T1211 IBM QRadar · QRadar

Detect Exploitation for Defense Evasion in IBM QRadar

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them. Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. There have also been examples of vulnerabilities in public cloud infrastructure and SaaS applications that may bypass defense boundaries, evade security logs, or deploy hidden infrastructure.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1211 Exploitation for Defense Evasion
Canonical reference: https://attack.mitre.org/techniques/T1211/

QRadar Detection Query

```sql
-- Signal 1: Security process spawning suspicious child process (Sysmon EID 1)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "ProcessImage" AS child_process,
  "ProcessCommandLine" AS child_cmdline,
  "ParentProcessImage" AS parent_process,
  'SecuritySoftwareSpawnedSuspiciousChild' AS detection_signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12 -- Microsoft Windows Security Event Log (Sysmon)
  AND QIDNAME(qid) LIKE '%Sysmon%'
  AND "EventID" = '1'
  AND (LOWER("ParentProcessImage") LIKE '%msmpeng%'
    OR LOWER("ParentProcessImage") LIKE '%mssense%'
    OR LOWER("ParentProcessImage") LIKE '%sensecncproxy%'
    OR LOWER("ParentProcessImage") LIKE '%csagent%'
    OR LOWER("ParentProcessImage") LIKE '%csfalconservice%'
    OR LOWER("ParentProcessImage") LIKE '%sentinelagent%'
    OR LOWER("ParentProcessImage") LIKE '%cylancesvc%'
    OR LOWER("ParentProcessImage") LIKE '%cbdefense%'
    OR LOWER("ParentProcessImage") LIKE '%mbam%'
    OR LOWER("ParentProcessImage") LIKE '%sophosssp%'
    OR LOWER("ParentProcessImage") LIKE '%savservice%'
    OR LOWER("ParentProcessImage") LIKE '%avp.exe%'
    OR LOWER("ParentProcessImage") LIKE '%avgnt%'
    OR LOWER("ParentProcessImage") LIKE '%avastsvc%')
  AND (LOWER("ProcessImage") LIKE '%\cmd.exe'
    OR LOWER("ProcessImage") LIKE '%\powershell.exe'
    OR LOWER("ProcessImage") LIKE '%\pwsh.exe'
    OR LOWER("ProcessImage") LIKE '%\wscript.exe'
    OR LOWER("ProcessImage") LIKE '%\cscript.exe'
    OR LOWER("ProcessImage") LIKE '%\mshta.exe'
    OR LOWER("ProcessImage") LIKE '%\rundll32.exe'
    OR LOWER("ProcessImage") LIKE '%\regsvr32.exe'
    OR LOWER("ProcessImage") LIKE '%\certutil.exe'
    OR LOWER("ProcessImage") LIKE '%\bitsadmin.exe'
    OR LOWER("ProcessImage") LIKE '%\msiexec.exe'
    OR LOWER("ProcessImage") LIKE '%\wmic.exe')
  AND starttime > NOW() - 86400000
UNION
-- Signal 2: Non-system process accessing security process with elevated rights (Sysmon EID 10)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "TargetImage" AS child_process,
  "GrantedAccess" AS child_cmdline,
  "SourceImage" AS parent_process,
  'SuspiciousAccessToSecurityProcess' AS detection_signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12
  AND "EventID" = '10'
  AND (LOWER("TargetImage") LIKE '%msmpeng%'
    OR LOWER("TargetImage") LIKE '%mssense%'
    OR LOWER("TargetImage") LIKE '%csagent%'
    OR LOWER("TargetImage") LIKE '%sentinelagent%'
    OR LOWER("TargetImage") LIKE '%cylancesvc%'
    OR LOWER("TargetImage") LIKE '%avastsvc%')
  AND NOT (LOWER("SourceImage") LIKE '%svchost%'
    OR LOWER("SourceImage") LIKE '%lsass%'
    OR LOWER("SourceImage") LIKE '%csrss%'
    OR LOWER("SourceImage") LIKE '%werfault%')
  -- Sysmon writes GrantedAccess as hex text; normalise case so 0x1FFFFF and 0x1fffff both match
  AND (LOWER("GrantedAccess") = '0x1f0fff'
    OR LOWER("GrantedAccess") = '0x1f1fff'
    OR LOWER("GrantedAccess") = '0x1fffff'
    OR LOWER("GrantedAccess") = '0x143a'
    OR LOWER("GrantedAccess") = '0x1410')
  AND starttime > NOW() - 86400000
UNION
-- Signal 3: Security service stopped or modified (System log EIDs 7034/7036/7045)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "ServiceName" AS child_process,
  "EventID" AS child_cmdline,
  '' AS parent_process,
  'SecurityServiceModifiedOrStopped' AS detection_signal
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12
  AND ("EventID" = '7034' OR "EventID" = '7036' OR "EventID" = '7045')
  AND (LOWER("ServiceName") LIKE '%sense%'
    OR LOWER("ServiceName") LIKE '%windefend%'
    OR LOWER("ServiceName") LIKE '%falcon%'
    OR LOWER("ServiceName") LIKE '%sentinelagent%'
    OR LOWER("ServiceName") LIKE '%cylancesvc%'
    OR LOWER("ServiceName") LIKE '%cbdefense%'
    OR LOWER("ServiceName") LIKE '%mbam%'
    OR LOWER("ServiceName") LIKE '%avast%')
  AND starttime > NOW() - 86400000
ORDER BY event_time DESC
```

Severity: critical · Confidence: high

AQL query detecting T1211 defense evasion exploitation across three signals: security software spawning suspicious interpreter or LOLBin children (Sysmon EID 1), non-system processes opening security agent processes with PROCESS_ALL_ACCESS or similar elevated access masks (Sysmon EID 10), and security service unexpectedly stopped or newly installed (System log EIDs 7034/7036/7045).

Data Sources

  • Windows Sysmon (via QRadar WinCollect or DSM)
  • Windows System Event Log
  • QRadar Log Source Type: Microsoft Windows Security Event Log

Required Tables

events

False Positives & Tuning

  • Security product auto-updaters may legitimately spawn msiexec.exe or cmd.exe during patch cycles
  • SIEM or SOAR integrations that query security process state may open security processes with elevated handles
  • Scheduled maintenance scripts that restart AV services generate EID 7036 stop/start pairs
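To check the three signals described above and the tuning cases in this list against telemetry before deploying the rule, here is the same logic re-implemented in Python (an added example, not IBM's or this page's code). The event dicts, file paths and version folder are constructed samples; field names follow the custom properties the AQL query references.

```python
# Added example (not IBM's or the page's code): the AQL query's three T1211
# signals re-implemented over constructed Sysmon/System event dicts.
SECURITY_PROCS = ("msmpeng", "mssense", "sensecncproxy", "csagent", "csfalconservice",
                  "sentinelagent", "cylancesvc", "cbdefense", "mbam", "sophosssp",
                  "savservice", "avp.exe", "avgnt", "avastsvc")
LOLBINS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe", "wmic.exe")
SYSTEM_SOURCES = ("svchost", "lsass", "csrss", "werfault")
# Sysmon logs GrantedAccess as hex text; compare lower-cased so 0x1FFFFF and 0x1fffff both match.
ELEVATED_ACCESS = {"0x1f0fff", "0x1f1fff", "0x1fffff", "0x143a", "0x1410"}
SECURITY_SVCS = ("sense", "windefend", "falcon", "sentinelagent", "cylancesvc",
                 "cbdefense", "mbam", "avast")
SERVICE_EIDS = {"7034", "7036", "7045"}
def _has(needles, value):  # LOWER(value) LIKE '%needle%' for any needle
    v = (value or "").lower()
    return any(n in v for n in needles)

def classify(ev):
    """Return the detection_signal the AQL query would emit for one event, or None."""
    eid = str(ev.get("EventID"))
    if eid == "1":  # Signal 1: security agent spawning an interpreter or LOLBin
        child = (ev.get("ProcessImage") or "").lower()
        if (_has(SECURITY_PROCS, ev.get("ParentProcessImage"))
                and child.endswith(tuple("\\" + b for b in LOLBINS))):
            return "SecuritySoftwareSpawnedSuspiciousChild"
    elif eid == "10":  # Signal 2: non-system process opening a security agent with elevated rights
        if (_has(SECURITY_PROCS, ev.get("TargetImage"))
                and not _has(SYSTEM_SOURCES, ev.get("SourceImage"))
                and (ev.get("GrantedAccess") or "").lower() in ELEVATED_ACCESS):
            return "SuspiciousAccessToSecurityProcess"
    elif eid in SERVICE_EIDS and _has(SECURITY_SVCS, ev.get("ServiceName")):
        return "SecurityServiceModifiedOrStopped"  # Signal 3: service crashed, changed or installed
    return None
# Constructed sample telemetry (not real logs): the svchost event exercises the
# system-process exclusion; AvastSvc spawning msiexec.exe is the updater false positive.
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentProcessImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "ProcessImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "10", "SourceImage": r"C:\Users\alice\tool.exe",
     "TargetImage": r"C:\Program Files\CrowdStrike\CSFalconService.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "7036", "ServiceName": "WinDefend"},
    {"EventID": "1", "ParentProcessImage": r"C:\Program Files\Avast Software\Avast\AvastSvc.exe",
     "ProcessImage": r"C:\Windows\System32\msiexec.exe"},
]
def run(events=SAMPLE_EVENTS):  # (EventID, signal-or-None) per event
    return [(ev["EventID"], classify(ev)) for ev in events]
```

The last sample event shows why the updater case in the tuning list needs an explicit exclusion: the rule as written still flags it. A handle opened with GrantedAccess 0x0400, as in Test 2 below, is not in the elevated-access list and therefore does not produce Signal 2.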

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Security Process Spawning Command Shell

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe (or the process running the test). Security Event ID 4688 if command line auditing is enabled. The detection signal 'SecuritySoftwareSpawnedSuspiciousChild' may not fire unless the initiating process name matches the security process list — use this test to validate the detection logic by temporarily adding 'powershell.exe' to the SecurityProcesses list in a test environment.

  2. Test 2: Open Handle to Windows Defender Process (ProcessAccess Simulation)

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe, GrantedAccess=0x0400. Note: Windows Defender is Protected Process Light (PPL) — the OpenProcess call may be denied, but Sysmon still logs the attempt with CallTrace data showing the call stack.

  3. Test 3: Security Service State Query and Stop Simulation (Non-Destructive)

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'sc query WinDefend' and 'sc query Sense'. Security Event ID 4688 (if enabled). Sysmon Event ID 1 for wmic.exe with CommandLine containing 'service where name'. These are the same reconnaissance commands used by threat actors (including APT28 tooling) to identify security software before exploitation.

  4. Test 4: Exploit Artifact Simulation: Security Service Crash via WerFault

    Expected signal: Sysmon Event ID 1: Process Create for werfault.exe with command line containing '-p 0'. Application Event Log queries via wevtutil generate additional Sysmon Event ID 1 entries for wevtutil.exe. The WerFault invocation with PID 0 will fail but the process creation telemetry is generated and matches patterns seen when security software is exploited and crashes.
