T1562 CrowdStrike LogScale · LogScale

Detect Impair Defenses in CrowdStrike LogScale

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Canonical reference
https://attack.mitre.org/techniques/T1562/

LogScale Detection Query

in(field="#event_simpleName", values=["ProcessRollup2", "SyntheticProcessRollup2"])
| CommandLine=/(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)/i
  OR CommandLine=/(auditpol\s+\/(clear|set)|wevtutil\s+cl\s)/i
  OR CommandLine=/(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)/i
  OR CommandLine=/(bcdedit\s+\/set.{0,40}safeboot|netsh\s+advfirewall\s+set)/i
  OR CommandLine=/taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)/i
// First matching branch wins; the branch order sets the precedence of the labels.
| case {
    CommandLine=/(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)/i | action := "security_service_tampering";
    CommandLine=/(auditpol\s+\/(clear|set)|wevtutil\s+cl\s)/i | action := "log_tampering";
    CommandLine=/(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)/i | action := "defender_modification";
    CommandLine=/(bcdedit\s+\/set.{0,40}safeboot|netsh\s+advfirewall\s+set)/i | action := "boot_or_firewall_tampering";
    CommandLine=/taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)/i | action := "defender_process_kill";
    * | action := "unknown_impair_defenses"
  }
| table(["@timestamp", "ComputerName", "UserName", "FileName", "CommandLine", "ParentBaseFileName", "action", "TargetProcessId", "ContextProcessId"])
| sort(field="@timestamp", order=desc)

Severity
high
Confidence
high

Detects T1562 Impair Defenses using CrowdStrike Falcon ProcessRollup2 events. Matches command lines targeting Windows security service stop/config operations, Defender real-time monitoring disablement, audit log clearing via auditpol and wevtutil, boot configuration safeboot changes via bcdedit, firewall manipulation via netsh advfirewall, and direct process termination of Defender components. Classifies each match into specific impairment sub-categories.

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • CrowdStrike Falcon Data Replicator

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2

False Positives & Tuning

  • IT administrators or endpoint management platforms (SCCM, Intune) running scripted maintenance tasks that stop and restart Windows security services during patch cycles
  • CrowdStrike Falcon sensor updates or configuration changes that transiently alter Defender coexistence settings or service states
  • Automated security baseline tools (CIS-CAT, SCAP scanners) that audit or modify audit policies and Windows Firewall settings as part of compliance assessments
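The following Python script is an added example, not part of this detection page or of CrowdStrike's own tooling. It re-implements the query's filter and classification logic over a handful of constructed ProcessRollup2-style records so the precedence of the labels can be checked offline, and it shows one way to apply the tuning advice above: a hypothetical allowlist of endpoint-management parent processes (the names in `TRUSTED_PARENTS` are placeholders, not a vetted list) that marks matches as suppressed rather than dropping them, so the events remain available for review.

```python
import re

# Patterns mirror the CommandLine regexes of the LogScale query on this page.
# Order matters: the first matching rule wins, as in the query's case statement.
RULES = [
    ("security_service_tampering", re.compile(
        r"(sc\s+(stop|config)|net\s+stop|taskkill).{0,100}"
        r"(WinDefend|Sense|MsMpSvc|SecurityHealth|SecurityHealthService|EventLog|MpsSvc|WdNisSvc)",
        re.IGNORECASE)),
    ("log_tampering", re.compile(
        r"(auditpol\s+/(clear|set)|wevtutil\s+cl\s)", re.IGNORECASE)),
    ("defender_modification", re.compile(
        r"(Set-MpPreference|DisableRealtimeMonitoring|DisableBehaviorMonitoring|Remove-MpPreference)",
        re.IGNORECASE)),
    ("boot_or_firewall_tampering", re.compile(
        r"(bcdedit\s+/set.{0,40}safeboot|netsh\s+advfirewall\s+set)", re.IGNORECASE)),
    ("defender_process_kill", re.compile(
        r"taskkill.{0,60}(MsMpEng|NisSrv|SecurityHealth|MpCmdRun)", re.IGNORECASE)),
]

PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}

# Hypothetical tuning allowlist (assumption, not from the page): parent processes of
# endpoint-management agents that legitimately restart services during patch cycles.
TRUSTED_PARENTS = {"ccmexec.exe", "intunemanagementextension.exe"}


def classify(command_line):
    """Return the first matching action label, or None if no rule matches."""
    for action, pattern in RULES:
        if pattern.search(command_line):
            return action
    return None


def run_detection(events, trusted_parents=TRUSTED_PARENTS):
    """Apply the event-type filter, classify, and flag likely-benign parents."""
    alerts = []
    for ev in events:
        if ev.get("event_simpleName") not in PROCESS_EVENTS:
            continue
        action = classify(ev.get("CommandLine", ""))
        if action is None:
            continue
        alerts.append({
            "ComputerName": ev.get("ComputerName"),
            "UserName": ev.get("UserName"),
            "ParentBaseFileName": ev.get("ParentBaseFileName"),
            "CommandLine": ev["CommandLine"],
            "action": action,
            # Suppressed alerts are kept for review instead of being discarded.
            "suppressed": ev.get("ParentBaseFileName", "").lower() in trusted_parents,
        })
    return alerts


# Constructed sample events; the command lines are those named in the page's tests and query.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "jdoe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "sc stop WinDefend"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "SYSTEM",
     "ParentBaseFileName": "CcmExec.exe", "CommandLine": "net stop WinDefend"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "UserName": "jdoe",
     "ParentBaseFileName": "powershell.exe", "CommandLine": "wevtutil cl Security"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS03", "UserName": "jdoe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "auditpol /clear /y"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS04", "UserName": "jdoe",
     "ParentBaseFileName": "powershell.exe",
     "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS05", "UserName": "jdoe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "ping 10.0.0.1"},
    # Wrong event type: ignored by the filter even though the command line would match.
    {"event_simpleName": "DnsRequest", "ComputerName": "WS06", "UserName": "jdoe",
     "ParentBaseFileName": "cmd.exe", "CommandLine": "sc stop WinDefend"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        flag = " (suppressed: trusted parent)" if alert["suppressed"] else ""
        print(f'{alert["ComputerName"]:5} {alert["action"]:28} {alert["CommandLine"]}{flag}')
```

Because the filter and the case branches use identical patterns here, the query's `unknown_impair_defenses` fallback is unreachable in this script; in the live query that label only appears when the two pattern sets drift apart, which is itself a useful thing to alert on during rule maintenance.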
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Stop Windows Defender Service

    Expected signal: Sysmon Event ID 1 (Process Create) with CommandLine 'sc stop WinDefend'. System Event ID 7036: Windows Defender Antivirus Service entered the stopped state. Security Event ID 4688 if command-line auditing is enabled.

  2. Test 2: Clear Security Event Log

    Expected signal: Security Event ID 1102: The audit log was cleared. Sysmon Event ID 1 (Process Create) with CommandLine 'wevtutil cl Security'.

  3. Test 3: Disable Audit Policy

    Expected signal: Security Event ID 4719: System audit policy was changed. Sysmon Event ID 1 (Process Create) with CommandLine 'auditpol /clear /y'.
