Detect Disable or Modify Tools in CrowdStrike LogScale
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.001 Disable or Modify Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1562/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(sc\.exe|net\.exe|net1\.exe|taskkill\.exe|powershell\.exe|pwsh\.exe)$/
| CommandLine = /(?i)(sc\s+(stop|delete|config)|net\s+stop|net1\s+stop|taskkill.*\/f|set-mppreference|add-mppreference)/
| CommandLine = /(?i)(windefend|sense|msmpsvc|wdnissvc|securityhealth|wscsvc|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient|msmpeng|mssense|sentinelservicehost|disable|exclusionpath|exclusionprocess|disableantispyware)/
| eval TargetTool = case(
CommandLine = /(?i)(windefend|msmpeng|mssense|sense|defender)/, "Windows Defender/MDE",
CommandLine = /(?i)(crowdstrike|csfalcon)/, "CrowdStrike Falcon",
CommandLine = /(?i)cylance/, "Cylance",
CommandLine = /(?i)(carbon|cbdefense)/, "Carbon Black",
CommandLine = /(?i)sentinel/, "SentinelOne",
CommandLine = /(?i)tanium/, "Tanium",
"Other/Unknown")
| eval ActionType = case(
CommandLine = /(?i)taskkill/, "Process Kill",
CommandLine = /(?i)(sc\s+stop|net\s+stop)/, "Service Stop",
CommandLine = /(?i)sc\s+delete/, "Service Delete",
CommandLine = /(?i)sc\s+config/, "Service Reconfigure",
CommandLine = /(?i)(set-mppreference|add-mppreference)/, "Defender Policy Change",
CommandLine = /(?i)exclusion/, "Exclusion Added",
"Other")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, TargetTool, ActionType])
| sort(timestamp, order=desc)Detects security tool disable or modification activity in CrowdStrike Falcon LogScale (CQL) by filtering ProcessRollup2 events for service control, taskkill, and PowerShell Defender modification commands targeting known AV/EDR products across Windows endpoints (T1562.001).
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor upgrades or configuration changes pushed by the CrowdStrike console that involve service restarts on managed endpoints
- Third-party ITSM integrations that automate exclusion management via PowerShell as part of approved application onboarding workflows
- Enterprise software packaging tools that disable AV scanning temporarily during MSI installation to prevent false detection of installation artifacts
Other platforms for T1562.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Stop Windows Defender via sc.exe
Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state. System Event ID 7040: WinDefend start type changed to disabled.
- Test 2Add Defender Exclusion for C: Drive
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Add-MpPreference -ExclusionPath'. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. PowerShell ScriptBlock Log Event ID 4104. Defender Event ID 5007 (config changed).
- Test 3Kill Security Process with taskkill
Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine containing '/f /im MsMpEng.exe'. The kill will likely fail due to tamper protection, but the process creation event fires regardless.
- Test 4Disable Defender Real-Time Protection via Registry
Expected signal: Sysmon Event ID 1: reg.exe with CommandLine containing DisableRealtimeMonitoring. Sysmon Event ID 13: Registry value set. Defender Event ID 5001: Real-time protection disabled.
References (7)
- https://attack.mitre.org/techniques/T1562/001/
- https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
- https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
Unlock Pro Content
Get the full detection package for T1562.001 including response playbook, investigation guide, and atomic red team tests.