title: Impair Defenses (T1562)
id: df00tech-t1562
status: experimental
description: "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process."
references:
  - https://attack.mitre.org/techniques/T1562/
  - https://df00tech.com/detections/T1562
author: df00tech
date: 2026/04/21
tags:
  - attack.defense_evasion
  - attack.t1562
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # NOTE: the auto-generated rule had `EventID: '*'` as its only selection, which matches
  # every process_creation event and would fire at level high on all of them. The selections
  # below are an editorial replacement covering well-documented T1562 sub-technique command
  # lines; tune them to your environment and compare with the KQL/SPL query on df00tech.
  selection_defender:    # T1562.001: Defender tampering via Set-MpPreference -Disable*
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'Set-MpPreference'
      - '-Disable'
  selection_auditing:    # T1562.002: clearing the audit policy
    Image|endswith: '\auditpol.exe'
    CommandLine|contains: '/clear'
  selection_eventlog:    # T1562.002: disabling an event log channel
    Image|endswith: '\wevtutil.exe'
    CommandLine|contains|all:
      - ' sl '
      - '/e:false'
  selection_firewall:    # T1562.004: turning off the host firewall
    Image|endswith: '\netsh.exe'
    CommandLine|contains|all:
      - 'advfirewall'
      - 'state off'
  condition: 1 of selection_*
falsepositives:
  - IT administrators performing legitimate maintenance or reconfiguration of security tools during planned change windows
  - "Endpoint management tools (SCCM, Intune, GPO) updating Defender exclusions or policies"
  - Security tool upgrades that temporarily stop and restart services
level: high
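The command-line patterns that process_creation telemetry is normally checked against for T1562 (Defender disablement via Set-MpPreference, auditpol /clear, wevtutil sl ... /e:false, netsh advfirewall ... state off), evaluated by a small Sigma-style matcher over constructed Sysmon-style records. This is an added example, not the df00tech rule or its KQL/SPL query: the selection names, the Sigma modifiers it implements (endswith, contains, contains|all, case-insensitive), the sample events and the label key are all assumptions made here; Image and CommandLine follow Sigma's process_creation field names.

```python
"""Sigma-style evaluation of T1562 process_creation selections over sample events.

Added example: a minimal matcher for the Sigma modifiers used by process_creation
rules (endswith, contains, contains|all), applied to constructed Sysmon-style
records. Field names follow Sigma's process_creation taxonomy (Image, CommandLine).
"""
from __future__ import annotations

# Within one selection every field must match (AND). A list of values is OR,
# unless the 'all' modifier is present, in which case every value must match.
SELECTIONS: dict[str, dict[str, list[str]]] = {
    # T1562.001: Defender tampering via Set-MpPreference -Disable*
    "selection_defender": {
        "Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
        "CommandLine|contains|all": ["Set-MpPreference", "-Disable"],
    },
    # T1562.002: clearing the audit policy
    "selection_auditing": {
        "Image|endswith": [r"\auditpol.exe"],
        "CommandLine|contains": ["/clear"],
    },
    # T1562.002: disabling an event log channel
    "selection_eventlog": {
        "Image|endswith": [r"\wevtutil.exe"],
        "CommandLine|contains|all": [" sl ", "/e:false"],
    },
    # T1562.004: turning off the host firewall
    "selection_firewall": {
        "Image|endswith": [r"\netsh.exe"],
        "CommandLine|contains|all": ["advfirewall", "state off"],
    },
}


def _match_value(field_value: str, modifier: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    fv, p = field_value.lower(), pattern.lower()
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier == "contains":
        return p in fv
    return fv == p


def _match_field(event: dict, spec: str, patterns: list[str]) -> bool:
    """Evaluate one 'Field|modifier[|all]: values' entry against an event."""
    field, *mods = spec.split("|")
    value = event.get(field)
    if value is None:  # a missing field never matches
        return False
    need_all = "all" in mods
    modifier = next((m for m in mods if m != "all"), "equals")
    hits = [_match_value(str(value), modifier, p) for p in patterns]
    return all(hits) if need_all else any(hits)


def evaluate(event: dict) -> list[str]:
    """Names of selections that fire for one event (condition: 1 of selection_*)."""
    return [
        name
        for name, fields in SELECTIONS.items()
        if all(_match_field(event, spec, pats) for spec, pats in fields.items())
    ]


# Constructed Sysmon Event ID 1-style records; 'label' is a test key, not a Sigma field.
SAMPLE_EVENTS = [
    {"label": "defender_off",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"label": "exclusion_added",  # also T1562.001, but outside these selections
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Tools"'},
    {"label": "audit_cleared",
     "Image": r"C:\Windows\System32\auditpol.exe",
     "CommandLine": "auditpol /clear /y"},
    {"label": "security_log_disabled",  # mixed case: matching must be case-insensitive
     "Image": r"C:\Windows\System32\WEVTUTIL.EXE",
     "CommandLine": "WevtUtil SL Security /E:false"},
    {"label": "firewall_off",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"label": "firewall_show",  # read-only query, must not fire
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    {"label": "service_query",  # benign admin check, must not fire
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc query WinDefend"},
]


def run_samples() -> dict[str, list[str]]:
    """Map each sample label to the selections it triggers."""
    return {ev["label"]: evaluate(ev) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, fired in run_samples().items():
        print(f"{label:24} -> {fired or 'no match'}")
```

Two of the sample events are deliberately near misses: the read-only `netsh advfirewall show` and `sc query` commands do not fire, and the `Add-MpPreference -ExclusionPath` event is left outside the selections because exclusion changes pushed by endpoint management tools are listed among the expected false positives above; if you extend the rule to cover exclusions, expect to filter on the parent process or the management tool's identity.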
