title: Disable or Modify Tools (T1562.001)
id: df00tech-t1562-001
status: experimental
description: "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems. Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain kernel access (BYOVD), abuse the Windows TTD monitor driver to debug and suspend EDR processes, or unhook userland DLLs to bypass security tool instrumentation."
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://df00tech.com/detections/T1562.001
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below (EventID: '*') matches every process_creation event and
  # must be replaced with real detection logic before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators performing planned security tool maintenance, upgrades, or migrations with corresponding change tickets"
  - "Endpoint management tools (SCCM, Intune) deploying Defender exclusion policies for legitimate applications"
  - Security tool uninstallation during agent version upgrades or vendor transitions
  - Automated remediation scripts that restart security services after patching
level: critical
