Detecting EDR Tampering: KQL and SPL Queries for T1562.001
Before ransomware drops, the AV has to go. Conti, Akira, BlackCat, Play, Black Basta — every serious ransomware family ships with a kill list for security tools. Stop WinDefend. Kill MsMpEng. Run Add-MpPreference -ExclusionPath C:\. Then deploy.
The reason isn’t fear of detection during encryption. It’s operational efficiency. A running EDR will kill the ransomware process after a few hundred files. With the EDR down, encryption runs uninterrupted for minutes, and minutes at modern ransomware speeds mean tens of thousands of files. MITRE T1562.001 (Disable or Modify Tools) appears in nearly every ransomware incident report published in the last three years. It’s also one of the most actionable detections you can build: unlike encryption itself, which fires after the damage is done, tool tampering fires while you still have response options.
This post walks through the five attack vectors, provides production-ready KQL and SPL queries from the df00tech detection library, and covers what to hunt for beyond the obvious.
The Five Attack Vectors
Attackers disable security tools via five methods, roughly in order of sophistication:
- Service stop/delete — sc stop WinDefend or net stop WinDefend. Used by Ryuk, REvil, Conti. Requires admin. Leaves loud telemetry.
- Process kill — taskkill /f /im MsMpEng.exe. Simpler, often fails against tamper-protected agents, but the attempt still fires events.
- PowerShell Defender cmdlets — Set-MpPreference -DisableRealtimeMonitoring $true or Add-MpPreference -ExclusionPath 'C:\'. Used by WhisperGate, XLoader, FIN13. The exclusion variant is especially dangerous because it blinds Defender without stopping it — no service state change to alert on.
- Direct registry modification — reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1. Bypasses PowerShell logging by avoiding cmdlets entirely.
- BYOVD (Bring Your Own Vulnerable Driver) — loading a legitimately signed but vulnerable kernel driver to terminate protected EDR processes from ring 0. The most advanced technique; see the BYOVD section below.
Production KQL Detection (Microsoft Sentinel / MDE)
This is the primary T1562.001 detection query, covering vectors 1–3 in a single rule against DeviceProcessEvents:
let SecurityProcesses = dynamic([
"MsMpEng.exe", "MsSense.exe", "SenseCncProxy.exe", "SenseIR.exe",
"csfalconservice.exe", "csfalconcontainer.exe", "CylanceSvc.exe",
"cb.exe", "CbDefense.exe", "SentinelAgent.exe", "SentinelServiceHost.exe",
"taniumclient.exe", "SecurityHealthService.exe"
]);
let SecurityServices = dynamic([
"WinDefend", "Sense", "MsMpSvc", "WdNisSvc", "SecurityHealthService",
"wscsvc", "CrowdStrike", "CylanceSvc", "CbDefense", "SentinelAgent"
]);
let SuspiciousActions = dynamic([
"sc stop", "sc delete", "sc config", "net stop", "taskkill /f /im",
"Set-MpPreference -DisableRealtimeMonitoring", "Set-MpPreference -DisableBehaviorMonitoring",
"Set-MpPreference -DisableIOAVProtection", "Set-MpPreference -DisableScriptScanning",
"Add-MpPreference -ExclusionPath", "Add-MpPreference -ExclusionProcess",
"Set-MpPreference -DisableBlockAtFirstSeen", "DisableAntiSpyware"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousActions)
or (FileName =~ "taskkill.exe" and ProcessCommandLine has_any (SecurityProcesses))
or (FileName in~ ("sc.exe", "net.exe", "net1.exe") and ProcessCommandLine has_any (SecurityServices))
| extend TargetTool = case(
ProcessCommandLine has_any ("WinDefend", "MsMpEng", "MsSense", "Sense", "Defender"), "Windows Defender/MDE",
ProcessCommandLine has_any ("CrowdStrike", "csfalcon"), "CrowdStrike Falcon",
ProcessCommandLine has_any ("Cylance"), "Cylance",
ProcessCommandLine has_any ("Carbon", "CbDefense", "cb.exe"), "Carbon Black",
ProcessCommandLine has_any ("Sentinel"), "SentinelOne",
ProcessCommandLine has_any ("Tanium", "taniumclient"), "Tanium",
ProcessCommandLine has_any ("ExclusionPath", "ExclusionProcess"), "Defender Exclusion",
"Other/Unknown")
| extend ActionType2 = case(
ProcessCommandLine has "taskkill", "Process Kill",
ProcessCommandLine has "sc stop" or ProcessCommandLine has "net stop", "Service Stop",
ProcessCommandLine has "sc delete", "Service Delete",
ProcessCommandLine has "sc config", "Service Reconfigure",
ProcessCommandLine has "MpPreference", "Defender Policy Change",
ProcessCommandLine has "Exclusion", "Exclusion Added",
"Other")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, TargetTool, ActionType2
| sort by Timestamp desc
The TargetTool and ActionType2 computed fields are the analyst payoff: they let you pivot immediately to “who killed what and how” without parsing raw command lines in triage.
Key false positive sources. SCCM (CcmExec.exe) and Intune management extension are the most common legitimate parents. Build an allowlist by exact parent process + account combination — never exclude by command pattern alone. A Defender exclusion addition from Intune as SYSTEM via MicrosoftIntune.exe is expected; the same command spawned by powershell.exe under a user account at 3am is not.
Splunk SPL Equivalent
For Splunk deployments using Sysmon Event ID 1, the T1562.001 SPL query uses a suspicion scoring model that assigns integer weights per indicator type:
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval ServiceKill=if(match(CommandLine,
"(sc\s+(stop|delete|config)|net\s+stop|net1\s+stop).*(windefend|sense|msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|cylance|cbdefense|sentinelagent|taniumclient)"), 1, 0)
| eval ProcessKill=if(match(CommandLine,
"taskkill.*(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|sentinelagent|taniumclient|securityhealth)"), 1, 0)
| eval DefenderModify=if(match(CommandLine,
"(set-mppreference|add-mppreference).*(disable|exclusion)"), 1, 0)
| eval AntiSpyware=if(match(CommandLine, "disableantispyware.*1"), 1, 0)
| eval SuspicionScore=ServiceKill + ProcessKill + DefenderModify + AntiSpyware
| where SuspicionScore > 0
| eval TargetTool=case(
match(CommandLine, "(windefend|msmpeng|mssense|sense|defender)"), "Windows Defender/MDE",
match(CommandLine, "(crowdstrike|csfalcon)"), "CrowdStrike Falcon",
match(CommandLine, "cylance"), "Cylance",
match(CommandLine, "(carbon|cbdefense)"), "Carbon Black",
match(CommandLine, "sentinel"), "SentinelOne",
match(CommandLine, "tanium"), "Tanium",
true(), "Other/Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
TargetTool, ServiceKill, ProcessKill, DefenderModify, AntiSpyware, SuspicionScore
| sort - _time
SuspicionScore directly drives alert priority. Score 1 is a single technique — investigate. Score 2+ means multiple methods were used on the same host in the same event chain, which is almost always an operator running a kill script.
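To make the scoring model concrete, here is an added Python re-implementation (not from the post or the df00tech library) that runs the same four regexes and the same TargetTool case order over a handful of constructed Sysmon Event ID 1 records; the host names, users and command lines are made up for the demonstration.

```python
import re

# Constructed Sysmon Event ID 1 records (not real telemetry) used to exercise the scorer.
SAMPLE_EVENTS = [
    {"host": "WS01", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sc stop WinDefend"},
    {"host": "WS02", "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "taskkill /f /im MsMpEng.exe"},
    {"host": "SRV01", "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor'"},
    {"host": "WS03", "User": r"CORP\svc_backup", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'net stop CrowdStrike & reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1'},
    {"host": "WS04", "User": r"CORP\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]
# The same four regexes as the SPL eval lines; each matching indicator adds 1 to the score.
INDICATORS = {
    "ServiceKill": re.compile(r"(sc\s+(stop|delete|config)|net\s+stop|net1\s+stop).*(windefend|sense|"
                              r"msmpsvc|wdnissvc|securityhealth|crowdstrike|csfalcon|cylance|cbdefense|"
                              r"sentinelagent|taniumclient)"),
    "ProcessKill": re.compile(r"taskkill.*(msmpeng|mssense|csfalcon|cylancesvc|cbdefense|"
                              r"sentinelagent|taniumclient|securityhealth)"),
    "DefenderModify": re.compile(r"(set-mppreference|add-mppreference).*(disable|exclusion)"),
    "AntiSpyware": re.compile(r"disableantispyware.*1"),
}
# Same order as the SPL case(): the first pattern that matches names the tool.
TARGET_TOOLS = [
    (re.compile(r"windefend|msmpeng|mssense|sense|defender"), "Windows Defender/MDE"),
    (re.compile(r"crowdstrike|csfalcon"), "CrowdStrike Falcon"),
    (re.compile(r"cylance"), "Cylance"),
    (re.compile(r"carbon|cbdefense"), "Carbon Black"),
    (re.compile(r"sentinel"), "SentinelOne"),
    (re.compile(r"tanium"), "Tanium"),
]

def score_event(event):
    """Lower-case the command line (as the SPL does), set the four flags, and sum them."""
    cmd = event["CommandLine"].lower()
    flags = {name: int(bool(rx.search(cmd))) for name, rx in INDICATORS.items()}
    tool = next((label for rx, label in TARGET_TOOLS if rx.search(cmd)), "Other/Unknown")
    return {**event, **flags, "TargetTool": tool, "SuspicionScore": sum(flags.values())}

def triage(events):
    """Equivalent of `where SuspicionScore > 0` followed by a sort, highest score first."""
    scored = [score_event(e) for e in events]
    return sorted((s for s in scored if s["SuspicionScore"] > 0),
                  key=lambda s: s["SuspicionScore"], reverse=True)
```

Note that the SPL TargetTool case has no MpPreference branch, so an exclusion-only event that names no product falls through to Other/Unknown, whereas the KQL rule above labels those "Defender Exclusion".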
Hunting: Defender Exclusion Additions
The exclusion technique is particularly dangerous because it generates no service state change event. Defenders often miss it. The registry-level hunt from the T1562.001 hunting queries:
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has "Windows Defender\\Exclusions"
| where ActionType == "RegistryValueSet"
| project Timestamp, DeviceName, AccountName, RegistryKey,
RegistryValueName, RegistryValueData,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
The signal to investigate: RegistryValueData containing C:\, C:\Users\, or any broad path covering entire drives. Legitimate exclusions are typically specific application directories managed via GPO — local registry writes to this key from interactive sessions are almost always malicious. APT groups WhisperGate, XLoader, and FIN13 have all used this exact path.
Hunting: PowerShell Disable-* Cmdlet Patterns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "Set-MpPreference" or ProcessCommandLine has "Add-MpPreference"
| where ProcessCommandLine has_any ("Disable", "Exclusion", "$true")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Legitimate changes via Intune or SCCM produce these events but always with MicrosoftIntune.exe, CcmExec.exe, or gpscript.exe as the initiating process. Filter those out and you have near-zero false positives.
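As an added triage helper for the exclusion and MpPreference hunts above (written for this post, not code from the df00tech library), the following classifies how much of the filesystem an excluded path covers and applies the parent + account allowlist the post recommends. It assumes the excluded path has already been pulled into a single ExcludedPath field on each hunt row, and it treats any whole top-level directory as broad, a slight generalization of the C:\ and C:\Users\ examples.

```python
import re

# Parents the post names as legitimate sources of Defender changes, paired with the account
# they run as. Allowlist on the exact parent + account pair, never on the command alone.
EXPECTED_PARENT_ACCOUNTS = {
    ("microsoftintune.exe", "system"), ("ccmexec.exe", "system"), ("gpscript.exe", "system"),
}

def exclusion_breadth(path: str) -> str:
    """Classify how much of the filesystem an excluded path blinds Defender to."""
    p = path.strip().strip("'\"").replace("/", "\\").rstrip("\\").lower()
    if re.fullmatch(r"[a-z]:", p) or p in ("*", "\\"):
        return "drive"          # C:\ : the whole volume
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return "top-level"      # C:\Users\ and similar: a whole top-level tree
    if "*" in p:
        return "wildcard"
    return "specific"           # e.g. C:\Program Files\Vendor\App

def triage_exclusion(event: dict) -> dict:
    """event: a hunt row with InitiatingProcessFileName, AccountName and ExcludedPath."""
    parent = event["InitiatingProcessFileName"].lower()
    account = event["AccountName"].lower().split("\\")[-1]
    breadth = exclusion_breadth(event["ExcludedPath"])
    managed = (parent, account) in EXPECTED_PARENT_ACCOUNTS
    if managed and breadth == "specific":
        verdict = "expected"      # management tooling excluding an application directory
    elif managed:
        verdict = "review"        # expected parent, but a drive-wide exclusion is never routine
    else:
        verdict = "investigate"   # unmanaged or interactive parent writing exclusions
    return {**event, "Breadth": breadth, "Verdict": verdict}

# Constructed rows (not real telemetry) shaped like the DeviceRegistryEvents hunt output.
SAMPLE_ROWS = [
    {"DeviceName": "WS01", "AccountName": r"NT AUTHORITY\SYSTEM",
     "InitiatingProcessFileName": "MicrosoftIntune.exe", "ExcludedPath": r"C:\Program Files\Vendor\App"},
    {"DeviceName": "WS02", "AccountName": r"CORP\jdoe",
     "InitiatingProcessFileName": "powershell.exe", "ExcludedPath": "C:\\"},
    {"DeviceName": "WS03", "AccountName": r"NT AUTHORITY\SYSTEM",
     "InitiatingProcessFileName": "CcmExec.exe", "ExcludedPath": "C:\\Users\\"},
    {"DeviceName": "WS04", "AccountName": r"CORP\jdoe",
     "InitiatingProcessFileName": "powershell.exe", "ExcludedPath": r"C:\Temp\build\*"},
]
```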
BYOVD: The Ring-0 Bypass
Bring Your Own Vulnerable Driver (BYOVD) attacks load a legitimately Microsoft-signed but exploitable kernel driver — gdrv.sys (GIGABYTE), dbutil_2_3.sys (Dell), mhyprot2.sys (miHoYo’s anti-cheat) — and use the driver’s kernel-mode access to terminate EDR processes from ring 0, bypassing tamper protection entirely.
Detection requires Sysmon Event ID 6 (driver loaded). Hunt for:
- Known-vulnerable driver hashes against a blocklist (Microsoft WDAC Vulnerable Driver Blocklist)
- Drivers loaded from outside C:\Windows\System32\drivers\ or C:\Program Files\
- Driver loads immediately preceding security tool process exits
The T1562.001 evidence collection guidance covers the specific Sysmon EIDs and registry paths to examine when BYOVD is suspected. For an attacker-perspective walkthrough of the LOLBin techniques used in pre-BYOVD staging, see Detecting Living-Off-the-Land Attacks.
Multi-Host Correlation: When One Alert Becomes a Campaign
A single T1562.001 alert is serious. Five on five different hosts within 20 minutes is a ransomware operator running an automated deployment script across the domain. The difference matters for response: single host is a containment problem; multi-host is a war room problem.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("sc stop", "sc delete", "net stop", "taskkill /f /im", "Set-MpPreference")
| where ProcessCommandLine has_any ("WinDefend", "Sense", "MsMpEng", "CrowdStrike", "Cylance", "CbDefense", "SentinelAgent")
| summarize Count=count(), Devices=dcount(DeviceName), Earliest=min(Timestamp), Latest=max(Timestamp)
by AccountName, ProcessCommandLine, InitiatingProcessFileName
| where Devices > 2
| sort by Devices desc
Any result with Devices > 2 from the same account within a short window is an immediate P1. Before containment, identify whether the account is a domain admin or a service account — domain admin means the attacker already has the keys to everything. Correlate with credential dumping detections (T1003) on the same or adjacent hosts within the preceding 60 minutes.
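The KQL above groups over seven days and leaves the "within a short window" judgement to the analyst. As an added example (not code from the post or the df00tech library), this Python version applies the same filters and grouping to constructed DeviceProcessEvents rows and adds the 20-minute sliding window, so only hosts hit close together count toward the Devices threshold. The has_any() filters are approximated with substring matches.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KILL_ACTIONS = ("sc stop", "sc delete", "net stop", "taskkill /f /im", "set-mppreference")
KILL_TARGETS = ("windefend", "sense", "msmpeng", "crowdstrike", "cylance", "cbdefense", "sentinelagent")
WINDOW = timedelta(minutes=20)   # the post's "five hosts within 20 minutes"
MIN_DEVICES = 3                  # the query's `Devices > 2`

def is_tool_kill(cmd: str) -> bool:
    """Substring approximation of the KQL's two has_any() filters, case-insensitive."""
    c = cmd.lower()
    return any(a in c for a in KILL_ACTIONS) and any(t in c for t in KILL_TARGETS)

def find_campaigns(events):
    """Group as the KQL does, then require MIN_DEVICES hosts inside one WINDOW, not just within 7d."""
    groups = defaultdict(list)
    for e in events:
        if is_tool_kill(e["ProcessCommandLine"]):
            key = (e["AccountName"], e["ProcessCommandLine"].lower(), e["InitiatingProcessFileName"].lower())
            groups[key].append(e)
    campaigns = []
    for (account, cmd, parent), evs in groups.items():
        evs.sort(key=lambda e: e["Timestamp"])
        for i, first in enumerate(evs):     # slide the window start over each event
            inside = [e for e in evs[i:] if e["Timestamp"] - first["Timestamp"] <= WINDOW]
            devices = sorted({e["DeviceName"] for e in inside})
            if len(devices) >= MIN_DEVICES:
                campaigns.append({"AccountName": account, "ProcessCommandLine": cmd, "Parent": parent,
                                  "Devices": devices, "Earliest": first["Timestamp"],
                                  "Latest": inside[-1]["Timestamp"]})
                break   # one finding per account/command/parent group
    return campaigns

def ts(h, m):   # constructed timestamps, all on one day
    return datetime(2025, 1, 1, h, m)

# Constructed DeviceProcessEvents rows (not real telemetry).
SAMPLE_EVENTS = [
    # Four hosts, one account, one parent, 15 minutes end to end: a deployment script.
    *({"Timestamp": ts(10, mm), "DeviceName": d, "AccountName": r"CORP\svc_deploy",
       "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "net stop WinDefend"}
      for d, mm in (("WS01", 0), ("WS02", 4), ("FS01", 9), ("WS03", 15))),
    # Same command on three hosts but hours apart: outside the window, so not a campaign.
    *({"Timestamp": ts(hh, 0), "DeviceName": d, "AccountName": r"CORP\jdoe",
       "InitiatingProcessFileName": "cmd.exe", "ProcessCommandLine": "taskkill /f /im MsMpEng.exe"}
      for d, hh in (("WS05", 8), ("WS06", 11), ("WS07", 14))),
]
```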
The Kill Chain Context
T1562.001 almost never fires in isolation. The standard sequence is: credential theft → lateral movement → security tool kill → recovery sabotage (T1490) → encryption (T1486). By the time you see the tool kill, the attacker has had domain admin for at least hours.
The kill is also frequently accompanied by:
- T1562.002 — Disable Windows Event Logging: wevtutil cl Security, wevtutil cl System. The attacker clearing their footprints after disabling Defender.
- T1562.006 — Indicator Blocking (ETW/AMSI): patching AMSI in memory or disabling ETW providers to prevent script-level detection. Used when the attacker wants to run obfuscated PowerShell without Defender’s AMSI scanner catching it.
For the full pre-detonation kill chain including shadow copy deletion and backup service stops, see Ransomware Detection: TTPs, Indicators, and KQL Queries for 2026.
Browse the Library
The df00tech detection library covers the full T1562 family — tool disablement, event log clearing, ETW/AMSI tampering, cloud firewall modification, and more — along with every other MITRE ATT&CK technique in the enterprise matrix. Each detection includes KQL, SPL, Elastic EQL, QRadar AQL, Sumo Logic, Chronicle YARA-L, and CrowdStrike CQL queries, plus IR playbooks and atomic red team tests to validate your coverage.