T1562.001 Elastic Security · Elastic

Detect Disable or Modify Tools in Elastic Security

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.001 Disable or Modify Tools
Canonical reference
https://attack.mitre.org/techniques/T1562/001/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  /* Service stop/delete/config via sc.exe or net.exe */
  (
    process.name in~ ("sc.exe", "net.exe", "net1.exe") and
    process.args : ("stop", "delete", "config") and
    process.command_line : ("*WinDefend*", "*Sense*", "*MsMpSvc*", "*WdNisSvc*", "*SecurityHealthService*", "*wscsvc*", "*CrowdStrike*", "*csfalcon*", "*CylanceSvc*", "*CbDefense*", "*SentinelAgent*", "*taniumclient*")
  ) or
  /* Process kill via taskkill targeting security tools */
  (
    process.name : "taskkill.exe" and
    process.command_line : ("*MsMpEng*", "*MsSense*", "*csfalcon*", "*CylanceSvc*", "*CbDefense*", "*SentinelAgent*", "*taniumclient*", "*SecurityHealthService*", "*SentinelServiceHost*")
  ) or
  /* Defender policy modification via PowerShell */
  (
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*Set-MpPreference*DisableRealtimeMonitoring*", "*Set-MpPreference*DisableBehaviorMonitoring*", "*Set-MpPreference*DisableIOAVProtection*", "*Set-MpPreference*DisableScriptScanning*", "*Add-MpPreference*ExclusionPath*", "*Add-MpPreference*ExclusionProcess*", "*Set-MpPreference*DisableBlockAtFirstSeen*", "*DisableAntiSpyware*")
  )
)
high severity high confidence

Detects attempts to disable or modify security tools on Windows endpoints by monitoring for service stop/delete/config operations targeting known EDR/AV services, process kill commands targeting security tool processes, and PowerShell-based Windows Defender policy modifications (T1562.001).

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonElastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • Legitimate IT administrators performing scheduled maintenance, software upgrades, or uninstalling AV products during planned change windows
  • Security operations teams running authorized red team or penetration testing exercises that simulate adversary behavior
  • Enterprise software deployment tools (SCCM, Ansible, Puppet) that manage AV/EDR configurations as part of policy enforcement
Download portable Sigma rule (.yml)

Other platforms for T1562.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stop Windows Defender via sc.exe

    Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state. System Event ID 7040: WinDefend start type changed to disabled.

  2. Test 2Add Defender Exclusion for C: Drive

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Add-MpPreference -ExclusionPath'. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. PowerShell ScriptBlock Log Event ID 4104. Defender Event ID 5007 (config changed).

  3. Test 3Kill Security Process with taskkill

    Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine containing '/f /im MsMpEng.exe'. The kill will likely fail due to tamper protection, but the process creation event fires regardless.

  4. Test 4Disable Defender Real-Time Protection via Registry

    Expected signal: Sysmon Event ID 1: reg.exe with CommandLine containing DisableRealtimeMonitoring. Sysmon Event ID 13: Registry value set. Defender Event ID 5001: Real-time protection disabled.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1562.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.006Indicator BlockingT1562.002Disable Windows Event LoggingT1543.003Windows ServiceT1112Modify RegistryT1068Exploitation for Privilege EscalationT1564.012File/Path ExclusionsT1070.001Clear Windows Event Logs

Same Tactic: Defense Evasion

Popular Detections