T1211

Exploitation for Defense Evasion

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. There have also been examples of vulnerabilities in public cloud infrastructure and SaaS applications that may bypass defense boundaries, evade security logs, or deploy hidden infrastructure.

Microsoft Sentinel / Defender

kusto

let SecurityProcesses = dynamic([
  "MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe", "SenseIR.exe",
  "csagent.exe", "CSFalconService.exe", "CSFalconContainer.exe",
  "SentinelAgent.exe", "SentinelServiceHost.exe", "SentinelStaticEngine.exe",
  "CylanceSvc.exe", "CylanceUI.exe",
  "cb.exe", "CbDefense.exe", "CbDefenseService.exe",
  "mbam.exe", "MBAMService.exe",
  "sophosssp.exe", "SophosSafestore.exe", "SAVService.exe",
  "avp.exe", "avpui.exe",
  "avgnt.exe", "avguard.exe",
  "SEDService.exe", "SpybotSD.exe",
  "aswBoot.exe", "AvastSvc.exe"
]);
let ExploitChildProcesses = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
  "bitsadmin.exe", "msiexec.exe", "csc.exe", "msbuild.exe",
  "wmic.exe", "net.exe", "net1.exe", "sc.exe"
]);
// Signal 1: Security software spawning suspicious child processes (post-exploitation execution)
let ExploitedSecurityProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (SecurityProcesses)
| where FileName has_any (ExploitChildProcesses)
| extend DetectionSignal = "SecuritySoftwareSpawnedSuspiciousChild"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSignal;
// Signal 2: Security processes accessing other processes with PROCESS_ALL_ACCESS or PROCESS_VM_WRITE
// (OpenProcess calls against security tools — precursor to exploitation)
let SecurityProcessAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ProcessAccessed"
| where FileName has_any (SecurityProcesses)
| where InitiatingProcessFileName !has_any (SecurityProcesses)
| where InitiatingProcessFileName !in~ ("System", "svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe", "services.exe", "smss.exe")
| extend DetectionSignal = "SuspiciousAccessToSecurityProcess"
| project Timestamp, DeviceName, AccountName,
         FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSignal;
// Signal 3: Security service unexpectedly stopping (possible crash-based exploitation)
let SecurityServiceStop = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "ServiceInstalled" or ActionType == "ServiceDeleted"
| where AdditionalFields has_any (SecurityProcesses)
| extend DetectionSignal = "SecurityServiceModifiedOrStopped"
| project Timestamp, DeviceName, AccountName,
         AdditionalFields, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionSignal;
// Union all signals
union ExploitedSecurityProcess, SecurityProcessAccess, SecurityServiceStop
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Process: Process Access Service: Service Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceEvents

False Positives

Security software updates may spawn cmd.exe or PowerShell as part of self-update or installer routines
Endpoint management platforms (SCCM, Intune, BigFix) may access security software processes during health checks or remediation
Legitimate security tools performing process inspection (SysInternals, vulnerability scanners) may open handles to security processes
Vendor-provided diagnostic or support tools for the security product itself may trigger process access alerts
Windows Error Reporting (WerFault.exe) opens handles to crashed processes including security software during crash dump collection

Splunk

spl

| union
(
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval SecurityParent=if(match(ParentImage, "(?i)(MsMpEng|MsSense|SenseCncProxy|csagent|CSFalconService|SentinelAgent|CylanceSvc|cb\.exe|CbDefense|mbam|sophosssp|SAVService|avp\.exe|avgnt|AvastSvc)"), 1, 0)
  | eval SuspiciousChild=if(match(Image, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msiexec\.exe|csc\.exe|msbuild\.exe|wmic\.exe)"), 1, 0)
  | where SecurityParent=1 AND SuspiciousChild=1
  | eval DetectionSignal="SecuritySoftwareSpawnedSuspiciousChild"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionSignal
)
(
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
  | eval TargetIsSecurity=if(match(TargetImage, "(?i)(MsMpEng|MsSense|SenseCncProxy|csagent|CSFalconService|SentinelAgent|CylanceSvc|cb\.exe|CbDefense|mbam|sophosssp|SAVService|avp\.exe|avgnt|AvastSvc)"), 1, 0)
  | eval SourceIsSystem=if(match(SourceImage, "(?i)(System|svchost\.exe|lsass\.exe|csrss\.exe|wininit\.exe|services\.exe|smss\.exe|WerFault\.exe)"), 1, 0)
  | where TargetIsSecurity=1 AND SourceIsSystem=0
  | eval HighPrivilegeAccess=if(match(GrantedAccess, "(0x1F0FFF|0x1F1FFF|0x143A|0x1410|0x1fffff)"), 1, 0)
  | eval DetectionSignal="SuspiciousAccessToSecurityProcess"
  | table _time, host, SourceImage, SourceCommandLine, TargetImage, GrantedAccess, HighPrivilegeAccess, DetectionSignal
)
(
  search index=wineventlog sourcetype="WinEventLog:System" (EventCode=7034 OR EventCode=7035 OR EventCode=7036 OR EventCode=7045)
  | eval ServiceNameLower=lower(ServiceName)
  | eval IsSecurityService=if(match(ServiceNameLower, "(sense|windefend|falcon|sentinelagent|cylancesvc|cbdefense|mbam|sophosssp|kaspersky|avast|avgnt)"), 1, 0)
  | where IsSecurityService=1
  | eval DetectionSignal="SecurityServiceModifiedOrStopped"
  | table _time, host, ServiceName, EventCode, Message, DetectionSignal
)
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation Process: Process Access Service: Service Modification Sysmon Event ID 1 Sysmon Event ID 10 Windows System Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System

False Positives

Security software self-update processes legitimately spawn cmd.exe or msiexec.exe during patch installation
IT management and RMM tools (ConnectWise, Kaseya, TeamViewer) may access security processes during managed operations
Antivirus vendors' own diagnostic and support utilities trigger process access events against their parent service
Windows Error Reporting (WerFault.exe) opens handles to any crashed process — security software included — during crash dump collection
Service Control Manager legitimate service state transitions (7035/7036) during normal startup/shutdown sequences

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  process where event.type == "start" and
  process.parent.name : (
    "MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe", "SenseIR.exe",
    "csagent.exe", "CSFalconService.exe", "CSFalconContainer.exe",
    "SentinelAgent.exe", "SentinelServiceHost.exe", "SentinelStaticEngine.exe",
    "CylanceSvc.exe", "CylanceUI.exe",
    "cb.exe", "CbDefense.exe", "CbDefenseService.exe",
    "mbam.exe", "MBAMService.exe",
    "sophosssp.exe", "SophosSafestore.exe", "SAVService.exe",
    "avp.exe", "avpui.exe",
    "avgnt.exe", "avguard.exe",
    "aswBoot.exe", "AvastSvc.exe"
  ) and
  process.name : (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "csc.exe", "msbuild.exe",
    "wmic.exe", "net.exe", "net1.exe", "sc.exe"
  )
] by process.parent.pid

OR

any where event.category == "process" and event.action == "process_accessed" and
  process.name : (
    "MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe", "csagent.exe",
    "CSFalconService.exe", "SentinelAgent.exe", "CylanceSvc.exe",
    "cb.exe", "CbDefense.exe", "mbam.exe", "sophosssp.exe",
    "SAVService.exe", "avp.exe", "avgnt.exe", "AvastSvc.exe"
  ) and
  not process.parent.name : (
    "System", "svchost.exe", "lsass.exe", "csrss.exe",
    "wininit.exe", "services.exe", "smss.exe", "WerFault.exe"
  )

OR

any where event.category == "process" and event.code : ("7034", "7035", "7036", "7045") and
  process.name : (
    "MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe", "csagent.exe",
    "CSFalconService.exe", "SentinelAgent.exe", "CylanceSvc.exe",
    "cb.exe", "CbDefense.exe", "mbam.exe", "sophosssp.exe",
    "SAVService.exe", "avp.exe", "avgnt.exe", "AvastSvc.exe"
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon (via Winlogbeat) Windows Event Logs (System log via Winlogbeat)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.security-* winlogbeat-*

False Positives

Legitimate security software updates or self-healing mechanisms may spawn cmd.exe or msiexec.exe during patch application
Security vendor diagnostic or forensic tools may open other security processes with elevated access for interoperability or health checks
Security service restarts during scheduled maintenance windows may trigger service stop/start events (EventCode 7036)

IBM QRadar (AQL)

sql

-- Signal 1: Security process spawning suspicious child process (Sysmon EID 1)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "ProcessImage" AS child_process,
  "ProcessCommandLine" AS child_cmdline,
  "ParentProcessImage" AS parent_process,
  'SecuritySoftwareSpawnedSuspiciousChild' AS detection_signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12 -- Microsoft Windows Security Event Log (Sysmon)
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND "EventID" = '1'
  AND (LOWER("ParentProcessImage") LIKE '%msmpeng%'
    OR LOWER("ParentProcessImage") LIKE '%mssense%'
    OR LOWER("ParentProcessImage") LIKE '%sensecncproxy%'
    OR LOWER("ParentProcessImage") LIKE '%csagent%'
    OR LOWER("ParentProcessImage") LIKE '%csfalconservice%'
    OR LOWER("ParentProcessImage") LIKE '%sentinelagent%'
    OR LOWER("ParentProcessImage") LIKE '%cylancesvc%'
    OR LOWER("ParentProcessImage") LIKE '%cbdefense%'
    OR LOWER("ParentProcessImage") LIKE '%mbam%'
    OR LOWER("ParentProcessImage") LIKE '%sophosssp%'
    OR LOWER("ParentProcessImage") LIKE '%savservice%'
    OR LOWER("ParentProcessImage") LIKE '%avp.exe%'
    OR LOWER("ParentProcessImage") LIKE '%avgnt%'
    OR LOWER("ParentProcessImage") LIKE '%avastsvc%')
  AND (LOWER("ProcessImage") LIKE '%\cmd.exe'
    OR LOWER("ProcessImage") LIKE '%\powershell.exe'
    OR LOWER("ProcessImage") LIKE '%\pwsh.exe'
    OR LOWER("ProcessImage") LIKE '%\wscript.exe'
    OR LOWER("ProcessImage") LIKE '%\cscript.exe'
    OR LOWER("ProcessImage") LIKE '%\mshta.exe'
    OR LOWER("ProcessImage") LIKE '%\rundll32.exe'
    OR LOWER("ProcessImage") LIKE '%\regsvr32.exe'
    OR LOWER("ProcessImage") LIKE '%\certutil.exe'
    OR LOWER("ProcessImage") LIKE '%\bitsadmin.exe'
    OR LOWER("ProcessImage") LIKE '%\msiexec.exe'
    OR LOWER("ProcessImage") LIKE '%\wmic.exe')
  AND starttime > NOW() - 86400000
UNION
-- Signal 2: Non-system process accessing security process with elevated rights (Sysmon EID 10)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "TargetImage" AS child_process,
  "GrantedAccess" AS child_cmdline,
  "SourceImage" AS parent_process,
  'SuspiciousAccessToSecurityProcess' AS detection_signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12
  AND "EventID" = '10'
  AND (LOWER("TargetImage") LIKE '%msmpeng%'
    OR LOWER("TargetImage") LIKE '%mssense%'
    OR LOWER("TargetImage") LIKE '%csagent%'
    OR LOWER("TargetImage") LIKE '%sentinelagent%'
    OR LOWER("TargetImage") LIKE '%cylancesvc%'
    OR LOWER("TargetImage") LIKE '%avastsvc%')
  AND NOT (LOWER("SourceImage") LIKE '%svchost%'
    OR LOWER("SourceImage") LIKE '%lsass%'
    OR LOWER("SourceImage") LIKE '%csrss%'
    OR LOWER("SourceImage") LIKE '%werfault%')
  AND ("GrantedAccess" = '0x1F0FFF'
    OR "GrantedAccess" = '0x1F1FFF'
    OR "GrantedAccess" = '0x1fffff'
    OR "GrantedAccess" = '0x143A'
    OR "GrantedAccess" = '0x1410')
  AND starttime > NOW() - 86400000
UNION
-- Signal 3: Security service stopped or modified (System log EIDs 7034/7036/7045)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "ServiceName" AS child_process,
  "EventID" AS child_cmdline,
  '' AS parent_process,
  'SecurityServiceModifiedOrStopped' AS detection_signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12
  AND ("EventID" = '7034' OR "EventID" = '7036' OR "EventID" = '7045')
  AND (LOWER("ServiceName") LIKE '%sense%'
    OR LOWER("ServiceName") LIKE '%windefend%'
    OR LOWER("ServiceName") LIKE '%falcon%'
    OR LOWER("ServiceName") LIKE '%sentinelagent%'
    OR LOWER("ServiceName") LIKE '%cylancesvc%'
    OR LOWER("ServiceName") LIKE '%cbdefense%'
    OR LOWER("ServiceName") LIKE '%mbam%'
    OR LOWER("ServiceName") LIKE '%avast%')
  AND starttime > NOW() - 86400000
ORDER BY event_time DESC

critical severity high confidence

Data Sources

Windows Sysmon (via QRadar WinCollect or DSM) Windows System Event Log QRadar Log Source Type: Microsoft Windows Security Event Log

Required Tables

events

False Positives

Security product auto-updaters may legitimately spawn msiexec.exe or cmd.exe during patch cycles
SIEM or SOAR integrations that query security process state may open security processes with elevated handles
Scheduled maintenance scripts that restart AV services generate EID 7036 stop/start pairs

Sumo Logic CSE

sql

// Signal 1: Security software spawning suspicious child process
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*)
| where EventID = "1"
| parse field=ParentImage "*" as parent_image_raw
| parse field=Image "*" as child_image_raw
| eval parent_lower = toLowerCase(parent_image_raw)
| eval child_lower = toLowerCase(child_image_raw)
| where (parent_lower matches "*msmpeng*"
  OR parent_lower matches "*mssense*"
  OR parent_lower matches "*sensecncproxy*"
  OR parent_lower matches "*csagent*"
  OR parent_lower matches "*csfalconservice*"
  OR parent_lower matches "*sentinelagent*"
  OR parent_lower matches "*cylancesvc*"
  OR parent_lower matches "*cbdefense*"
  OR parent_lower matches "*mbam*"
  OR parent_lower matches "*sophosssp*"
  OR parent_lower matches "*savservice*"
  OR parent_lower matches "*avp.exe*"
  OR parent_lower matches "*avgnt*"
  OR parent_lower matches "*avastsvc*")
| where (child_lower matches "*\cmd.exe"
  OR child_lower matches "*\powershell.exe"
  OR child_lower matches "*\pwsh.exe"
  OR child_lower matches "*\wscript.exe"
  OR child_lower matches "*\cscript.exe"
  OR child_lower matches "*\mshta.exe"
  OR child_lower matches "*\rundll32.exe"
  OR child_lower matches "*\regsvr32.exe"
  OR child_lower matches "*\certutil.exe"
  OR child_lower matches "*\bitsadmin.exe"
  OR child_lower matches "*\msiexec.exe"
  OR child_lower matches "*\wmic.exe"
  OR child_lower matches "*\sc.exe")
| withtime _messageTime
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine
| eval detection_signal = "SecuritySoftwareSpawnedSuspiciousChild"

// Signal 2: Non-system process accessing security process with elevated access (Sysmon EID 10)
// Run as second query in union panel:
// (_sourceCategory=*windows*sysmon*) EventID=10
// | eval target_lower = toLowerCase(TargetImage)
// | eval source_lower = toLowerCase(SourceImage)
// | where (target_lower matches "*msmpeng*" OR target_lower matches "*sentinelagent*" OR target_lower matches "*csagent*" OR target_lower matches "*cylancesvc*" OR target_lower matches "*avastsvc*")
// | where NOT (source_lower matches "*svchost*" OR source_lower matches "*lsass*" OR source_lower matches "*csrss*" OR source_lower matches "*werfault*")
// | where GrantedAccess in ("0x1F0FFF","0x1F1FFF","0x1fffff","0x143A","0x1410")
// | eval detection_signal = "SuspiciousAccessToSecurityProcess"
// | fields _messageTime, Computer, SourceImage, SourceCommandLine, TargetImage, GrantedAccess, detection_signal

// Signal 3: Security service stopped or modified (System log)
// (_sourceCategory=*windows*system* OR _sourceCategory=*wineventlog*system*)
// | where EventID in ("7034","7036","7045")
// | eval svc_lower = toLowerCase(ServiceName)
// | where (svc_lower matches "*sense*" OR svc_lower matches "*windefend*" OR svc_lower matches "*falcon*" OR svc_lower matches "*sentinelagent*" OR svc_lower matches "*cylance*" OR svc_lower matches "*cbdefense*" OR svc_lower matches "*avast*")
// | eval detection_signal = "SecurityServiceModifiedOrStopped"
// | fields _messageTime, Computer, ServiceName, EventID, Message, detection_signal

| count by detection_signal, Computer, User
| sort by _count desc

critical severity high confidence

Data Sources

Windows Sysmon logs (via Installed Collector or OpenTelemetry) Windows System Event Logs Sumo Logic Cloud SIEM Enterprise normalized schema

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*windows*system*

False Positives

Legitimate vendor update packages may cause AV processes to spawn msiexec.exe or cmd.exe transiently
Security orchestration tools (SOAR) may programmatically access security agent processes to gather telemetry
Antivirus scheduled scan completion events may cause transient service stop/start cycles matching EID 7036

Google Chronicle / SecOps

yaral

rule T1211_exploitation_for_defense_evasion {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exploitation of security software for defense evasion (T1211) via three signals: security process spawning suspicious child, non-system process accessing security process with elevated rights, and security service modification."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1211"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    // Signal 1: Security software spawning suspicious child process
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)(MsMpEng|MsSense|SenseCncProxy|SenseIR|csagent|CSFalconService|CSFalconContainer|SentinelAgent|SentinelServiceHost|SentinelStaticEngine|CylanceSvc|CylanceUI|CbDefense|CbDefenseService|MBAMService|sophosssp|SophosSafestore|SAVService|avpui|avguard|aswBoot|AvastSvc)\.exe`)
        or re.regex($e1.principal.process.file.full_path, `(?i)(cb\.exe|avp\.exe|mbam\.exe|avgnt\.exe)`)
      )
      and (
        re.regex($e1.target.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|csc|msbuild|wmic|net|net1|sc)\.exe`)
      )
    )
    or
    // Signal 2: Non-system process accessing security process with PROCESS_ALL_ACCESS
    (
      $e1.metadata.event_type = "PROCESS_OPEN"
      and (
        re.regex($e1.target.process.file.full_path, `(?i)(MsMpEng|MsSense|SenseCncProxy|csagent|CSFalconService|SentinelAgent|CylanceSvc|cb\.exe|CbDefense|mbam|sophosssp|SAVService|avp\.exe|avgnt|AvastSvc)\.exe`)
      )
      and not (
        re.regex($e1.principal.process.file.full_path, `(?i)(System|svchost|lsass|csrss|wininit|services|smss|WerFault)\.exe`)
      )
      and (
        $e1.target.process.access_mask = "0x1F0FFF"
        or $e1.target.process.access_mask = "0x1F1FFF"
        or $e1.target.process.access_mask = "0x1fffff"
        or $e1.target.process.access_mask = "0x143A"
        or $e1.target.process.access_mask = "0x1410"
      )
    )
    or
    // Signal 3: Security service modified or stopped
    (
      $e1.metadata.event_type = "SERVICE_MODIFICATION"
      and (
        re.regex($e1.target.resource.name, `(?i)(sense|windefend|falcon|sentinelagent|cylancesvc|cbdefense|mbam|sophosssp|kaspersky|avast|avgnt)`)
      )
    )

  condition:
    $e1
}

critical severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Sysmon events forwarded to Chronicle Windows Security Event Logs via Chronicle ingestion Endpoint telemetry (CrowdStrike, Carbon Black, Defender for Endpoint) via Chronicle parsers

Required Tables

UDM events (process, service log types)

False Positives

Security product self-update routines may spawn msiexec.exe or cmd.exe as part of package installation
Security orchestration or MDM platforms may open AV/EDR processes with elevated handles during health checks
Patch management tools restarting security services during maintenance windows will generate SERVICE_MODIFICATION events

CrowdStrike LogScale (CQL)

cql

// Signal 1: Security software spawning suspicious child process
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(MsMpEng|MsSense|SenseCncProxy|SenseIR|csagent|CSFalconService|CSFalconContainer|SentinelAgent|SentinelServiceHost|SentinelStaticEngine|CylanceSvc|CylanceUI|cb\.exe|CbDefense|CbDefenseService|mbam|MBAMService|sophosssp|SophosSafestore|SAVService|avp\.exe|avpui|avgnt|avguard|aswBoot|AvastSvc)\.exe/i
| FileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|csc|msbuild|wmic|net|net1|sc)\.exe/i
| groupBy([ComputerName, UserName, ParentBaseFileName, FileName, CommandLine, ParentCommandLine], function=count(aid, as=EventCount))
| eval DetectionSignal = "SecuritySoftwareSpawnedSuspiciousChild"
| sort(EventCount, order=desc)

// Signal 2: Non-system process accessing security process with PROCESS_ALL_ACCESS (ProcessAccess Sysmon-like)
// Requires Falcon ProcessAccessEvent or UserIdentity correlation
// Uncomment and run separately if ProcessAccess events are ingested:
// #event_simpleName=ProcessAccess
// | TargetImageFileName = /(?i)(MsMpEng|MsSense|SenseCncProxy|csagent|CSFalconService|SentinelAgent|CylanceSvc|cb\.exe|CbDefense|mbam|sophosssp|SAVService|avp\.exe|avgnt|AvastSvc)\.exe/i
// | SourceImageFileName != /(?i)(System|svchost|lsass|csrss|wininit|services|smss|WerFault)\.exe/i
// | GrantedAccess in ("0x1F0FFF","0x1F1FFF","0x1fffff","0x143A","0x1410")
// | groupBy([ComputerName, SourceImageFileName, TargetImageFileName, GrantedAccess], function=count(aid, as=EventCount))
// | eval DetectionSignal = "SuspiciousAccessToSecurityProcess"

// Signal 3: Security service termination via ServiceControl events
// #event_simpleName=ServiceActivityEvent OR #event_simpleName=ServiceStopRequest
// | ServiceDisplayName = /(?i)(sense|windefend|falcon|sentinelagent|cylancesvc|cbdefense|mbam|avast|sophosssp)/i
// | groupBy([ComputerName, ServiceDisplayName, ServiceState, UserName], function=count(aid, as=EventCount))
// | eval DetectionSignal = "SecurityServiceModifiedOrStopped"

critical severity high confidence

Data Sources

CrowdStrike Falcon ProcessRollup2 events CrowdStrike Falcon ProcessAccess events (if Sysmon-style collection enabled) CrowdStrike Falcon ServiceActivityEvent Falcon LogScale (Humio) streaming telemetry

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=ProcessAccess #event_simpleName=ServiceActivityEvent

False Positives

Legitimate AV engine updates may spawn msiexec.exe or cmd.exe as part of signature package installation workflows
CrowdStrike RTR (Real Time Response) sessions may spawn cmd.exe or powershell.exe from sensor-related processes during analyst-initiated investigations
Vendor-provided health check or diagnostic utilities may temporarily access AV/EDR processes during troubleshooting

Last updated: 2026-04-19 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1211 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation for Defense Evasion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections