T1562.001 Sumo Logic CSE · Sumo

Detect Disable or Modify Tools in Sumo Logic CSE

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.001 Disable or Modify Tools
Canonical reference
https://attack.mitre.org/techniques/T1562/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "EventID=*" as event_id nodrop
| parse "CommandLine=*" as command_line nodrop
/* Sysmon 1 reports Image/ParentImage/User; Security 4688 reports
   NewProcessName/ParentProcessName/SubjectUserName. Parse both and merge so
   the 4688 events this rule selects are actually evaluated. */
| parse "Image=*" as image nodrop
| parse "NewProcessName=*" as new_process_name nodrop
| parse "ParentImage=*" as parent_image nodrop
| parse "ParentProcessName=*" as parent_process_name nodrop
| parse "User=*" as user nodrop
| parse "SubjectUserName=*" as subject_user nodrop
| parse "Computer=*" as host nodrop
| where event_id in ("1", "4688")
| if(isBlank(image), new_process_name, image) as proc_image
| if(isBlank(parent_image), parent_process_name, parent_image) as proc_parent
| if(isBlank(user), subject_user, user) as proc_user
| toLowerCase(proc_image) as image_lc
| toLowerCase(command_line) as cmd_lc
| where (
    /* Service stop/delete/config against security services.
       matches "..." is a wildcard glob, not a regex, so alternations such as
       "(stop|delete|config)" must be spelled out as separate OR terms. */
    (image_lc matches "*sc.exe" OR image_lc matches "*net.exe" OR image_lc matches "*net1.exe")
    AND (cmd_lc matches "* stop *" OR cmd_lc matches "* delete *" OR cmd_lc matches "* config *")
    AND (cmd_lc matches "*windefend*" OR cmd_lc matches "*sense*"
         OR cmd_lc matches "*msmpsvc*" OR cmd_lc matches "*wdnissvc*"
         OR cmd_lc matches "*securityhealth*" OR cmd_lc matches "*crowdstrike*"
         OR cmd_lc matches "*csfalcon*" OR cmd_lc matches "*cylance*"
         OR cmd_lc matches "*cbdefense*" OR cmd_lc matches "*sentinelagent*"
         OR cmd_lc matches "*taniumclient*")
  ) OR (
    /* Taskkill targeting security processes */
    image_lc matches "*taskkill.exe"
    AND (cmd_lc matches "*msmpeng*" OR cmd_lc matches "*mssense*"
         OR cmd_lc matches "*csfalcon*" OR cmd_lc matches "*cylancesvc*"
         OR cmd_lc matches "*cbdefense*" OR cmd_lc matches "*sentinelagent*"
         OR cmd_lc matches "*taniumclient*" OR cmd_lc matches "*securityhealth*")
  ) OR (
    /* PowerShell Defender modifications */
    (image_lc matches "*powershell.exe" OR image_lc matches "*pwsh.exe")
    AND (cmd_lc matches "*set-mppreference*" OR cmd_lc matches "*add-mppreference*")
    AND (cmd_lc matches "*disable*" OR cmd_lc matches "*exclusion*")
  ) OR (
    /* Registry policy tamper from any image (reg.exe, PowerShell, script hosts);
       the second pattern is what Test 4 below exercises */
    cmd_lc matches "*disableantispyware*1*" OR cmd_lc matches "*disablerealtimemonitoring*1*"
  )
/* Vendor attribution, first match wins. "mppreference" is included so that
   Add-/Set-MpPreference lines attribute to Defender even when the product
   name never appears on the command line. */
| if(cmd_lc matches "*windefend*" OR cmd_lc matches "*msmpeng*" OR cmd_lc matches "*mssense*"
     OR cmd_lc matches "*sense*" OR cmd_lc matches "*defender*" OR cmd_lc matches "*mppreference*", "Windows Defender/MDE",
  if(cmd_lc matches "*crowdstrike*" OR cmd_lc matches "*csfalcon*", "CrowdStrike Falcon",
  if(cmd_lc matches "*cylance*", "Cylance",
  if(cmd_lc matches "*carbon*" OR cmd_lc matches "*cbdefense*", "Carbon Black",
  if(cmd_lc matches "*sentinel*", "SentinelOne",
  if(cmd_lc matches "*tanium*", "Tanium", "Other/Unknown")))))) as target_tool
/* "exclusion" is tested before the generic "mppreference" label so that
   Add-MpPreference -ExclusionPath is reported as an exclusion, not a policy change */
| if(image_lc matches "*taskkill.exe", "Process Kill",
  if(cmd_lc matches "* stop *", "Service Stop",
  if(cmd_lc matches "* delete *", "Service Delete",
  if(cmd_lc matches "* config *", "Service Reconfigure",
  if(cmd_lc matches "*exclusion*", "Exclusion Added",
  if(cmd_lc matches "*mppreference*", "Defender Policy Change",
  if(cmd_lc matches "*disableantispyware*" OR cmd_lc matches "*disablerealtimemonitoring*", "Registry Policy Change", "Other"))))))) as action_type
| fields _messageTime, host, proc_user, proc_image, command_line, proc_parent, target_tool, action_type
| sort by _messageTime desc
Severity: High · Confidence: High

Detects security tool tampering via Sumo Logic by parsing Sysmon and Windows Security process creation events for service control operations, forced process termination, registry policy changes, and PowerShell-based Defender policy changes targeting known AV/EDR products (T1562.001). The rule keys on the command line of the attempt, not on whether it succeeded. Security Event ID 4688 only carries a command line when the "Include command line in process creation events" audit policy is enabled; without it, 4688 events contribute nothing to this rule.

Data Sources

  • Sysmon for Windows (Event ID 1)
  • Windows Security Event Log (Event ID 4688)
  • Sumo Logic Windows Collection Agent

Required Tables

  • windows/sysmon
  • windows/security

False Positives & Tuning

  • Security product migration projects where one AV/EDR vendor is being replaced with another, requiring legitimate service stop and uninstall operations
  • Automated patch management platforms that temporarily disable real-time scanning before applying OS patches; allow-list the patch agent as the parent process rather than the command line, since the command line is identical to the malicious case
  • Incident response tooling that adjusts Defender exclusions to allow forensic collection agents to run without interference

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Stop Windows Defender via sc.exe

    Expected signal: Sysmon Event ID 1: sc.exe with CommandLine containing 'stop WinDefend'. If the test also runs 'sc config WinDefend start= disabled', System Event ID 7040 records the start-type change, and System Event ID 7036 records WinDefend entering the stopped state if the stop succeeds. On current Windows builds WinDefend runs as a protected service, so both commands typically fail with "Access is denied" and only the process creation event appears; that event is what this rule keys on.

  2. Test 2: Add Defender Exclusion for C: Drive

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Add-MpPreference -ExclusionPath'. Sysmon Event ID 13: Registry value set under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. PowerShell ScriptBlock Log Event ID 4104. Defender Event ID 5007 (config changed).

  3. Test 3: Kill Security Process with taskkill

    Expected signal: Sysmon Event ID 1: taskkill.exe with CommandLine containing '/f /im MsMpEng.exe'. The kill will likely fail due to tamper protection, but the process creation event fires regardless.

  4. Test 4: Disable Defender Real-Time Protection via Registry

    Expected signal: Sysmon Event ID 1: reg.exe with CommandLine containing DisableRealtimeMonitoring. Sysmon Event ID 13: Registry value set. Defender Event ID 5001: Real-time protection disabled.
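The four tests above and the query's own matching logic, as an added Python example that is not part of this page and not Sumo Logic code: it ports the rule's branches to plain Python, parses constructed Sysmon-style and Security 4688-style records (the key=value line format, field names and every command line are assumptions chosen to mirror the query's parse statements), and classifies each record with the same target_tool and action_type labels the query emits. It goes a little beyond the query as written: it merges the 4688 field names, includes the reg.exe DisableRealtimeMonitoring pattern so Test 4 fires, labels Add-MpPreference -ExclusionPath as an exclusion, and matches service verbs as whole tokens rather than bare substrings.

```python
"""Added example (not the page's query, not Sumo Logic code): the rule's matching
logic ported to Python and run over constructed Sysmon-1 / Security-4688 style
records. Line format, field names and sample command lines are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Name fragments taken from the page's query (lower-case, substring matched).
SERVICE_TOOLS = ("windefend", "sense", "msmpsvc", "wdnissvc", "securityhealth", "crowdstrike",
                 "csfalcon", "cylance", "cbdefense", "sentinelagent", "taniumclient")
KILL_TOOLS = ("msmpeng", "mssense", "csfalcon", "cylancesvc", "cbdefense", "sentinelagent",
              "taniumclient", "securityhealth")
SERVICE_IMAGES = ("sc.exe", "net.exe", "net1.exe")
SERVICE_ACTION = {"stop": "Service Stop", "delete": "Service Delete", "config": "Service Reconfigure"}
# Image-agnostic registry tamper (reg.exe, PowerShell, script hosts); covers Test 4.
REGISTRY_RE = re.compile(r"(disableantispyware|disablerealtimemonitoring)\b.*\b1\b")
# Vendor attribution, first match wins; "mppreference" makes Add-/Set-MpPreference
# lines attribute to Defender even when the product name is absent.
TARGET_TOOL = (
    (("windefend", "msmpeng", "mssense", "sense", "defender", "mppreference"), "Windows Defender/MDE"),
    (("crowdstrike", "csfalcon"), "CrowdStrike Falcon"),
    (("cylance",), "Cylance"),
    (("carbon", "cbdefense"), "Carbon Black"),
    (("sentinel",), "SentinelOne"),
    (("tanium",), "Tanium"),
)
# Constructed records (assumption): CommandLine is always the last field so its
# spaces and quotes survive. 1-4 mirror Tests 1-4 above, 5-8 are benign
# look-alikes, 9 is a Security 4688 record with its own field names.
SAMPLE_LINES = [
    r"EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\sc.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=sc.exe stop WinDefend",
    r"EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'",
    r"EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\taskkill.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=taskkill.exe /f /im MsMpEng.exe",
    r'EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\reg.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    r"EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\sc.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=sc.exe query WinDefend",
    r"EventID=1 Computer=WS01 User=CORP\svc_print Image=C:\Windows\System32\net.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=net.exe stop Spooler",
    r"EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\taskkill.exe ParentImage=C:\Windows\explorer.exe CommandLine=taskkill.exe /f /im notepad.exe",
    r"EventID=1 Computer=WS01 User=CORP\alice Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe Get-MpPreference",
    r"EventID=4688 Computer=WS02 SubjectUserName=bob NewProcessName=C:\Windows\System32\sc.exe ParentProcessName=C:\Windows\System32\cmd.exe CommandLine=sc config Sense start= disabled",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a record into fields; everything after ' CommandLine=' is the command line."""
    head, sep, cmd = line.partition(" CommandLine=")
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    if sep:
        fields["CommandLine"] = cmd
    return fields


def exe_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path ('' for an empty path)."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (target_tool, action_type) if the record matches the rule, else None."""
    if ev.get("EventID") not in ("1", "4688"):
        return None
    # Sysmon 1 names the process Image; Security 4688 names it NewProcessName.
    exe = exe_name(ev.get("Image") or ev.get("NewProcessName") or "")
    cmd = ev.get("CommandLine", "").lower()
    tokens = re.findall(r"[a-z0-9._-]+", cmd)  # whole-word verb matching
    verb = next((v for v in SERVICE_ACTION if v in tokens), None)

    if exe in SERVICE_IMAGES:
        hit = verb is not None and any(t in cmd for t in SERVICE_TOOLS)
    elif exe == "taskkill.exe":
        hit = any(t in cmd for t in KILL_TOOLS)
    elif exe in ("powershell.exe", "pwsh.exe"):
        hit = (("set-mppreference" in cmd or "add-mppreference" in cmd)
               and ("disable" in cmd or "exclusion" in cmd))
    else:
        hit = False
    if not hit and REGISTRY_RE.search(cmd) is None:
        return None

    target = next((label for needles, label in TARGET_TOOL
                   if any(n in cmd for n in needles)), "Other/Unknown")
    if exe == "taskkill.exe":
        action = "Process Kill"
    elif exe in SERVICE_IMAGES and verb is not None:
        action = SERVICE_ACTION[verb]
    elif "exclusion" in cmd:  # checked before the generic MpPreference label
        action = "Exclusion Added"
    elif "mppreference" in cmd:
        action = "Defender Policy Change"
    elif REGISTRY_RE.search(cmd):
        action = "Registry Policy Change"
    else:
        action = "Other"
    return target, action


def run(lines: List[str]) -> List[tuple]:
    """Evaluate every record; one (host, user, exe, target_tool, action_type) per alert."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict is None:
            continue
        user = ev.get("User") or ev.get("SubjectUserName") or "?"
        exe = exe_name(ev.get("Image") or ev.get("NewProcessName") or "")
        alerts.append((ev.get("Computer", "?"), user, exe) + verdict)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

Running the file prints one tuple per alert: the four test records and the 4688 record fire, and the four benign look-alikes (sc query, net stop Spooler, taskkill notepad.exe, Get-MpPreference) do not. Because the rule triggers on the attempt rather than the outcome, a production version would pair these hits with Defender Event ID 5001/5007 or System Event ID 7036 to confirm the tool was actually impaired.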
