleted elasticM365 Exchange Anti-Phish Rule Modification elasticM365 Exchange DKIM Signing Configuration Disabled elasticM365 Exchange Email Safe Attachment Rule Disabled elasticM365 Exchange Email Safe Link Policy Disabled elasticM365 Exchange Mail Flow Transport Rule Modified elasticM365 Exchange Malware Filter Policy Deleted elasticM365 Exchange Malware Filter Rule Modified elasticM365 Teams Custom Application Interaction Enabled	11	20
`Provider_Name`	`eq`	`Exchange` elasticDeprecated - M365 Exchange DLP Policy Deleted elasticM365 Exchange Anti-Phish Policy Deleted elasticM365 Exchange Anti-Phish Rule Modification elasticM365 Exchange DKIM Signing Configuration Disabled elasticM365 Exchange Email Safe Attachment Rule Disabled elasticM365 Exchange Email Safe Link Policy Disabled elasticM365 Exchange Mail Flow Transport Rule Modified elasticM365 Exchange Mailbox Audit Logging Bypass Added elasticM365 Exchange Malware Filter Policy Deleted elasticM365 Exchange Malware Filter Rule Modified	10	19
`Provider_Name`	`eq`	`ec2.amazonaws.com` elasticAWS EC2 Network Access Control List Creation elasticAWS EC2 Network Access Control List Deletion elasticAWS EC2 Security Group Configuration Change elasticAWS EC2 Serial Console Access Enabled elasticAWS VPC Flow Logs Deletion elasticInsecure AWS EC2 VPC Security Group Ingress Rule Added	6	19
`EventID`	`eq`	`4688` splunkDefender Registry Values Modified (Windows Event Log) splunkModify Windows Defender (Windows Event Log) splunkService Stop Commands (Windows Event Log) splunkWindows - Service Stop (Windows Event Log) splunkWindows Defender Disabled Detection (Windows Event Log) splunkWindows Firewall Disabled (Windows Event Log) splunkWindows Firewall Rule Creation (Windows Event Log) kustoDev-0270 Malicious Powershell usage kustoSecurity Service Registry ACL Modification	9	313
`EventID`	`eq`	`4104` splunkETW Trace Provider Modified - PowerShell (PowerShell) splunkModify Windows Defender (PowerShell) splunkWindows - Service Stop (PowerShell) splunkWindows Defender Disabled Detection (PowerShell) splunkWindows Firewall Disabled (PowerShell) splunkWindows Firewall Rule Creation (PowerShell)	6	268
`aws::eventSource`	`eq`	`s3.amazonaws.com` pantherAWS S3 Security Control Disabling pantherS3 Bucket Encryption Deleted pantherS3 Bucket Logging Disabled pantherS3 Bucket Replication Deleted pantherS3 Bucket Versioning Suspended pantherS3 MFA Delete Disabled pantherS3 Public Access Block Deleted	7	17
`event.outcome`	`in`	`Success` elasticAzure Diagnostic Settings Deleted elasticAzure Event Hub Deleted elasticAzure Kubernetes Services (AKS) Kubernetes Events Deleted elasticAzure Resource Group Deleted elasticAzure VNet Firewall Front Door WAF Policy Deleted elasticAzure VNet Firewall Policy Deleted elasticAzure VNet Network Watcher Deleted	7	37
`event.outcome`	`in`	`success` elasticAzure Diagnostic Settings Deleted elasticAzure Event Hub Deleted elasticAzure Kubernetes Services (AKS) Kubernetes Events Deleted elasticAzure Resource Group Deleted elasticAzure VNet Firewall Front Door WAF Policy Deleted elasticAzure VNet Firewall Policy Deleted elasticAzure VNet Network Watcher Deleted	7	38
`status`	`eq`	`SUCCESS` pantherWiz CICD Scan Policy Updated Or Deleted pantherWiz Connector Updated Or Deleted pantherWiz Data Classifier Updated Or Deleted pantherWiz Image Integrity Validator Updated Or Deleted pantherWiz Integration Updated Or Deleted pantherWiz Rule Change pantherWiz Update Scanner Settings	7	16
`Details`	`eq`	`0` elasticDisabling User Account Control via Registry Modification elasticDNS Global Query Block List Modified or Disabled elasticMicrosoft Windows Defender Tampering elasticModification of AmsiEnable Registry Key elasticNetwork-Level Authentication (NLA) Disabled elasticPowerShell Script Block Logging Disabled	6	12
`Details`	`eq`	`0x00000000` elasticDisabling User Account Control via Registry Modification elasticDNS Global Query Block List Modified or Disabled elasticMicrosoft Windows Defender Tampering elasticModification of AmsiEnable Registry Key elasticNetwork-Level Authentication (NLA) Disabled elasticPowerShell Script Block Logging Disabled	6	43
`Details`	`eq`	`1` elasticDNS-over-HTTPS Enabled via Registry elasticLocal Account TokenFilter Policy Disabled elasticMicrosoft Windows Defender Tampering elasticScheduled Tasks AT Command Enabled elasticWindows Defender Disabled via Registry Modification kustoDetect Windows Update Disabled from Registry	6	13

Exclusions (225 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`user.id`	`eq`	`S-1-5-18` elasticPotential RemoteMonologue Attack elasticPowerShell Script with Windows Defender Tampering Capabilities elasticService Disabled via Registry Modification elasticWindows Defender Disabled via Registry Modification	4
`aws::errorCode`	`eq`	`AccessDenied` sigmaCloudTrail Log Deleted sigmaCloudTrail Log Settings Modified sigmaCloudTrail Logging Stopped	3
`aws::userAgent`	`eq`	`AWS Internal` elasticAWS CloudWatch Alarm Deletion elasticAWS CloudWatch Log Group Deletion elasticAWS CloudWatch Log Stream Deletion	3
`Image`	`wildcard`	`?:\windows\system32\deviceenroller.exe` elasticMicrosoft Windows Defender Tampering elasticPowerShell Script Block Logging Disabled	2
`Image`	`wildcard`	`?:\windows\system32\omadmclient.exe` elasticPowerShell Script Block Logging Disabled elasticWDAC Policy File by an Unusual Process	2
`Image`	`wildcard`	`?:\windows\system32\svchost.exe` elasticMicrosoft Windows Defender Tampering elasticPowerShell Script Block Logging Disabled	2
`Image`	`wildcard`	`\device\harddiskvolume*\windows\system32\deviceenroller.exe` elasticMicrosoft Windows Defender Tampering elasticPowerShell Script Block Logging Disabled	2
`Image`	`wildcard`	`\device\harddiskvolume*\windows\system32\svchost.exe` elasticMicrosoft Windows Defender Tampering elasticPowerShell Script Block Logging Disabled	2
`data.details.response.body.shields{}`	`eq`	`block` sigmaBreached Password Detection - critical settings manipulated sigmaBrute Force Protection - critical settings manipulated	2
`responseStatus.code`	`ge`	`1` pantherKubernetes Pod Using Host IPC Namespace pantherKubernetes Role With Node Proxy Permissions Created	2
`responseStatus.code`	`ge`	`400` pantherKubernetes Pod Using Host IPC Namespace pantherKubernetes Role With Node Proxy Permissions Created	2
`responseStatus.code`	`le`	`16` pantherKubernetes Pod Using Host IPC Namespace pantherKubernetes Role With Node Proxy Permissions Created	2
`username`	`in`	`aksService` pantherKubernetes Pod Using Host IPC Namespace pantherKubernetes Role With Node Proxy Permissions Created	2
`username`	`in`	`masterclient` pantherKubernetes Pod Using Host IPC Namespace pantherKubernetes Role With Node Proxy Permissions Created	2
`username`	`starts_with`	`system:` pantherKubernetes Pod Using Host IPC Namespace pantherKubernetes Role With Node Proxy Permissions Created	2

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Impair Defenses `T1562`

Events covered

Authoring guide

Fields filtered most (306 distinct)

Top indicator values (2027 distinct)

Exclusions (225 distinct)

Rules under this technique

Sigma 55 rules

Elastic 145 rules

Splunk 25 rules

Kusto 103 rules

YARA-L 36 rules

Panther 104 rules

Keyboard shortcuts

Search operators

Impair Defenses T1562

Events covered

Authoring guide

Fields filtered most (306 distinct)

Top indicator values (2027 distinct)

Exclusions (225 distinct)

Rules under this technique

Sigma 55 rules

Elastic 145 rules

Splunk 25 rules

Kusto 103 rules

YARA-L 36 rules

Panther 104 rules

Impair Defenses `T1562`