Detect Disable or Modify Tools in Google Chronicle
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.001 Disable or Modify Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1562/001/
YARA-L Detection Query
rule t1562_001_disable_security_tools {
meta:
author = "Argus Detection Platform"
description = "Detects attempts to disable or modify security tools including AV/EDR services, processes, and Defender policies (T1562.001)"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1562.001"
severity = "HIGH"
confidence = "HIGH"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
// Service control against security services
(
re.regex($e.principal.process.file.full_path, `(?i)(\\sc\.exe|\\net\.exe|\\net1\.exe)$`)
and re.regex($e.target.process.command_line, `(?i)(stop|delete|config)`)
and re.regex($e.target.process.command_line, `(?i)(windefend|sense|msmpsvc|wdnissvc|securityhealth|wscsvc|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient)`)
)
or
// Taskkill targeting security tool processes
(
re.regex($e.principal.process.file.full_path, `(?i)\\taskkill\.exe$`)
and re.regex($e.target.process.command_line, `(?i)(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth|sentinelservicehost|tmabc|coreserviceshell)`)
)
or
// PowerShell Defender policy modification
(
re.regex($e.principal.process.file.full_path, `(?i)(\\powershell\.exe|\\pwsh\.exe)$`)
and re.regex($e.target.process.command_line, `(?i)(set-mppreference|add-mppreference)`)
and re.regex($e.target.process.command_line, `(?i)(disablerealtimemonitoring|disablebehaviormonitoring|disableioavprotection|disablescriptscanning|exclusionpath|exclusionprocess|disableblockatfirstseen|disableantispyware)`)
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting security tool tampering events by correlating UDM process launch events for service control commands, forced process termination, and PowerShell-based Windows Defender policy modifications targeting known AV/EDR products (T1562.001).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise AV/EDR management consoles performing remote service restarts or configuration changes as part of normal operations
- Security operations runbooks that automate Defender exclusion management for specific application directories after change approval
- IT automation platforms deploying new endpoint agents that must first decommission the existing agent before installation
Other platforms for T1562.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop Windows Defender via sc.exe
Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state. System Event ID 7040: WinDefend start type changed to disabled.
- Test 2Add Defender Exclusion for C: Drive
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Add-MpPreference -ExclusionPath'. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. PowerShell ScriptBlock Log Event ID 4104. Defender Event ID 5007 (config changed).
- Test 3Kill Security Process with taskkill
Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine containing '/f /im MsMpEng.exe'. The kill will likely fail due to tamper protection, but the process creation event fires regardless.
- Test 4Disable Defender Real-Time Protection via Registry
Expected signal: Sysmon Event ID 1: reg.exe with CommandLine containing DisableRealtimeMonitoring. Sysmon Event ID 13: Registry value set. Defender Event ID 5001: Real-time protection disabled.
References (7)
- https://attack.mitre.org/techniques/T1562/001/
- https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
- https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
Unlock Pro Content
Get the full detection package for T1562.001 including response playbook, investigation guide, and atomic red team tests.