Detect Disable or Modify Tools in IBM QRadar
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Sub-technique: T1562.001 Disable or Modify Tools
- Canonical reference: https://attack.mitre.org/techniques/T1562/001/
QRadar Detection Query
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "EventID",
  "CommandLine",
  "ParentImage",
  "Image",
  /* AQL MATCHES must match the whole field, so every pattern is wrapped in .* */
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*(windefend|msmpeng|mssense|sense|defender|mppreference).*' THEN 'Windows Defender/MDE'
    WHEN LOWER("CommandLine") MATCHES '.*(crowdstrike|csfalcon).*' THEN 'CrowdStrike Falcon'
    WHEN LOWER("CommandLine") MATCHES '.*cylance.*' THEN 'Cylance'
    WHEN LOWER("CommandLine") MATCHES '.*(carbon|cbdefense).*' THEN 'Carbon Black'
    WHEN LOWER("CommandLine") MATCHES '.*sentinel.*' THEN 'SentinelOne'
    WHEN LOWER("CommandLine") MATCHES '.*tanium.*' THEN 'Tanium'
    ELSE 'Other/Unknown'
  END AS target_tool,
  CASE
    WHEN LOWER("CommandLine") MATCHES '.*taskkill.*' THEN 'Process Kill'
    WHEN LOWER("CommandLine") MATCHES '.*(sc stop|net stop).*' THEN 'Service Stop'
    WHEN LOWER("CommandLine") MATCHES '.*sc delete.*' THEN 'Service Delete'
    WHEN LOWER("CommandLine") MATCHES '.*sc config.*' THEN 'Service Reconfigure'
    /* 'exclusion' is checked before 'mppreference' so Add-MpPreference -ExclusionPath gets the specific label */
    WHEN LOWER("CommandLine") MATCHES '.*exclusion.*' THEN 'Exclusion Added'
    WHEN LOWER("CommandLine") MATCHES '.*mppreference.*' THEN 'Defender Policy Change'
    WHEN LOWER("CommandLine") MATCHES '.*disable(antispyware|realtimemonitoring).*' THEN 'Defender Registry Disable'
    ELSE 'Other'
  END AS action_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND "EventID" IN (1, 4688)
  AND (
    /* Service operations against security tools */
    (
      LOWER("Image") MATCHES '.*[^a-z0-9](sc|net|net1)\.exe'
      AND LOWER("CommandLine") MATCHES '.*(stop|delete|config).*'
      AND LOWER("CommandLine") MATCHES '.*(windefend|sense|msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient).*'
    ) OR
    /* Process kill targeting security tool executables */
    (
      LOWER("Image") MATCHES '.*[^a-z0-9]taskkill\.exe'
      AND LOWER("CommandLine") MATCHES '.*(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth|sentinelservicehost).*'
    ) OR
    /* PowerShell Defender policy modifications (Set-/Add-MpPreference with a -Disable* or -Exclusion* parameter) */
    (
      LOWER("Image") MATCHES '.*[^a-z0-9](powershell|pwsh)\.exe'
      AND LOWER("CommandLine") MATCHES '.*(set-mppreference|add-mppreference).*'
      AND LOWER("CommandLine") MATCHES '.*(disable|exclusion).*'
    ) OR
    /* Defender disabled through the registry policy values (reg.exe or any other writer) */
    (
      LOWER("CommandLine") MATCHES '.*(disableantispyware|disablerealtimemonitoring).*1.*'
    )
  )
ORDER BY starttime DESC
LIMIT 500
LAST 24 HOURS

Detects disabling or modification of security tools on Windows hosts with QRadar AQL by filtering Sysmon Event ID 1 and Windows Security Event ID 4688 process-creation events for service-control (sc.exe, net.exe), taskkill and PowerShell Set-/Add-MpPreference commands aimed at known AV/EDR products, plus command lines that write the Defender DisableAntiSpyware or DisableRealtimeMonitoring policy values (T1562.001). Two AQL details matter for the query to fire at all: MATCHES requires the regular expression to match the entire field, so each pattern is wrapped in '.*' (a bare '(windefend|sense)' would only match a command line consisting of nothing but that word), and the relative time window is expressed with the trailing LAST 24 HOURS clause rather than a date comparison.
Data Sources
- Process-creation telemetry: Sysmon Event ID 1 or Windows Security Event ID 4688. Security 4688 only carries the command line when "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation) is enabled; without it the CommandLine field is empty and none of the query's patterns can match on 4688 events.
- Log source types as named in the query: 'Microsoft Windows Security Event Log' and 'Sysmon'. Adjust the LOGSOURCETYPENAME() list to the names used in your deployment; Sysmon events forwarded by WinCollect are commonly parsed under the Windows Security Event Log DSM rather than a separate 'Sysmon' type.
Required Tables
- events (the standard QRadar event table), with the custom event properties "EventID", "CommandLine", "ParentImage" and "Image" defined and enabled for the Windows log source types. The double-quoted names in the query are custom properties and must exist before the query will parse.
False Positives & Tuning
- Authorized IT change management activities such as AV product migrations or version upgrades initiated from known administrative hosts
- Vulnerability management or compliance scanning tools that enumerate or modify security configurations as part of authorized assessments
- Group Policy or MDM-based security configuration management that adjusts Defender exclusions for application compatibility
- The PowerShell clause keys on the token 'disable', so it also fires on commands that re-enable protection, such as Set-MpPreference -DisableRealtimeMonitoring $false; check the parameter value during triage rather than treating every hit as a disable
- The registry clause only requires a '1' somewhere after the value name, so it also fires on reads and audit scripts that mention DisableAntiSpyware or DisableRealtimeMonitoring; confirm with Sysmon Event ID 13 on the Defender policy keys before escalating
- The target_tool labels are substring matches ('sentinel', 'sense', 'carbon'), so unrelated command lines containing those words are labelled as a product; the labels are for triage only and do not decide whether an event fires
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Stop Windows Defender via sc.exe
Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state (only if the stop succeeds; with tamper protection on it is refused, but the process creation event fires regardless). System Event ID 7040: WinDefend start type changed to disabled (only if the test also changes the start type, e.g. with sc config WinDefend start= disabled).
- Test 2: Add Defender Exclusion for C: Drive
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Add-MpPreference -ExclusionPath'. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. PowerShell ScriptBlock Log Event ID 4104. Defender Event ID 5007 (config changed).
- Test 3: Kill Security Process with taskkill
Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine containing '/f /im MsMpEng.exe'. The kill will likely fail due to tamper protection, but the process creation event fires regardless.
- Test 4: Disable Defender Real-Time Protection via Registry
Expected signal: Sysmon Event ID 1: reg.exe with CommandLine containing DisableRealtimeMonitoring. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. Defender Event ID 5001: Real-time protection disabled (not logged when tamper protection is on, because the policy value is then ignored). The query's reg.exe clause must match DisableRealtimeMonitoring, not only DisableAntiSpyware, for this test to produce a hit.
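As an added example (not code from the original page, the detection vendor, or IBM QRadar), the following Python re-implements the query's WHERE clause and its two CASE label expressions and runs them over constructed process-creation records: the four tests from the Testing Methodology plus three benign look-alikes. The event records, image paths and command lines are constructed for illustration. The patterns follow the query's clauses, with the registry clause covering both DisableAntiSpyware and DisableRealtimeMonitoring so that Test 4 fires and the labels extended so MpPreference and registry commands are attributed to Defender. Note that Python's re.search is unanchored, whereas AQL MATCHES must consume the whole field; that is the one translation step between this code and the AQL.

```python
"""Offline re-implementation of the AQL detection's matching and labelling
logic, run over constructed Sysmon 1 / Security 4688 records (not real data)."""
import re
from dataclasses import dataclass

# Patterns mirror the AQL query. re.search is unanchored; AQL MATCHES must
# consume the whole string, which is why the AQL versions are wrapped in '.*'.
SERVICE_TOOLS = re.compile(r"[^a-z0-9](sc|net|net1)\.exe$")
SERVICE_VERBS = re.compile(r"(stop|delete|config)")
SECURITY_SERVICES = re.compile(
    r"(windefend|sense|msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|"
    r"cylance|cbdefense|sentinelagent|taniumclient)")
SECURITY_PROCESSES = re.compile(
    r"(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|"
    r"taniumclient|securityhealth|sentinelservicehost)")
POWERSHELL = re.compile(r"[^a-z0-9](powershell|pwsh)\.exe$")
MP_CMDLET = re.compile(r"(set|add)-mppreference")
MP_ACTION = re.compile(r"(disable|exclusion)")
REG_DISABLE = re.compile(r"(disableantispyware|disablerealtimemonitoring).*1")

# Label tables mirror the two CASE expressions; first match wins, so order matters.
TOOL_LABELS = [
    (r"(windefend|msmpeng|mssense|sense|defender|mppreference)", "Windows Defender/MDE"),
    (r"(crowdstrike|csfalcon)", "CrowdStrike Falcon"),
    (r"cylance", "Cylance"),
    (r"(carbon|cbdefense)", "Carbon Black"),
    (r"sentinel", "SentinelOne"),
    (r"tanium", "Tanium"),
]
ACTION_LABELS = [
    (r"taskkill", "Process Kill"),
    (r"(sc stop|net stop)", "Service Stop"),
    (r"sc delete", "Service Delete"),
    (r"sc config", "Service Reconfigure"),
    (r"exclusion", "Exclusion Added"),            # before 'mppreference' on purpose
    (r"mppreference", "Defender Policy Change"),
    (r"disable(antispyware|realtimemonitoring)", "Defender Registry Disable"),
]


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed for this example)."""
    event_id: int
    image: str
    command_line: str


def _first_label(table, text, default):
    for pattern, label in table:
        if re.search(pattern, text):
            return label
    return default


def classify(ev):
    """Return (target_tool, action_type) as the query's CASE expressions would."""
    cl = ev.command_line.lower()
    return (_first_label(TOOL_LABELS, cl, "Other/Unknown"),
            _first_label(ACTION_LABELS, cl, "Other"))


def is_tamper_candidate(ev):
    """The query's WHERE clause: a process-creation event plus one of four tamper patterns."""
    if ev.event_id not in (1, 4688):
        return False
    img, cl = ev.image.lower(), ev.command_line.lower()
    service_op = (SERVICE_TOOLS.search(img) and SERVICE_VERBS.search(cl)
                  and SECURITY_SERVICES.search(cl))
    process_kill = img.endswith("taskkill.exe") and SECURITY_PROCESSES.search(cl)
    defender_policy = (POWERSHELL.search(img) and MP_CMDLET.search(cl)
                       and MP_ACTION.search(cl))
    registry_disable = REG_DISABLE.search(cl)
    return bool(service_op or process_kill or defender_policy or registry_disable)


def run_detection(events):
    """Return [(command_line, target_tool, action_type)] for every event that fires."""
    return [(ev.command_line, *classify(ev)) for ev in events if is_tamper_candidate(ev)]


# Constructed sample telemetry: the four tests from Testing Methodology, then
# benign look-alikes a tuning pass should expect to see.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\sc.exe", "sc stop WinDefend"),
    ProcessEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\"'),
    ProcessEvent(4688, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im MsMpEng.exe"),
    ProcessEvent(1, r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
                 r"/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"),
    ProcessEvent(1, r"C:\Windows\System32\sc.exe", "sc query WinDefend"),   # status query only
    ProcessEvent(1, r"C:\Windows\System32\net.exe", "net stop Spooler"),     # unrelated service
    ProcessEvent(1, r"C:\Program Files\PowerShell\7\pwsh.exe",               # re-enable: still fires
                 "pwsh.exe -c Set-MpPreference -DisableRealtimeMonitoring $false"),
]

if __name__ == "__main__":
    for cmd, tool, action in run_detection(SAMPLE_EVENTS):
        print(f"{tool:22} {action:26} {cmd}")
```

Running it shows the four tests firing with the expected labels, the status query and the unrelated service stop staying silent, and the re-enabling Set-MpPreference command firing as 'Defender Policy Change' because the clause only sees the token 'disable'. That last row is the false positive described under tuning; a fix in either the AQL or this mirror would be to require the parameter to be followed by `$true` or `1`, at the cost of missing abbreviated or variable-driven forms.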
References
- https://attack.mitre.org/techniques/T1562/001/
- https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
- https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-ransomware-attacks-against-microsoft-defender/ba-p/1928947
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table