T1562 Microsoft Sentinel · KQL

Detect Impair Defenses in Microsoft Sentinel

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Canonical reference
https://attack.mitre.org/techniques/T1562/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SecurityServiceNames = dynamic(["WinDefend", "MsMpSvc", "Sense", "WdNisSvc", "WdNisDrv", "WdFilter", "WdBoot", "SecurityHealthService", "wscsvc", "EventLog", "MpsSvc"]);
let SuspiciousCommands = dynamic(["sc stop", "sc config", "net stop", "taskkill", "Set-MpPreference", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "Remove-MpPreference", "auditpol /clear", "auditpol /set", "wevtutil cl", "bcdedit /set", "netsh advfirewall set"]);
union DeviceProcessEvents, DeviceRegistryEvents
| where Timestamp > ago(24h)
| extend CommandLine = coalesce(ProcessCommandLine, "")
| where CommandLine has_any (SuspiciousCommands)
   or (ActionType == "RegistryValueSet" and RegistryKey has_any ("WinDefend", "EventLog", "SecurityHealth", "MpsSvc"))
| extend StoppedService = extract(@"(?:sc\s+(?:stop|config)|net\s+stop)\s+([\w]+)", 1, CommandLine)
| extend IsSecurityService = StoppedService in (SecurityServiceNames)
| project Timestamp, DeviceName, AccountName, ActionType, CommandLine, RegistryKey, RegistryValueName, RegistryValueData, StoppedService, IsSecurityService
| sort by Timestamp desc
high severity medium confidence

Broad detection for defense impairment activities across Windows endpoints. Monitors for security service stopping, firewall modifications, event log clearing, audit policy changes, safe mode boot changes, and Defender preference modifications. Combines process creation and registry events for comprehensive coverage.

Data Sources

Process: Process CreationCommand: Command ExecutionWindows Registry: Windows Registry Key ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceRegistryEvents

False Positives & Tuning

  • IT administrators performing legitimate maintenance or reconfiguration of security tools during planned change windows
  • Endpoint management tools (SCCM, Intune, GPO) updating Defender exclusions or policies
  • Security tool upgrades that temporarily stop and restart services
Download portable Sigma rule (.yml)

Other platforms for T1562

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Stop Windows Defender Service

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine 'sc stop WinDefend'. System Event ID 7036: Windows Defender Antivirus Service entered the stopped state. Security Event ID 4688 if command line auditing enabled.

  2. Test 2Clear Security Event Log

    Expected signal: Security Event ID 1102: The audit log was cleared. Sysmon Event ID 1: Process Create with CommandLine 'wevtutil cl Security'.

  3. Test 3Disable Audit Policy

    Expected signal: Security Event ID 4719: System audit policy was changed. Sysmon Event ID 1: Process Create with CommandLine 'auditpol /clear /y'.

Last updated: 2026-04-21 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1562 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (12)

Related Techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.009Safe Mode BootT1070.001Clear Windows Event LogsT1112Modify RegistryT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections