Detect Impair Defenses in Google Chronicle
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1562 Impair Defenses
- Canonical reference: https://attack.mitre.org/techniques/T1562/
YARA-L Detection Query
rule t1562_impair_defenses {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562 Impair Defenses - adversaries modifying or disabling security tools, audit logging, and defensive mechanisms"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562"
    severity = "HIGH"
    priority = "HIGH"
  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)`)
        or re.regex($e.target.process.command_line, `(?i)(auditpol\s+/(clear|set)|wevtutil\s+cl\s)`)
        or re.regex($e.target.process.command_line, `(?i)(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)`)
        or re.regex($e.target.process.command_line, `(?i)(bcdedit\s+/set.{0,40}safeboot|netsh\s+advfirewall\s+set)`)
        or re.regex($e.target.process.command_line, `(?i)taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)`)
      )
    )
    or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      and (
        re.regex($e.target.registry.registry_key, `(?i).*(WinDefend|EventLog|SecurityHealth|MpsSvc|MsMpSvc).*`)
      )
    )
    or
    (
      $e.metadata.event_type = "USER_RESOURCE_ACCESS"
      and $e.metadata.product_event_type = "1102"
    )
    or
    (
      $e.metadata.event_type = "AUDIT_LOG_UPDATED"
      and $e.metadata.product_event_type = "4719"
    )
  condition:
    $e
}

This YARA-L 2.0 rule detects T1562 Impair Defenses through process launch events whose command lines match security service stop commands, Defender preference changes, audit log tampering, or firewall manipulation. It also fires on registry modifications to security service keys and on the Windows "audit log cleared" and "audit policy changed" events (EID 1102 and 4719). It uses the UDM process and registry event types.
False Positives & Tuning
- Authorized enterprise security tooling updates performed by security vendors that temporarily disable Defender components or modify audit policies
- System administrators running scripted hardening or compliance baseline tools that configure audit policies and firewall rules
- Cloud provisioning automation (Terraform, Ansible) that configures Windows Firewall rules or disables services before applying custom security configurations
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Stop Windows Defender Service
  Expected signal: Sysmon Event ID 1: Process Create with CommandLine 'sc stop WinDefend'. System Event ID 7036: Windows Defender Antivirus Service entered the stopped state. Security Event ID 4688 if command line auditing is enabled.
- Test 2: Clear Security Event Log
  Expected signal: Security Event ID 1102: The audit log was cleared. Sysmon Event ID 1: Process Create with CommandLine 'wevtutil cl Security'.
- Test 3: Disable Audit Policy
  Expected signal: Security Event ID 4719: System audit policy was changed. Sysmon Event ID 1: Process Create with CommandLine 'auditpol /clear /y'.
References (5)
- https://attack.mitre.org/techniques/T1562/
- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
Related Detections
Sub-techniques (12)
- T1562.001 Disable or Modify Tools
- T1562.002 Disable Windows Event Logging
- T1562.003 Impair Command History Logging
- T1562.004 Disable or Modify System Firewall
- T1562.006 Indicator Blocking
- T1562.007 Disable or Modify Cloud Firewall
- T1562.008 Disable or Modify Cloud Logs
- T1562.009 Safe Mode Boot
- T1562.010 Downgrade Attack
- T1562.011 Spoof Security Alerting
- T1562.012 Disable or Modify Linux Audit System
- T1562.013 Disable or Modify Network Device Firewall