T1562.001 Splunk · SPL

Detect Disable or Modify Tools in Splunk

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.001 Disable or Modify Tools
Canonical reference
https://attack.mitre.org/techniques/T1562/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval ServiceKill=if(match(CommandLine, "(sc\s+(stop|delete|config)|net\s+stop|net1\s+stop).*(windefend|sense|msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient)"), 1, 0)
| eval ProcessKill=if(match(CommandLine, "taskkill.*(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth)"), 1, 0)
| eval DefenderModify=if(match(CommandLine, "(set-mppreference|add-mppreference).*(disable|exclusion)"), 1, 0)
| eval AntiSpyware=if(match(CommandLine, "disableantispyware.*1"), 1, 0)
| eval SuspicionScore=ServiceKill + ProcessKill + DefenderModify + AntiSpyware
| where SuspicionScore > 0
| eval TargetTool=case(
    match(CommandLine, "(windefend|msmpeng|mssense|sense|defender)"), "Windows Defender/MDE",
    match(CommandLine, "(crowdstrike|csfalcon)"), "CrowdStrike Falcon",
    match(CommandLine, "cylance"), "Cylance",
    match(CommandLine, "(carbon|cbdefense)"), "Carbon Black",
    match(CommandLine, "sentinel"), "SentinelOne",
    match(CommandLine, "tanium"), "Tanium",
    true(), "Other/Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetTool, ServiceKill, ProcessKill, DefenderModify, AntiSpyware, SuspicionScore
| sort - _time
critical severity high confidence

Detects security tool tampering using Sysmon process creation events. Identifies service stopping/deletion, process killing, Defender preference modifications, and anti-spyware registry disablement. Assigns a suspicion score and identifies the targeted security product.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • IT administrators performing planned security tool maintenance, upgrades, or migrations with corresponding change tickets
  • Endpoint management tools (SCCM, Intune) deploying Defender exclusion policies for legitimate applications
  • Security tool uninstallation during agent version upgrades or vendor transitions
  • Automated remediation scripts that restart security services after patching
Download portable Sigma rule (.yml)

Other platforms for T1562.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stop Windows Defender via sc.exe

    Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state. System Event ID 7040: WinDefend start type changed to disabled.

  2. Test 2Add Defender Exclusion for C: Drive

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Add-MpPreference -ExclusionPath'. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. PowerShell ScriptBlock Log Event ID 4104. Defender Event ID 5007 (config changed).

  3. Test 3Kill Security Process with taskkill

    Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine containing '/f /im MsMpEng.exe'. The kill will likely fail due to tamper protection, but the process creation event fires regardless.

  4. Test 4Disable Defender Real-Time Protection via Registry

    Expected signal: Sysmon Event ID 1: reg.exe with CommandLine containing DisableRealtimeMonitoring. Sysmon Event ID 13: Registry value set. Defender Event ID 5001: Real-time protection disabled.

Last updated: 2026-04-21 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1562.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.006Indicator BlockingT1562.002Disable Windows Event LoggingT1543.003Windows ServiceT1112Modify RegistryT1068Exploitation for Privilege EscalationT1564.012File/Path ExclusionsT1070.001Clear Windows Event Logs

Same Tactic: Defense Evasion

Popular Detections