Disable or Modify Tools T1562.001 (Impair Defenses sub-technique)
Tactic: Defense Evasion
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) agents, intrusion detection systems (IDS), antivirus, logging agents, sensors) to impair defensive capabilities or blind defenders to their activity. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. It may also extend to impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.
Events covered
47 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 359 rules listed under this technique below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, however many of its predicates hit that row.
Fields filtered most (106 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (2010 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own (a process name such as reg.exe or powershell.exe appears under many techniques); combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (185 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
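The aggregation described in this guide, as an added example that is not the catalog's own code: a constructed six-rule catalog from three vendors, a field-alias table that stands in for the catalog's real normalization (an assumption; the real table is not shown on this page), and functions that produce the three tables above using the stated counting rules (once per rule per row, corpus reach across all techniques, blank when the row is specific to this technique). A small matcher then evaluates one rule against constructed process events to show why a high-reach indicator such as reg.exe on its own is noisy while the full predicate set with its exclusion is not. Every rule title, value, event and technique tag other than T1562.001 is made up for illustration.

```python
"""Build the authoring-guide tables (fields filtered, top indicator values with corpus
reach, exclusions) from a constructed rule catalog, then evaluate one rule over constructed
events. Added example, not the catalog's own code; all rules, aliases and events are made up."""
from collections import Counter, defaultdict

TECHNIQUE = "T1562.001"  # Disable or Modify Tools
# Vendor field names that collapse into one catalog row (constructed mapping).
FIELD_ALIASES = {
    "Image": "process.name", "process.name": "process.name", "process_name": "process.name",
    "CommandLine": "process.command_line", "process.command_line": "process.command_line",
    "process": "process.command_line", "ParentImage": "parent.name",
    "process.parent.name": "parent.name", "parent_process_name": "parent.name",
}

def normalize(field):
    """Vendor field -> catalog field; unknown names pass through unchanged."""
    return FIELD_ALIASES.get(field, field)

def rule(vendor, title, techniques, predicates, exclusions=()):
    return {"vendor": vendor, "title": title, "techniques": set(techniques),
            "predicates": list(predicates), "exclusions": list(exclusions)}

# Predicates and top-level not() exclusions are (field, operator, value) triples,
# written the way each vendor writes them. All titles are constructed.
CATALOG = [
    rule("Sigma", "Defender Real-time Protection Disabled Via PowerShell", ["T1562.001"],
         [("Image", "endswith", "\\powershell.exe"),
          ("CommandLine", "contains", "Set-MpPreference"),
          ("CommandLine", "contains", "-DisableRealtimeMonitoring")],
         [("ParentImage", "endswith", "\\ExampleDeployAgent.exe")]),
    rule("Splunk", "Powershell Disable Realtime Monitoring", ["T1562.001"],
         [("process_name", "eq", "powershell.exe"),
          ("process", "contains", "Set-MpPreference"),
          ("process", "contains", "-DisableRealtimeMonitoring")],
         [("parent_process_name", "eq", "ExampleDeployAgent.exe")]),
    rule("Elastic", "Security Service Stopped Via Sc.exe", ["T1562.001"],
         [("process.name", "eq", "sc.exe"),
          ("process.command_line", "contains", "stop"),
          ("process.command_line", "contains", "WinDefend")]),
    rule("Sigma", "Defender Disabled Via Reg.exe", ["T1562.001"],
         [("Image", "endswith", "\\reg.exe"),
          ("CommandLine", "contains", "DisableAntiSpyware"),
          ("CommandLine", "contains", "DisableAntiSpyware")],  # repeated: must count once
         [("ParentImage", "endswith", "\\ExampleDeployAgent.exe")]),
    # Rules tagged with other techniques only feed the Corpus reach column.
    rule("Sigma", "Run Key Added Via Reg.exe", ["T1547.001"],
         [("Image", "endswith", "\\reg.exe"), ("CommandLine", "contains", "\\CurrentVersion\\Run")]),
    rule("Sigma", "Encoded PowerShell Command", ["T1059.001"],
         [("Image", "endswith", "\\powershell.exe"), ("CommandLine", "contains", " -enc ")]),
]

def _rows(r, key):
    """Normalized (field, op, value) set: a rule contributes at most once per row."""
    return {(normalize(f), op, v) for f, op, v in r[key]}

def rules_under(catalog, technique):
    return [r for r in catalog if technique in r["techniques"]]

def fields_filtered(catalog, technique):
    """field -> [number of rules filtering on it, Counter of operators] (the 'How' column)."""
    table = defaultdict(lambda: [0, Counter()])
    for r in rules_under(catalog, technique):
        per_field = defaultdict(set)
        for field, op, _ in _rows(r, "predicates"):
            per_field[field].add(op)
        for field, ops in per_field.items():
            table[field][0] += 1          # once per rule, however many predicates hit the field
            table[field][1].update(ops)
    return dict(table)

def top_indicators(catalog, technique):
    """[(row, rules under technique, corpus reach)] ranked; reach is None (blank) when specific."""
    in_tech, corpus = Counter(), Counter()
    for r in catalog:
        rows = _rows(r, "predicates")
        corpus.update(rows)
        if technique in r["techniques"]:
            in_tech.update(rows)
    ranked = sorted(in_tech.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(row, n, corpus[row] if corpus[row] > n else None) for row, n in ranked]

def exclusions(catalog, technique):
    """Top-level not() rows counted once per rule, most common first."""
    counts = Counter()
    for r in rules_under(catalog, technique):
        counts.update(_rows(r, "exclusions"))
    return counts.most_common()

OPS = {"eq": str.__eq__, "endswith": str.endswith, "contains": lambda a, b: b in a}

def matches(r, event):
    """Rule fires when every predicate row holds and no exclusion row holds (event keys already normalized)."""
    holds = lambda rows: [OPS[op](event.get(f, ""), v) for f, op, v in rows]
    return all(holds(_rows(r, "predicates"))) and not any(holds(_rows(r, "exclusions")))

# Constructed process-creation events, keyed by catalog field names.
BENIGN = {"process.name": "C:\\Windows\\System32\\reg.exe", "parent.name": "C:\\Windows\\explorer.exe",
          "process.command_line": "reg query HKCU\\Software\\Example"}
TAMPER = {"process.name": "C:\\Windows\\System32\\reg.exe", "parent.name": "C:\\Windows\\System32\\cmd.exe",
          "process.command_line": 'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                                  "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"}
EXCLUDED = {**TAMPER, "parent.name": "C:\\Program Files\\Example\\ExampleDeployAgent.exe"}
```

Running `top_indicators(CATALOG, TECHNIQUE)` ranks the two shared Set-MpPreference rows first with a blank reach, while the reg.exe and powershell.exe process-name rows show a reach of 2 because rules under other techniques check them too; `matches(CATALOG[3], BENIGN)` is false but a rule built from the reg.exe row alone fires on that same benign event, which is the noise the Corpus reach column warns about.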
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor; each entry carries the rule's full predicates, exclusions, and indicators.
Sigma 200 rules
- Add SafeBoot Keys Via Reg Utility
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- Antivirus Filter Driver Disallowed On Dev Drive - Registry
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- Audit Policy Tampering Via Auditpol
- Audit Policy Tampering Via NT Resource Kit Auditpol
- Audit Rules Deleted Via Auditctl
- Auditing Configuration Changes on Linux Host
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Detector Deleted Or Updated
- AWS GuardDuty Important Change
- AWS SecurityHub Findings Evasion
- Azure Kubernetes Events Deleted
- Bitbucket Audit Log Configuration Updated
- Bitbucket Global Secret Scanning Rule Deleted
- Bitbucket Global SSH Settings Changed
- Bitbucket Project Secret Scanning Allowlist Added
- Bitbucket Secret Scanning Exempt Repository Added
- Bitbucket Secret Scanning Rule Deleted
- Change Winevt Channel Access Permission Via Registry
- Cisco Disabling Logging
- Cisco Dot1x Disabled
- Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
- Devcon Execution Disabling VMware VMCI Device
- Diamond Sleet APT Scheduled Task Creation - Registry
- Disable Exploit Guard Network Protection on Windows Defender
- Disable of ETW Trace - Powershell
- Disable Or Stop Services
- Disable Privacy Settings Experience in Registry
- Disable PUA Protection on Windows Defender
- Disable Security Events Logging Adding Reg Key MiniNt
- Disable Security Tools
- Disable Tamper Protection on Windows Defender
- Disable Windows Defender AV Security Monitoring
- Disable Windows Defender Functionalities Via Registry Keys
- Disable Windows Event Logging Via Registry
- Disable Windows IIS HTTP Logging
- Disable-WindowsOptionalFeature Command PowerShell
- Disabled IE Security Features
- Disabled Volume Snapshots
- Disabled Windows Defender Eventlog
- Disabling Windows Defender WMI Autologger Session via Reg.exe
- Dism Remove Online Package
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- ESXi Syslog Configuration Change Via ESXCLI
- ETW Logging Disabled For rpcrt4.dll
- ETW Logging Disabled For SCM
- ETW Logging Disabled In .NET Processes - Registry
- ETW Logging Disabled In .NET Processes - Sysmon Registry
- ETW Logging Tamper In .NET Processes Via CommandLine
- ETW Logging/Processing Option Disabled On IIS Server
- ETW Trace Evasion Activity
- Eventlog Cleared
- EVTX Created In Uncommon Location
- Filter Driver Unloaded Via Fltmc.EXE
- Folder Removed From Exploit Guard ProtectedFolders List - Registry
- Forest Blizzard APT - File Creation Activity
- Forest Blizzard APT - JavaScript Constrained File Creation
- FortiGate - Firewall Address Object Added
- FortiGate - New Firewall Policy Added
- Github Push Protection Bypass Detected
- Github Push Protection Disabled
- Github Secret Scanning Feature Disabled
- Google Cloud Firewall Modified or Deleted
- HackTool - CobaltStrike BOF Injection Pattern
- Hacktool - EDR-Freeze Execution
- HackTool - EDRSilencer Execution
- HackTool - EDRSilencer Execution - Filter Added
- HackTool - PowerTool Execution
- HackTool - SharpEvtMute DLL Load
- HackTool - SharpEvtMute Execution
- HackTool - Stracciatella Execution
- HackTool - SysmonEnte Execution
- Hide Schedule Task Via Index Value Tamper
- HTTP Logging Disabled On IIS Server
- Hypervisor Enforced Paging Translation Disabled
- Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
- Important Windows Event Auditing Disabled
- Important Windows Eventlog Cleared
- Indicator Removal on Host - Clear Mac System Logs
- Kaspersky Endpoint Security Stopped Via CommandLine - Linux
- Linux Logs Clearing Attempts
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process
- Logging Configuration Changes on Linux Host
- Microsoft Defender Tamper Protection Trigger
- Microsoft Malware Protection Engine Crash
- Microsoft Malware Protection Engine Crash - WER
- Microsoft Office Protected View Disabled
- NetNTLM Downgrade Attack
- NetNTLM Downgrade Attack - Registry
- New Module Module Added To IIS Server
- NotPetya Ransomware Activity
- Obfuscated PowerShell OneLiner Execution
- Okta User Session Start Via An Anonymising Proxy Service
- Potential AMSI Bypass Script Using NULL Bits
- Potential AMSI Bypass Using NULL Bits
- Potential AMSI Bypass Via .NET Reflection
- Potential AMSI COM Server Hijacking
- Potential AutoLogger Sessions Tampering
- Potential EventLog File Location Tampering
- Potential Ke3chang/TidePool Malware Activity
- Potential Privileged System Service Operation - SeLoadDriverPrivilege
- Potential Suspicious Activity Using SeCEdit
- Potential Tampering With Security Products Via WMIC
- Potential Windows Defender Tampering Via Wmic.EXE
- Powershell Base64 Encoded MpPreference Cmdlet
- Powershell Defender Disable Scan Feature
- Powershell Defender Exclusion
- PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
- PPL Tampering Via WerFaultSecure
- Previously Installed IIS Module Was Removed
- PUA - CleanWipe Execution
- Python Function Execution Security Warning Disabled In Excel
- Python Function Execution Security Warning Disabled In Excel - Registry
- Raccine Uninstall
- RedSun - Named Pipe Created
- RedSun - TieringEngineService.exe Detected as EICAR Test File
- Reg Add Suspicious Paths
- Removal Of AMSI Provider Registry Keys
- Removal Of Index Value to Hide Schedule Task - Registry
- Removal Of SD Value to Hide Schedule Task - Registry
- SafeBoot Registry Key Deleted Via Reg.EXE
- Scripted Diagnostics Turn Off Check Enabled - Registry
- Security Event Logging Disabled via MiniNt Registry Key - Process
- Security Event Logging Disabled via MiniNt Registry Key - Registry Set
- Security Eventlog Cleared
- Security Service Disabled Via Reg.EXE
- Service Registry Key Deleted Via Reg.EXE
- Service Startup Type Change Via Wmic.EXE
- Service StartupType Change Via PowerShell Set-Service
- Service StartupType Change Via Sc.EXE
- Suspicious Application Allowed Through Exploit Guard
- Suspicious Eventlog Clear
- Suspicious Eventlog Clearing or Configuration Change Activity
- Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
- Suspicious Path In Keyboard Layout IME File Registry Value
- Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
- Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
- Suspicious PROCEXP152.sys File Created In TMP
- Suspicious Service Installed
- Suspicious Svchost Process Access
- Suspicious Uninstall of Windows Defender Feature via PowerShell
- Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
- Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
- Suspicious Windows Service Tampering
- Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
- Sysinternals PsSuspend Suspicious Execution
- Syslog Clearing or Removal Via System Utilities
- Sysmon Application Crashed
- Sysmon Configuration Update
- Sysmon Driver Altitude Change
- Sysmon Driver Unloaded Via Fltmc.EXE
- Tamper Windows Defender - PSClassic
- Tamper Windows Defender - ScriptBlockLogging
- Tamper Windows Defender Remove-MpPreference
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- Tamper With Sophos AV Registry Keys
- Taskkill Symantec Endpoint Protection
- Terminate Linux Process Via Kill
- Uncommon Extension In Keyboard Layout IME File Registry Value
- Uninstall Crowdstrike Falcon Sensor
- Uninstall Sysinternals Sysmon
- Vulnerable Driver Blocklist Registry Tampering Via CommandLine
- WDAC Policy File Creation In CodeIntegrity Folder
- Weak Encryption Enabled and Kerberoast
- WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
- WFP Filter Added via Registry
- Win Defender Restored Quarantine File
- Windows AMSI Related Registry Tampering Via CommandLine
- Windows Credential Guard Disabled - Registry
- Windows Credential Guard Registry Tampering Via CommandLine
- Windows Credential Guard Related Registry Value Deleted - Registry
- Windows Defender Configuration Changes
- Windows Defender Context Menu Removed
- Windows Defender Definition Files Removed
- Windows Defender Exclusion List Modified
- Windows Defender Exclusion Registry Key - Write Access Requested
- Windows Defender Exclusions Added
- Windows Defender Exclusions Added - PowerShell
- Windows Defender Exclusions Added - Registry
- Windows Defender Exploit Guard Tamper
- Windows Defender Grace Period Expired
- Windows Defender Malware And PUA Scanning Disabled
- Windows Defender Real-time Protection Disabled
- Windows Defender Real-Time Protection Failure/Restart
- Windows Defender Service Disabled - Registry
- Windows Defender Submit Sample Feature Disabled
- Windows Defender Threat Detection Service Disabled
- Windows Defender Threat Severity Default Action Modified
- Windows Defender Virus Scanning Feature Disabled
- Windows Event Auditing Disabled
- Windows EventLog Autologger Session Registry Modification Via CommandLine
- Windows Filtering Platform Blocked Connection From EDR Agent Binary
- Windows Firewall Disabled via PowerShell
- Windows Hypervisor Enforced Code Integrity Disabled
- Windows Vulnerable Driver Blocklist Disabled
- Write Protect For Storage Disabled
Splunk 159 rules
- Add or Set Windows Defender Exclusion
- ASL AWS Defense Evasion Delete Cloudtrail
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- ASL AWS Defense Evasion Impair Security Services
- ASL AWS Defense Evasion PutBucketLifecycle
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- ASL AWS Defense Evasion Update Cloudtrail
- AWS Bedrock Delete GuardRails
- AWS Bedrock Delete Model Invocation Logging Configuration
- AWS Defense Evasion Delete Cloudtrail
- AWS Defense Evasion Delete CloudWatch Log Group
- AWS Defense Evasion Impair Security Services
- AWS Defense Evasion PutBucketLifecycle
- AWS Defense Evasion Stop Logging Cloudtrail
- AWS Defense Evasion Update Cloudtrail
- Azure AD Block User Consent For Risky Apps Disabled
- Cisco ASA - Core Syslog Message Volume Drop
- Cisco ASA - Logging Disabled via CLI
- Cisco ASA - Logging Filters Configuration Tampering
- Cisco ASA - Logging Message Suppression
- Cisco Configuration Archive Logging Analysis
- Cisco SNMP Community String Configuration Changes
- Disable AMSI Through Registry
- Disable Defender AntiVirus Registry
- Disable Defender BlockAtFirstSeen Feature
- Disable Defender Enhanced Notification
- Disable Defender MpEngine Registry
- Disable Defender Spynet Reporting
- Disable Defender Submit Samples Consent Feature
- Disable ETW Through Registry
- Disable Logs Using WevtUtil
- Disable Registry Tool
- Disable Schedule Task
- Disable Show Hidden Files
- Disable Windows App Hotkeys
- Disable Windows Behavior Monitoring
- Disable Windows SmartScreen Protection
- Disabling CMD Application
- Disabling ControlPanel
- Disabling Defender Services
- Disabling Firewall with Netsh
- Disabling FolderOptions Windows Feature
- Disabling NoRun Windows App
- Disabling Task Manager
- ESXi Download Errors
- ESXi Encryption Settings Modified
- ESXi Lockdown Mode Disabled
- ESXi Loghost Config Tampering
- ESXi VIB Acceptance Level Tampering
- ETW Registry Disabled
- Excessive number of service control start as disabled
- Excessive Usage Of Taskkill
- GitHub Enterprise Delete Branch Ruleset
- GitHub Enterprise Disable 2FA Requirement
- GitHub Enterprise Disable Audit Log Event Stream
- GitHub Enterprise Disable Classic Branch Protection Rule
- GitHub Enterprise Disable Dependabot
- GitHub Enterprise Disable IP Allow List
- GitHub Enterprise Modify Audit Log Event Stream
- GitHub Enterprise Pause Audit Log Event Stream
- GitHub Enterprise Register Self Hosted Runner
- GitHub Organizations Delete Branch Ruleset
- GitHub Organizations Disable 2FA Requirement
- GitHub Organizations Disable Classic Branch Protection Rule
- GitHub Organizations Disable Dependabot
- Hide User Account From Sign-In Screen
- Linux Auditd Auditd Daemon Abort
- Linux Auditd Auditd Daemon Shutdown
- Linux Auditd Auditd Daemon Start
- Linux Impair Defenses Process Kill
- M365 Copilot Agentic Jailbreak Attack
- M365 Copilot Impersonation Jailbreak Attack
- M365 Copilot Information Extraction Jailbreak Attack
- M365 Copilot Jailbreak Attempts
- M365 Copilot Non Compliant Devices Accessing M365 Copilot
- Microsoft Intune DeviceManagementConfigurationPolicies
- O365 Advanced Audit Disabled
- O365 Block User Consent For Risky Apps Disabled
- O365 Email Security Feature Changed
- Powershell Disable Security Monitoring
- Powershell Remove Windows Defender Directory
- Powershell Windows Defender Exclusion Commands
- Process Kill Base On File Path
- Suspicious wevtutil Usage
- Unload Sysmon Filter Driver
- Unloading AMSI via Reflection
- Windows AD Domain Controller Audit Policy Disabled
- Windows AD GPO Deleted
- Windows AD GPO Disabled
- Windows Attempt To Stop Security Service
- Windows Audit Policy Auditing Option Disabled via Auditpol
- Windows Audit Policy Cleared via Auditpol
- Windows Audit Policy Disabled via Auditpol
- Windows Audit Policy Disabled via Legacy Auditpol
- Windows Audit Policy Excluded Category via Auditpol
- Windows Audit Policy Restored via Auditpol
- Windows Audit Policy Security Descriptor Tampering via Auditpol
- Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
- Windows Cisco Secure Endpoint Unblock File Via Sfc
- Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
- Windows CrowdStrike Agent Registry Key Removal
- Windows Defender ASR or Threat Configuration Tamper
- Windows Defender Exclusion Registry Entry
- Windows Disable or Modify Tools Via Taskkill
- Windows Disable or Stop Browser Process
- Windows Disable Windows Event Logging Disable HTTP Logging
- Windows DisableAntiSpyware Registry
- Windows DISM Remove Defender
- Windows EDRSilencer Execution
- Windows Event For Service Disabled
- Windows Event Log Cleared
- Windows Event Logging Service Has Shutdown
- Windows Eventlog Cleared Via Wevtutil
- Windows Excessive Disabled Services Event
- Windows Filtering Platform Policy Added to Block EDR Process
- Windows Global Object Access Audit List Cleared Via Auditpol
- Windows Impair Defense Add Xml Applocker Rules
- Windows Impair Defense Change Win Defender Health Check Intervals
- Windows Impair Defense Change Win Defender Quick Scan Interval
- Windows Impair Defense Change Win Defender Throttle Rate
- Windows Impair Defense Change Win Defender Tracing Level
- Windows Impair Defense Configure App Install Control
- Windows Impair Defense Define Win Defender Threat Action
- Windows Impair Defense Delete Win Defender Context Menu
- Windows Impair Defense Delete Win Defender Profile Registry
- Windows Impair Defense Deny Security Software With Applocker
- Windows Impair Defense Disable Controlled Folder Access
- Windows Impair Defense Disable Defender Firewall And Network
- Windows Impair Defense Disable Defender Protocol Recognition
- Windows Impair Defense Disable PUA Protection
- Windows Impair Defense Disable Realtime Signature Delivery
- Windows Impair Defense Disable Web Evaluation
- Windows Impair Defense Disable Win Defender App Guard
- Windows Impair Defense Disable Win Defender Compute File Hashes
- Windows Impair Defense Disable Win Defender Gen reports
- Windows Impair Defense Disable Win Defender Network Protection
- Windows Impair Defense Disable Win Defender Report Infection
- Windows Impair Defense Disable Win Defender Scan On Update
- Windows Impair Defense Disable Win Defender Signature Retirement
- Windows Impair Defense Overide Win Defender Phishing Filter
- Windows Impair Defense Override SmartScreen Prompt
- Windows Impair Defense Set Win Defender Smart Screen Level To Warn
- Windows Impair Defenses Disable Auto Logger Session
- Windows Impair Defenses Disable HVCI
- Windows Impair Defenses Disable Win Defender Auto Logging
- Windows Important Audit Policy Disabled
- Windows Increase in Group or Object Modification Activity
- Windows Increase in User Modification Activity
- Windows MpCmdRun RemoveDefinitions Execution
- Windows New Custom Security Descriptor Set On EventLog Channel
- Windows New EventLog ChannelAccess Registry Value Set
- Windows Outlook Dialogs Disabled from Unusual Process
- Windows PowerShell Disable HTTP Logging
- Windows Powershell Import Applocker Policy
- Windows Raccine Scheduled Task Deletion
- Windows Registry Delete Task SD
- Windows Registry Dotnet ETW Disabled Via ENV Variable
- Windows Terminating Lsass Process
- Wmic NonInteractive App Uninstallation