Which SIEM platforms have a T1562 detection rule?

df00tech provides T1562 (Impair Defenses) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1562 detection?

The T1562 detection is rated high severity with medium confidence.

What are common false positives for T1562?

Common false positives for T1562 include: IT administrators performing legitimate maintenance or reconfiguration of security tools during planned change windows; Endpoint management tools (SCCM, Intune, GPO) updating Defender exclusions or policies; Security tool upgrades that temporarily stop and restart services.

T1562

Impair Defenses

Q: What data sources are required to detect Impair Defenses (T1562)?

Detecting Impair Defenses requires the following data sources: Process: Process Creation, Command: Command Execution, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint.

Defense Evasion Last updated: April 21, 2026

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process.

What is T1562 Impair Defenses?

Impair Defenses (T1562) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Impair Defenses, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1562 Impair Defenses
Canonical reference: https://attack.mitre.org/techniques/T1562/

Microsoft Sentinel / Defender

kusto

let SecurityServiceNames = dynamic(["WinDefend", "MsMpSvc", "Sense", "WdNisSvc", "WdNisDrv", "WdFilter", "WdBoot", "SecurityHealthService", "wscsvc", "EventLog", "MpsSvc"]);
let SuspiciousCommands = dynamic(["sc stop", "sc config", "net stop", "taskkill", "Set-MpPreference", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "Remove-MpPreference", "auditpol /clear", "auditpol /set", "wevtutil cl", "bcdedit /set", "netsh advfirewall set"]);
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
| extend CommandLine = coalesce(ProcessCommandLine, "")
| where CommandLine has_any (SuspiciousCommands)
   or (ActionType == "RegistryValueSet" and RegistryKey has_any ("WinDefend", "EventLog", "SecurityHealth", "MpsSvc"))
| extend StoppedService = extract(@"(?:sc\s+(?:stop|config)|net\s+stop)\s+([\w]+)", 1, CommandLine)
| extend IsSecurityService = StoppedService in (SecurityServiceNames)
| project Timestamp, DeviceName, AccountName, ActionType, CommandLine, RegistryKey, RegistryValueName, RegistryValueData, StoppedService, IsSecurityService
| sort by Timestamp desc

Broad detection for defense impairment activities across Windows endpoints. Monitors for security service stopping, firewall modifications, event log clearing, audit policy changes, safe mode boot changes, and Defender preference modifications. Combines process creation and registry events for comprehensive coverage.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

IT administrators performing legitimate maintenance or reconfiguration of security tools during planned change windows
Endpoint management tools (SCCM, Intune, GPO) updating Defender exclusions or policies
Security tool upgrades that temporarily stop and restart services

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line regex~ "(?i)(sc\s+(stop|config)|net\s+stop|taskkill).*?(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|wscsvc|WdNisSvc)"
      or process.command_line regex~ "(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)"
      or process.command_line regex~ "(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)"
      or process.command_line regex~ "(?i)(bcdedit\s+/set\s+.{0,30}safeboot|netsh\s+advfirewall\s+set)"
      or process.command_line regex~ "(?i)taskkill.{0,50}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)"
    )
  )
  or
  (
    event.category == "registry" and event.type in ("change", "creation") and
    registry.path regex~ "(?i).*?(WinDefend|EventLog|SecurityHealth|MpsSvc|MsMpSvc).*"
  )
  or
  (
    event.category == "process" and event.type == "start" and
    winlog.event_id in ("1102", "4719")
  )
)

Detects T1562 Impair Defenses activity including security service tampering via sc/net stop commands, Windows Defender modification via Set-MpPreference, audit log clearing via auditpol or wevtutil, firewall manipulation via netsh advfirewall, and boot configuration changes via bcdedit targeting safeboot modes. Covers process execution patterns and registry modifications to security service keys.

high severity high confidence

Data Sources

Windows Endpoint Logs Sysmon Elastic Endpoint Security Windows Security Event Log

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Legitimate IT administrators performing planned maintenance on endpoint security tools or Group Policy updates that modify Defender settings
Enterprise software deployment systems (SCCM, Ansible, Chef) that stop/restart security services during upgrades or configuration management runs
Security team red team exercises or authorized penetration testing activities targeting defensive controls
Backup and recovery tools that temporarily disable real-time monitoring to improve performance during large backup operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "CommandLine",
  "Message",
  LOGSOURCENAME(logsourceid) AS log_source,
  qid
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      qid IN (5002050, 5002051, 5002052)
      AND (
        LOWER("CommandLine") IMATCHES '(?s).*(sc\s+(stop|config)|net\s+stop|taskkill).*(windefend|sense|msmpsvc|securityhealth|eventlog|mpsvc|wdnissvc).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*(auditpol\s+/(clear|set)|wevtutil\s+cl).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*(set-mppreference|disablerealtimemonitoring|disablebehaviormonitoring|remove-mppreference).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*(bcdedit\s+/set.{0,30}safeboot|netsh\s+advfirewall\s+set).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*taskkill.{0,50}(msmpeng|nissrv|securityhealth|mpcmdrun).*'
      )
    )
    OR
    (
      qid = 5002101
    )
    OR
    (
      "EventID" IN ('1102', '4719', '7036', '7040')
    )
  )
ORDER BY starttime DESC
LIMIT 1000

Detects T1562 Impair Defenses by correlating Windows process creation events (Sysmon EID 1 / Security EID 4688) showing security service stop commands, Defender configuration changes, audit policy tampering, log clearing events, and service state change events. Covers all major sub-techniques: service tampering, log tampering, Defender modification, and boot configuration changes.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Windows Sysmon Microsoft Windows System Event Log

Required Tables

events

False Positives

Scheduled endpoint management tasks by IT ops teams that reconfigure or restart security services during maintenance windows
Antivirus or EDR software update processes that temporarily disable protection modules before re-enabling updated versions
SIEM or SOAR automation playbooks that query or modify audit policies as part of incident response procedures

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=windows/system
| where EventCode in ("1", "1102", "4688", "4719", "7036", "7040", "7045")
| eval action = if(
    (EventCode in ("1", "4688")) and
    matches(CommandLine, "(?i)(sc\s+(stop|config)|net\s+stop|taskkill).*(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)"),
    "security_service_tampering",
    if(
      (EventCode in ("1", "4688")) and
      matches(CommandLine, "(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)"),
      "log_tampering",
      if(
        (EventCode in ("1", "4688")) and
        matches(CommandLine, "(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)"),
        "defender_modification",
        if(
          (EventCode in ("1", "4688")) and
          matches(CommandLine, "(?i)(bcdedit\s+/set.{0,30}safeboot|netsh\s+advfirewall\s+set)"),
          "boot_or_firewall_tampering",
          if(EventCode == "1102", "audit_log_cleared",
            if(EventCode == "4719", "audit_policy_changed",
              if(EventCode in ("7036", "7040"), "service_state_change", null)
            )
          )
        )
      )
    )
  )
| where !isNull(action)
| fields _messageTime, host, User, EventCode, action, CommandLine, Message
| sort by _messageTime desc

Detects T1562 Impair Defenses across multiple Windows event sources by correlating Sysmon process creation events (EID 1), Security process creation (EID 4688), audit log cleared (EID 1102), audit policy changes (EID 4719), and service state changes (EID 7036/7040). Classifies each event by attack sub-type: security service tampering, log tampering, Defender modification, boot/firewall tampering, and audit policy changes.

high severity high confidence

Data Sources

Windows Security Event Log Windows System Event Log Sysmon Operational Log

Required Tables

windows/sysmon windows/security windows/system

False Positives

Windows Defender platform updates initiated by Microsoft Update that temporarily modify service state and Defender configuration settings
IT asset management or vulnerability scanning tools that query or temporarily alter audit policies to perform privileged scans
Group Policy application during machine startup or refresh cycles that alters firewall rules via netsh or service configurations

Google Chronicle / SecOps

yaral

rule t1562_impair_defenses {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562 Impair Defenses - adversaries modifying or disabling security tools, audit logging, and defensive mechanisms"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)`)
        or re.regex($e.target.process.command_line, `(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)`)
        or re.regex($e.target.process.command_line, `(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)`)
        or re.regex($e.target.process.command_line, `(?i)(bcdedit\s+/set.{0,40}safeboot|netsh\s+advfirewall\s+set)`)
        or re.regex($e.target.process.command_line, `(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)`)
      )
    )
    or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i).*(WinDefend|EventLog|SecurityHealth|MpsSvc|MsMpSvc).*`)
      )
    )
    or
    (
      $e.metadata.event_type = "USER_RESOURCE_ACCESS"
      and $e.metadata.product_event_type = "1102"
    )
    or
    (
      $e.metadata.event_type = "AUDIT_LOG_UPDATED"
      and $e.metadata.product_event_type = "4719"
    )

  condition:
    $e
}

YARA-L 2.0 rule detecting T1562 Impair Defenses via process launch events matching security service stop commands, Defender modification commands, audit log tampering, and firewall manipulation. Also triggers on registry modifications to security service keys and Windows audit log cleared/policy changed events (EID 1102, 4719). Uses UDM process and registry event types.

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Forwarding to Chronicle Endpoint Detection (EDR)

Required Tables

UDM Events (process_launch, registry_modification, audit_log_updated, user_resource_access)

False Positives

Authorized enterprise security tooling updates performed by security vendors that temporarily disable Defender components or modify audit policies
System administrators running scripted hardening or compliance baseline tools that configure audit policies and firewall rules
Cloud provisioning automation (Terraform, Ansible) that configures Windows Firewall rules or disables services before applying custom security configurations

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| CommandLine = /(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)/
  OR CommandLine = /(?i)(auditpol\s+\/(clear|set)|wevtutil\s+cl\s)/
  OR CommandLine = /(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)/
  OR CommandLine = /(?i)(bcdedit\s+\/set.{0,40}safeboot|netsh\s+advfirewall\s+set)/
  OR CommandLine = /(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)/
| eval action = case(
    CommandLine = /(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|EventLog|MpsSvc)/,
    "security_service_tampering",
    CommandLine = /(?i)(auditpol\s+\/(clear|set)|wevtutil\s+cl\s)/,
    "log_tampering",
    CommandLine = /(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)/,
    "defender_modification",
    CommandLine = /(?i)(bcdedit\s+\/set.{0,40}safeboot|netsh\s+advfirewall\s+set)/,
    "boot_or_firewall_tampering",
    CommandLine = /(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)/,
    "defender_process_kill",
    true(), "unknown_impair_defenses"
  )
| table(["@timestamp", "ComputerName", "UserName", "FileName", "CommandLine", "ParentBaseFileName", "action", "TargetProcessId", "ContextProcessId"])
| sort(field="@timestamp", order=desc)

Detects T1562 Impair Defenses using CrowdStrike Falcon ProcessRollup2 events. Matches command lines targeting Windows security service stop/config operations, Defender real-time monitoring disablement, audit log clearing via auditpol and wevtutil, boot configuration safeboot changes via bcdedit, firewall manipulation via netsh advfirewall, and direct process termination of Defender components. Classifies each match into specific impairment sub-categories.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Data Replicator

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

IT administrators or endpoint management platforms (SCCM, Intune) running scripted maintenance tasks that stop and restart Windows security services during patch cycles
CrowdStrike Falcon sensor updates or configuration changes that transiently alter Defender coexistence settings or service states
Automated security baseline tools (CIS-CAT, SCAP scanners) that audit or modify audit policies and Windows Firewall settings as part of compliance assessments

Sigma rule & cross-platform mapping

The detection logic for Impair Defenses (T1562) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1562 Sigma rules on detection.fyi

Platform-specific guides for T1562

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-21 Research depth: deep

References (4)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Stop Windows Defender Service
Expected signal: Sysmon Event ID 1: Process Create with CommandLine 'sc stop WinDefend'. System Event ID 7036: Windows Defender Antivirus Service entered the stopped state. Security Event ID 4688 if command line auditing enabled.
Test 2Clear Security Event Log
Expected signal: Security Event ID 1102: The audit log was cleared. Sysmon Event ID 1: Process Create with CommandLine 'wevtutil cl Security'.
Test 3Disable Audit Policy
Expected signal: Security Event ID 4719: System audit policy was changed. Sysmon Event ID 1: Process Create with CommandLine 'auditpol /clear /y'.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1562 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0005Defense Evasion

Sub-techniques (12)

Related Techniques

T1562.001Disable or Modify Tools T1562.002Disable Windows Event Logging T1562.004Disable or Modify System Firewall T1562.006Indicator Blocking T1562.009Safe Mode Boot T1070.001Clear Windows Event Logs T1112Modify Registry T1543.003Windows Service

Impair Defenses

What is T1562 Impair Defenses?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1562

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (12)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1562 Impair Defenses?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1562

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (12)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox