T1562.001

Disable or Modify Tools

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.

Microsoft Sentinel / Defender

kusto

let SecurityProcesses = dynamic(["MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe", "SenseIR.exe", "SenseSampleUploader.exe", "SecurityHealthService.exe", "SecurityHealthSystray.exe", "csfalconservice.exe", "csfalconcontainer.exe", "CylanceSvc.exe", "cb.exe", "CbDefense.exe", "SentinelAgent.exe", "SentinelServiceHost.exe", "taniumclient.exe", "TmCCSF.exe", "coreServiceShell.exe"]);
let SecurityServices = dynamic(["WinDefend", "Sense", "MsMpSvc", "WdNisSvc", "SecurityHealthService", "wscsvc", "CrowdStrike", "CylanceSvc", "CbDefense", "SentinelAgent"]);
let SuspiciousActions = dynamic(["sc stop", "sc delete", "sc config", "net stop", "taskkill /f /im", "Set-MpPreference -DisableRealtimeMonitoring", "Set-MpPreference -DisableBehaviorMonitoring", "Set-MpPreference -DisableIOAVProtection", "Set-MpPreference -DisableScriptScanning", "Add-MpPreference -ExclusionPath", "Add-MpPreference -ExclusionProcess", "Set-MpPreference -DisableBlockAtFirstSeen", "DisableAntiSpyware", "SystemSettingsAdminFlows.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousActions)
   or (FileName =~ "taskkill.exe" and ProcessCommandLine has_any (SecurityProcesses))
   or (FileName in~ ("sc.exe", "net.exe", "net1.exe") and ProcessCommandLine has_any (SecurityServices))
| extend TargetTool = case(
    ProcessCommandLine has_any ("WinDefend", "MsMpEng", "MsSense", "Sense", "Defender"), "Windows Defender/MDE",
    ProcessCommandLine has_any ("CrowdStrike", "csfalcon"), "CrowdStrike Falcon",
    ProcessCommandLine has_any ("Cylance"), "Cylance",
    ProcessCommandLine has_any ("Carbon", "CbDefense", "cb.exe"), "Carbon Black",
    ProcessCommandLine has_any ("Sentinel"), "SentinelOne",
    ProcessCommandLine has_any ("Tanium", "taniumclient"), "Tanium",
    ProcessCommandLine has_any ("ExclusionPath", "ExclusionProcess"), "Defender Exclusion",
    "Other/Unknown")
| extend ActionType2 = case(
    ProcessCommandLine has "taskkill", "Process Kill",
    ProcessCommandLine has "sc stop" or ProcessCommandLine has "net stop", "Service Stop",
    ProcessCommandLine has "sc delete", "Service Delete",
    ProcessCommandLine has "sc config", "Service Reconfigure",
    ProcessCommandLine has "MpPreference", "Defender Policy Change",
    ProcessCommandLine has "Exclusion", "Exclusion Added",
    "Other")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, TargetTool, ActionType2
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Service: Service Metadata Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators performing planned security tool maintenance, upgrades, or migrations with corresponding change tickets
Endpoint management tools (SCCM, Intune) deploying Defender exclusion policies for legitimate applications
Security tool uninstallation during agent version upgrades or vendor transitions
Automated remediation scripts that restart security services after patching

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval ServiceKill=if(match(CommandLine, "(sc\s+(stop|delete|config)|net\s+stop|net1\s+stop).*(windefend|sense|msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient)"), 1, 0)
| eval ProcessKill=if(match(CommandLine, "taskkill.*(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth)"), 1, 0)
| eval DefenderModify=if(match(CommandLine, "(set-mppreference|add-mppreference).*(disable|exclusion)"), 1, 0)
| eval AntiSpyware=if(match(CommandLine, "disableantispyware.*1"), 1, 0)
| eval SuspicionScore=ServiceKill + ProcessKill + DefenderModify + AntiSpyware
| where SuspicionScore > 0
| eval TargetTool=case(
    match(CommandLine, "(windefend|msmpeng|mssense|sense|defender)"), "Windows Defender/MDE",
    match(CommandLine, "(crowdstrike|csfalcon)"), "CrowdStrike Falcon",
    match(CommandLine, "cylance"), "Cylance",
    match(CommandLine, "(carbon|cbdefense)"), "Carbon Black",
    match(CommandLine, "sentinel"), "SentinelOne",
    match(CommandLine, "tanium"), "Tanium",
    true(), "Other/Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetTool, ServiceKill, ProcessKill, DefenderModify, AntiSpyware, SuspicionScore
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators performing planned security tool maintenance, upgrades, or migrations with corresponding change tickets
Endpoint management tools (SCCM, Intune) deploying Defender exclusion policies for legitimate applications
Security tool uninstallation during agent version upgrades or vendor transitions
Automated remediation scripts that restart security services after patching

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "EventID",
  "CommandLine",
  "ParentImage",
  "Image",
  CASE
    WHEN LOWER("CommandLine") MATCHES '(windefend|msmpeng|mssense|sense|defender)' THEN 'Windows Defender/MDE'
    WHEN LOWER("CommandLine") MATCHES '(crowdstrike|csfalcon)' THEN 'CrowdStrike Falcon'
    WHEN LOWER("CommandLine") MATCHES 'cylance' THEN 'Cylance'
    WHEN LOWER("CommandLine") MATCHES '(carbon|cbdefense)' THEN 'Carbon Black'
    WHEN LOWER("CommandLine") MATCHES 'sentinel' THEN 'SentinelOne'
    WHEN LOWER("CommandLine") MATCHES 'tanium' THEN 'Tanium'
    ELSE 'Other/Unknown'
  END AS target_tool,
  CASE
    WHEN LOWER("CommandLine") MATCHES 'taskkill' THEN 'Process Kill'
    WHEN LOWER("CommandLine") MATCHES '(sc stop|net stop)' THEN 'Service Stop'
    WHEN LOWER("CommandLine") MATCHES 'sc delete' THEN 'Service Delete'
    WHEN LOWER("CommandLine") MATCHES 'sc config' THEN 'Service Reconfigure'
    WHEN LOWER("CommandLine") MATCHES 'mppreference' THEN 'Defender Policy Change'
    WHEN LOWER("CommandLine") MATCHES 'exclusion' THEN 'Exclusion Added'
    ELSE 'Other'
  END AS action_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND "EventID" IN (1, 4688)
  AND (
    /* Service operations against security tools */
    (
      LOWER("Image") MATCHES '(sc\.exe|net\.exe|net1\.exe)'
      AND LOWER("CommandLine") MATCHES '(stop|delete|config)'
      AND LOWER("CommandLine") MATCHES '(windefend|sense|msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient)'
    ) OR
    /* Process kill targeting security tool executables */
    (
      LOWER("Image") MATCHES 'taskkill\.exe'
      AND LOWER("CommandLine") MATCHES '(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth|sentinelservicehost)'
    ) OR
    /* PowerShell Defender policy modifications */
    (
      LOWER("Image") MATCHES '(powershell\.exe|pwsh\.exe)'
      AND LOWER("CommandLine") MATCHES '(set-mppreference|add-mppreference)'
      AND LOWER("CommandLine") MATCHES '(disable|exclusion)'
    ) OR
    /* Direct registry disable via reg.exe */
    (
      LOWER("CommandLine") MATCHES 'disableantispyware.*1'
    )
  )
  AND DATEFORMAT(starttime, 'YYYY-MM-dd') >= DATEADD('day', -1, CURRENT_DATE)
ORDER BY starttime DESC
LIMIT 500

high severity high confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via Windows log source QRadar Windows DSM

Required Tables

events

False Positives

Authorized IT change management activities such as AV product migrations or version upgrades initiated from known administrative hosts
Vulnerability management or compliance scanning tools that enumerate or modify security configurations as part of authorized assessments
Group Policy or MDM-based security configuration management that adjusts Defender exclusions for application compatibility

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "EventID=*" as event_id nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "Image=*" as image nodrop
| parse "ParentImage=*" as parent_image nodrop
| parse "User=*" as user nodrop
| parse "Computer=*" as host nodrop
| where event_id in ("1", "4688")
| where (
    /* Service stop/delete/config against security services */
    (toLowerCase(image) matches "*sc.exe*" OR toLowerCase(image) matches "*net.exe*" OR toLowerCase(image) matches "*net1.exe*")
    AND (
      toLowerCase(command_line) matches "*(stop|delete|config)*"
      AND (toLowerCase(command_line) matches "*windefend*" OR toLowerCase(command_line) matches "*sense*"
           OR toLowerCase(command_line) matches "*msmpsvc*" OR toLowerCase(command_line) matches "*wdnissvc*"
           OR toLowerCase(command_line) matches "*securityhealth*" OR toLowerCase(command_line) matches "*crowdstrike*"
           OR toLowerCase(command_line) matches "*csfalcon*" OR toLowerCase(command_line) matches "*cylance*"
           OR toLowerCase(command_line) matches "*cbdefense*" OR toLowerCase(command_line) matches "*sentinelagent*"
           OR toLowerCase(command_line) matches "*taniumclient*")
    )
  ) OR (
    /* Taskkill targeting security processes */
    toLowerCase(image) matches "*taskkill.exe*"
    AND (
      toLowerCase(command_line) matches "*msmpeng*" OR toLowerCase(command_line) matches "*mssense*"
      OR toLowerCase(command_line) matches "*csfalcon*" OR toLowerCase(command_line) matches "*cylancesvc*"
      OR toLowerCase(command_line) matches "*cbdefense*" OR toLowerCase(command_line) matches "*sentinelagent*"
      OR toLowerCase(command_line) matches "*taniumclient*" OR toLowerCase(command_line) matches "*securityhealth*"
    )
  ) OR (
    /* PowerShell Defender modifications */
    (toLowerCase(image) matches "*powershell.exe*" OR toLowerCase(image) matches "*pwsh.exe*")
    AND (toLowerCase(command_line) matches "*set-mppreference*" OR toLowerCase(command_line) matches "*add-mppreference*")
    AND (toLowerCase(command_line) matches "*disable*" OR toLowerCase(command_line) matches "*exclusion*")
  ) OR (
    toLowerCase(command_line) matches "*disableantispyware*1*"
  )
| eval target_tool = if(toLowerCase(command_line) matches "*(windefend|msmpeng|mssense|sense|defender)*", "Windows Defender/MDE",
    if(toLowerCase(command_line) matches "*(crowdstrike|csfalcon)*", "CrowdStrike Falcon",
    if(toLowerCase(command_line) matches "*cylance*", "Cylance",
    if(toLowerCase(command_line) matches "*(carbon|cbdefense)*", "Carbon Black",
    if(toLowerCase(command_line) matches "*sentinel*", "SentinelOne",
    if(toLowerCase(command_line) matches "*tanium*", "Tanium", "Other/Unknown"))))))
| eval action_type = if(toLowerCase(command_line) matches "*taskkill*", "Process Kill",
    if(toLowerCase(command_line) matches "*(sc stop|net stop)*", "Service Stop",
    if(toLowerCase(command_line) matches "*sc delete*", "Service Delete",
    if(toLowerCase(command_line) matches "*sc config*", "Service Reconfigure",
    if(toLowerCase(command_line) matches "*mppreference*", "Defender Policy Change",
    if(toLowerCase(command_line) matches "*exclusion*", "Exclusion Added", "Other"))))))
| fields _messageTime, host, user, image, command_line, parent_image, target_tool, action_type
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows (Event ID 1) Windows Security Event Log (Event ID 4688) Sumo Logic Windows Collection Agent

Required Tables

windows/sysmon windows/security

False Positives

Security product migration projects where one AV/EDR vendor is being replaced with another, requiring legitimate service stop and uninstall operations
Automated patch management platforms that temporarily disable real-time scanning before applying OS patches to reduce false positives
Incident response tooling that adjusts Defender exclusions to allow forensic collection agents to run without interference

Google Chronicle / SecOps

yaral

rule t1562_001_disable_security_tools {
  meta:
    author = "Argus Detection Platform"
    description = "Detects attempts to disable or modify security tools including AV/EDR services, processes, and Defender policies (T1562.001)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    (
      // Service control against security services
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\sc\.exe|\\net\.exe|\\net1\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(stop|delete|config)`)
        and re.regex($e.target.process.command_line, `(?i)(windefend|sense|msmpsvc|wdnissvc|securityhealth|wscsvc|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient)`)
      )
      or
      // Taskkill targeting security tool processes
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\taskkill\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth|sentinelservicehost|tmabc|coreserviceshell)`)
      )
      or
      // PowerShell Defender policy modification
      (
        re.regex($e.principal.process.file.full_path, `(?i)(\\powershell\.exe|\\pwsh\.exe)$`)
        and re.regex($e.target.process.command_line, `(?i)(set-mppreference|add-mppreference)`)
        and re.regex($e.target.process.command_line, `(?i)(disablerealtimemonitoring|disablebehaviormonitoring|disableioavprotection|disablescriptscanning|exclusionpath|exclusionprocess|disableblockatfirstseen|disableantispyware)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Detection (via Chronicle forwarder) Sysmon ingested via Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate enterprise AV/EDR management consoles performing remote service restarts or configuration changes as part of normal operations
Security operations runbooks that automate Defender exclusion management for specific application directories after change approval
IT automation platforms deploying new endpoint agents that must first decommission the existing agent before installation

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(sc\.exe|net\.exe|net1\.exe|taskkill\.exe|powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(sc\s+(stop|delete|config)|net\s+stop|net1\s+stop|taskkill.*\/f|set-mppreference|add-mppreference)/
| CommandLine = /(?i)(windefend|sense|msmpsvc|wdnissvc|securityhealth|wscsvc|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient|msmpeng|mssense|sentinelservicehost|disable|exclusionpath|exclusionprocess|disableantispyware)/
| eval TargetTool = case(
    CommandLine = /(?i)(windefend|msmpeng|mssense|sense|defender)/, "Windows Defender/MDE",
    CommandLine = /(?i)(crowdstrike|csfalcon)/, "CrowdStrike Falcon",
    CommandLine = /(?i)cylance/, "Cylance",
    CommandLine = /(?i)(carbon|cbdefense)/, "Carbon Black",
    CommandLine = /(?i)sentinel/, "SentinelOne",
    CommandLine = /(?i)tanium/, "Tanium",
    "Other/Unknown")
| eval ActionType = case(
    CommandLine = /(?i)taskkill/, "Process Kill",
    CommandLine = /(?i)(sc\s+stop|net\s+stop)/, "Service Stop",
    CommandLine = /(?i)sc\s+delete/, "Service Delete",
    CommandLine = /(?i)sc\s+config/, "Service Reconfigure",
    CommandLine = /(?i)(set-mppreference|add-mppreference)/, "Defender Policy Change",
    CommandLine = /(?i)exclusion/, "Exclusion Added",
    "Other")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, TargetTool, ActionType])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Detection Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives

Falcon sensor upgrades or configuration changes pushed by the CrowdStrike console that involve service restarts on managed endpoints
Third-party ITSM integrations that automate exclusion management via PowerShell as part of approved application onboarding workflows
Enterprise software packaging tools that disable AV scanning temporarily during MSI installation to prevent false detection of installation artifacts

Last updated: 2026-04-21 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1562.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Disable or Modify Tools

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections