T1562 Impair Defenses Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SecurityServiceNames = dynamic(["WinDefend", "MsMpSvc", "Sense", "WdNisSvc", "WdNisDrv", "WdFilter", "WdBoot", "SecurityHealthService", "wscsvc", "EventLog", "MpsSvc"]);
let SuspiciousCommands = dynamic(["sc stop", "sc config", "net stop", "taskkill", "Set-MpPreference", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "Remove-MpPreference", "auditpol /clear", "auditpol /set", "wevtutil cl", "bcdedit /set", "netsh advfirewall set"]);
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
| extend CommandLine = coalesce(ProcessCommandLine, "")
| where CommandLine has_any (SuspiciousCommands)
   or (ActionType == "RegistryValueSet" and RegistryKey has_any ("WinDefend", "EventLog", "SecurityHealth", "MpsSvc"))
| extend StoppedService = extract(@"(?:sc\s+(?:stop|config)|net\s+stop)\s+([\w]+)", 1, CommandLine)
| extend IsSecurityService = StoppedService in (SecurityServiceNames)
| project Timestamp, DeviceName, AccountName, ActionType, CommandLine, RegistryKey, RegistryValueName, RegistryValueData, StoppedService, IsSecurityService
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

IT administrators performing legitimate maintenance or reconfiguration of security tools during planned change windows
Endpoint management tools (SCCM, Intune, GPO) updating Defender exclusions or policies
Security tool upgrades that temporarily stop and restart services

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:System" EventCode IN (7036, 7040, 7045)) OR (sourcetype="WinEventLog:Security" EventCode IN (1102, 4719))
| eval action=case(
    EventCode==1 AND match(CommandLine, "(?i)(sc\s+(stop|config)|net\s+stop|taskkill).*(WinDefend|Sense|MsMpSvc|SecurityHealth|EventLog|MpsSvc)"), "service_tampering",
    EventCode==1 AND match(CommandLine, "(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl)"), "log_tampering",
    EventCode==1 AND match(CommandLine, "(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring)"), "defender_modification",
    EventCode==1 AND match(CommandLine, "(?i)(bcdedit\s+/set\s+.*safeboot|netsh\s+advfirewall)"), "boot_or_firewall",
    EventCode==1102, "log_cleared",
    EventCode==4719, "audit_policy_changed",
    EventCode==7036 OR EventCode==7040, "service_state_change",
    true(), null())
| where isnotnull(action)
| table _time, host, User, EventCode, action, CommandLine, Message
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Windows Event Log: System Windows Event Log: Security Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System WinEventLog:Security

False Positives

IT administrators performing legitimate maintenance or reconfiguration of security tools during planned change windows
Endpoint management tools (SCCM, Intune, GPO) updating Defender exclusions or policies
Security tool upgrades that temporarily stop and restart services

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line regex~ "(?i)(sc\s+(stop|config)|net\s+stop|taskkill).*?(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|wscsvc|WdNisSvc)"
      or process.command_line regex~ "(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)"
      or process.command_line regex~ "(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)"
      or process.command_line regex~ "(?i)(bcdedit\s+/set\s+.{0,30}safeboot|netsh\s+advfirewall\s+set)"
      or process.command_line regex~ "(?i)taskkill.{0,50}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)"
    )
  )
  or
  (
    event.category == "registry" and event.type in ("change", "creation") and
    registry.path regex~ "(?i).*?(WinDefend|EventLog|SecurityHealth|MpsSvc|MsMpSvc).*"
  )
  or
  (
    event.category == "process" and event.type == "start" and
    winlog.event_id in ("1102", "4719")
  )
)

high severity high confidence

Data Sources

Windows Endpoint Logs Sysmon Elastic Endpoint Security Windows Security Event Log

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

Legitimate IT administrators performing planned maintenance on endpoint security tools or Group Policy updates that modify Defender settings
Enterprise software deployment systems (SCCM, Ansible, Chef) that stop/restart security services during upgrades or configuration management runs
Security team red team exercises or authorized penetration testing activities targeting defensive controls
Backup and recovery tools that temporarily disable real-time monitoring to improve performance during large backup operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "CommandLine",
  "Message",
  LOGSOURCENAME(logsourceid) AS log_source,
  qid
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    (
      qid IN (5002050, 5002051, 5002052)
      AND (
        LOWER("CommandLine") IMATCHES '(?s).*(sc\s+(stop|config)|net\s+stop|taskkill).*(windefend|sense|msmpsvc|securityhealth|eventlog|mpsvc|wdnissvc).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*(auditpol\s+/(clear|set)|wevtutil\s+cl).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*(set-mppreference|disablerealtimemonitoring|disablebehaviormonitoring|remove-mppreference).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*(bcdedit\s+/set.{0,30}safeboot|netsh\s+advfirewall\s+set).*'
        OR LOWER("CommandLine") IMATCHES '(?s).*taskkill.{0,50}(msmpeng|nissrv|securityhealth|mpcmdrun).*'
      )
    )
    OR
    (
      qid = 5002101
    )
    OR
    (
      "EventID" IN ('1102', '4719', '7036', '7040')
    )
  )
ORDER BY starttime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Windows Sysmon Microsoft Windows System Event Log

Required Tables

events

False Positives

Scheduled endpoint management tasks by IT ops teams that reconfigure or restart security services during maintenance windows
Antivirus or EDR software update processes that temporarily disable protection modules before re-enabling updated versions
SIEM or SOAR automation playbooks that query or modify audit policies as part of incident response procedures

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=windows/system
| where EventCode in ("1", "1102", "4688", "4719", "7036", "7040", "7045")
| eval action = if(
    (EventCode in ("1", "4688")) and
    matches(CommandLine, "(?i)(sc\s+(stop|config)|net\s+stop|taskkill).*(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)"),
    "security_service_tampering",
    if(
      (EventCode in ("1", "4688")) and
      matches(CommandLine, "(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)"),
      "log_tampering",
      if(
        (EventCode in ("1", "4688")) and
        matches(CommandLine, "(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)"),
        "defender_modification",
        if(
          (EventCode in ("1", "4688")) and
          matches(CommandLine, "(?i)(bcdedit\s+/set.{0,30}safeboot|netsh\s+advfirewall\s+set)"),
          "boot_or_firewall_tampering",
          if(EventCode == "1102", "audit_log_cleared",
            if(EventCode == "4719", "audit_policy_changed",
              if(EventCode in ("7036", "7040"), "service_state_change", null)
            )
          )
        )
      )
    )
  )
| where !isNull(action)
| fields _messageTime, host, User, EventCode, action, CommandLine, Message
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log Windows System Event Log Sysmon Operational Log

Required Tables

windows/sysmon windows/security windows/system

False Positives

Windows Defender platform updates initiated by Microsoft Update that temporarily modify service state and Defender configuration settings
IT asset management or vulnerability scanning tools that query or temporarily alter audit policies to perform privileged scans
Group Policy application during machine startup or refresh cycles that alters firewall rules via netsh or service configurations

Google Chronicle / SecOps

yaral

rule t1562_impair_defenses {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562 Impair Defenses - adversaries modifying or disabling security tools, audit logging, and defensive mechanisms"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)`)
        or re.regex($e.target.process.command_line, `(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)`)
        or re.regex($e.target.process.command_line, `(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)`)
        or re.regex($e.target.process.command_line, `(?i)(bcdedit\s+/set.{0,40}safeboot|netsh\s+advfirewall\s+set)`)
        or re.regex($e.target.process.command_line, `(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)`)
      )
    )
    or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i).*(WinDefend|EventLog|SecurityHealth|MpsSvc|MsMpSvc).*`)
      )
    )
    or
    (
      $e.metadata.event_type = "USER_RESOURCE_ACCESS"
      and $e.metadata.product_event_type = "1102"
    )
    or
    (
      $e.metadata.event_type = "AUDIT_LOG_UPDATED"
      and $e.metadata.product_event_type = "4719"
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Forwarding to Chronicle Endpoint Detection (EDR)

Required Tables

UDM Events (process_launch, registry_modification, audit_log_updated, user_resource_access)

False Positives

Authorized enterprise security tooling updates performed by security vendors that temporarily disable Defender components or modify audit policies
System administrators running scripted hardening or compliance baseline tools that configure audit policies and firewall rules
Cloud provisioning automation (Terraform, Ansible) that configures Windows Firewall rules or disables services before applying custom security configurations

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| CommandLine = /(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)/
  OR CommandLine = /(?i)(auditpol\s+\/(clear|set)|wevtutil\s+cl\s)/
  OR CommandLine = /(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)/
  OR CommandLine = /(?i)(bcdedit\s+\/set.{0,40}safeboot|netsh\s+advfirewall\s+set)/
  OR CommandLine = /(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)/
| eval action = case(
    CommandLine = /(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|EventLog|MpsSvc)/,
    "security_service_tampering",
    CommandLine = /(?i)(auditpol\s+\/(clear|set)|wevtutil\s+cl\s)/,
    "log_tampering",
    CommandLine = /(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)/,
    "defender_modification",
    CommandLine = /(?i)(bcdedit\s+\/set.{0,40}safeboot|netsh\s+advfirewall\s+set)/,
    "boot_or_firewall_tampering",
    CommandLine = /(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)/,
    "defender_process_kill",
    true(), "unknown_impair_defenses"
  )
| table(["@timestamp", "ComputerName", "UserName", "FileName", "CommandLine", "ParentBaseFileName", "action", "TargetProcessId", "ContextProcessId"])
| sort(field="@timestamp", order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike Falcon Data Replicator

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

IT administrators or endpoint management platforms (SCCM, Intune) running scripted maintenance tasks that stop and restart Windows security services during patch cycles
CrowdStrike Falcon sensor updates or configuration changes that transiently alter Defender coexistence settings or service states
Automated security baseline tools (CIS-CAT, SCAP scanners) that audit or modify audit policies and Windows Firewall settings as part of compliance assessments

Impair Defenses

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (12)

Same Tactic: Defense Evasion

Popular Detections