T1562

Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to...

Platforms: Windows, IaaS, Linux, macOS, Containers, Network Devices, Identity Provider, Office Suite, ESXi
180 detections, 3 sources, 2 threat actors

BY SOURCE

elastic: 137, sigma: 25, splunk_escu: 18

PROCEDURES (91)

Auto-extracted groupings (detections per group):

General Monitoring: 18 detections
Api: 7 detections
Network Connection Monitoring: 7 detections
Cloud: 6 detections
Kernel: 4 detections
Authentication Monitoring: 4 detections
Process Creation Monitoring: 4 detections
Cloud Monitoring: 4 detections
C2: 3 detections
Scheduled Task: 3 detections
Unusual: 3 detections
Phish: 3 detections
Evasion: 3 detections
Registry Monitoring: 3 detections
Service: 3 detections
Encrypt: 3 detections
Powershell: 3 detections
Persist: 3 detections
Dns: 3 detections
Azure: 3 detections
Registry: 3 detections
Clear Log: 2 detections
Aws: 2 detections
Service: 2 detections
Container: 2 detections
Privilege: 2 detections
Service: 2 detections
Service: 2 detections
Event Log: 2 detections
Oauth: 2 detections
Azure: 2 detections
Suspicious: 2 detections
Exfiltrat: 2 detections
Driver: 2 detections
Cloud: 2 detections
Download: 2 detections
Remote: 2 detections
Impersonat: 2 detections
Credential: 1 detection
Credential: 1 detection
Bypass: 1 detection
Unusual: 1 detection
Privilege: 1 detection
Lateral: 1 detection
C2: 1 detection
Credential: 1 detection
Persist: 1 detection
Service Monitoring: 1 detection
Powershell: 1 detection
Bypass: 1 detection
Attachment: 1 detection
Powershell: 1 detection
Exfiltrat: 1 detection
Service: 1 detection
Lateral: 1 detection
Credential: 1 detection
Encrypt: 1 detection
Http: 1 detection
Remote: 1 detection
Email: 1 detection
Inject: 1 detection
Registry: 1 detection
Service: 1 detection
Email: 1 detection
Attachment: 1 detection
Bypass: 1 detection
Tamper: 1 detection
Amsi: 1 detection
Script Execution Monitoring: 1 detection
Amsi: 1 detection
Driver: 1 detection
Http: 1 detection
Privilege: 1 detection
Bypass: 1 detection
Azure: 1 detection
Suspicious: 1 detection
Tamper: 1 detection
Script Block: 1 detection
Powershell: 1 detection
Remote: 1 detection
Lateral: 1 detection
Amsi: 1 detection
Kernel: 1 detection
Tamper: 1 detection
Kubernetes: 1 detection
Kubernetes: 1 detection
Evasion: 1 detection
Script Block: 1 detection
Privilege: 1 detection
Privilege: 1 detection
Evasion: 1 detection

THREAT ACTORS (2)

DETECTIONS (180)

Format: detection name (source, severity where given)

AppArmor Policy Interface Access (elastic, low)
AppArmor Policy Violation Detected (elastic, low)
AppArmor Profile Compilation via apparmor_parser (elastic, low)
Application Removed from Blocklist in Google Workspace (elastic, medium)
Attempt to Clear Kernel Ring Buffer (elastic, high)
Attempt to Clear Logs via Journalctl (elastic, medium)
Attempt to Deactivate an Okta Network Zone (elastic, medium)
Attempt to Deactivate an Okta Policy (elastic, low)
Attempt to Deactivate an Okta Policy Rule (elastic, medium)
Attempt to Delete an Okta Network Zone (elastic, medium)
Attempt to Delete an Okta Policy (elastic, medium)
Attempt to Delete an Okta Policy Rule (elastic, low)
Attempt to Disable Auditd Service (elastic, medium)
Attempt to Disable IPTables or Firewall (elastic, medium)
Attempt to Disable Syslog Service (elastic, medium)
Attempt to Modify an Okta Network Zone (elastic, medium)
Attempt to Modify an Okta Policy (elastic, low)
Attempt to Modify an Okta Policy Rule (elastic, low)
Attempt to Unload Elastic Endpoint Security Kernel Extension (elastic, high)
AWS CloudTrail Log Created (elastic, low)
AWS CloudTrail Log Deleted (elastic, medium)
AWS CloudTrail Log Evasion (elastic, medium)
AWS CloudTrail Log Suspended (elastic, medium)
AWS CloudTrail Log Updated (elastic, low)
AWS CloudWatch Alarm Deletion (elastic, medium)
AWS CloudWatch Log Group Deletion (elastic, medium)
AWS CloudWatch Log Stream Deletion (elastic, medium)
AWS Config Resource Deletion (elastic, medium)
AWS Configuration Recorder Stopped (elastic, high)
AWS EC2 Network Access Control List Creation (elastic, low)
AWS EC2 Network Access Control List Deletion (elastic, medium)
AWS EC2 Security Group Configuration Change (elastic, low)
AWS EC2 Serial Console Access Enabled (elastic, high)
AWS EventBridge Rule Disabled or Deleted (elastic, low)
AWS GuardDuty Detector Deletion (elastic, high)
AWS GuardDuty Member Account Manipulation (elastic, medium)
AWS Route 53 Domain Transfer Lock Disabled (elastic, high)
AWS Route 53 Resolver Query Log Configuration Deleted (elastic, medium)
AWS S3 Bucket Configuration Deletion (elastic, low)
AWS S3 Bucket Expiration Lifecycle Configuration Added (elastic, low)
AWS S3 Bucket Server Access Logging Disabled (elastic, medium)
AWS SecurityHub Findings Evasion (sigma, high)
AWS SQS Queue Purge (elastic, medium)
AWS VPC Flow Logs Deletion (elastic, high)
AWS WAF Access Control List Deletion (elastic, medium)
AWS WAF Rule or Rule Group Deletion (elastic, medium)
Azure AD Block User Consent For Risky Apps Disabled (splunk_escu)
Azure Diagnostic Settings Alert Suppression Rule Created or Modified (elastic, low)
Azure Diagnostic Settings Deleted (elastic, medium)
Azure Event Hub Deleted (elastic, medium)
Azure Kubernetes Events Deleted (sigma, medium)
Azure Kubernetes Services (AKS) Kubernetes Events Deleted (elastic, medium)
Azure Resource Group Deleted (elastic, medium)
Azure VNet Firewall Front Door WAF Policy Deleted (elastic, low)
Azure VNet Firewall Policy Deleted (elastic, low)
Azure VNet Network Watcher Deleted (elastic, medium)
BPF filter applied using TC (elastic, high)
BPF Program Tampering via bpftool (elastic, medium)
Cisco ASA - Core Syslog Message Volume Drop (splunk_escu)
Cisco ASA - Logging Disabled via CLI (splunk_escu)
Cisco ASA - Logging Filters Configuration Tampering (splunk_escu)
Clearing Windows Event Logs (elastic, low)
Decline in host-based traffic (elastic, low)
Deprecated - M365 Exchange DLP Policy Deleted (elastic, medium)
Deprecated - M365 Teams External Access Enabled (elastic, medium)
Disable Windows Event and Security Logs Using Built-in Tools (elastic, low)
Disable Windows Firewall Rules via Netsh (elastic, medium)
Disabling Lsa Protection via Registry Modification (elastic, high)
Disabling User Account Control via Registry Modification (elastic, medium)
Disabling Windows Defender Security Settings via PowerShell (elastic, medium)
DNS Global Query Block List Modified or Disabled (elastic, medium)
DNS-over-HTTPS Enabled via Registry (elastic, low)
Domain Added to Google Workspace Trusted Domains (elastic, high)
Elastic Agent Service Terminated (elastic, medium)
Elastic Defend Alert Followed by Telemetry Loss (elastic, high)
Enable Host Network Discovery via Netsh (elastic, medium)
ESXi Encryption Settings Modified (splunk_escu)
ESXi Lockdown Mode Disabled (splunk_escu)
ESXi Loghost Config Tampering (splunk_escu)
ESXi VIB Acceptance Level Tampering (splunk_escu)
ETW Logging Disabled For rpcrt4.dll (sigma, low)
ETW Logging Disabled For SCM (sigma, low)
ETW Logging Disabled In .NET Processes - Registry (sigma, high)
ETW Logging Disabled In .NET Processes - Sysmon Registry (sigma, high)
ETW Logging Tamper In .NET Processes Via CommandLine (sigma, high)
Filter Driver Unloaded Via Fltmc.EXE (sigma, medium)
FortiGate - Firewall Address Object Added (sigma, medium)
FortiGate - New Firewall Policy Added (sigma, medium)
FortiGate Overly Permissive Firewall Policy Created (elastic, high)
Gatekeeper Override and Execution (elastic, high)
GCP Firewall Rule Creation (elastic, low)
GCP Firewall Rule Deletion (elastic, medium)
GCP Firewall Rule Modification (elastic, medium)
GCP Logging Bucket Deletion (elastic, medium)
GCP Logging Sink Deletion (elastic, medium)
GCP Logging Sink Modification (elastic, low)
GCP Pub/Sub Subscription Deletion (elastic, low)
GCP Pub/Sub Topic Deletion (elastic, low)
GCP Virtual Private Cloud Network Deletion (elastic, medium)
GCP Virtual Private Cloud Route Creation (elastic, low)
GCP Virtual Private Cloud Route Deletion (elastic, medium)
GitHub App Deleted (elastic, low)
GitHub Protected Branch Settings Changed (elastic, medium)
GitHub Secret Scanning Disabled (elastic, low)
Google Cloud Firewall Modified or Deleted (sigma, medium)
Google Workspace Bitlocker Setting Disabled (elastic, medium)
Google Workspace Restrictions for Marketplace Modified to Allow Any App (elastic, medium)
HackTool - EDRSilencer Execution (sigma, high)
HackTool - EDRSilencer Execution - Filter Added (sigma, high)
Hide Schedule Task Via Index Value Tamper (sigma, high)
High Number of Process and/or Service Terminations (elastic, medium)
High Number of Process Terminations (elastic, medium)
IIS HTTP Logging Disabled (elastic, high)
Insecure AWS EC2 VPC Security Group Ingress Rule Added (elastic, medium)
Kerberos Pre-authentication Disabled for User (elastic, medium)
Kernel Module Removal (elastic, low)
Kill Command Execution (elastic, low)
Local Account TokenFilter Policy Disabled (elastic, medium)
M365 Copilot Agentic Jailbreak Attack (splunk_escu)
M365 Copilot Impersonation Jailbreak Attack (splunk_escu)
M365 Copilot Information Extraction Jailbreak Attack (splunk_escu)
M365 Copilot Non Compliant Devices Accessing M365 Copilot (splunk_escu)
M365 Exchange Anti-Phish Policy Deleted (elastic, medium)
M365 Exchange Anti-Phish Rule Modification (elastic, medium)
M365 Exchange DKIM Signing Configuration Disabled (elastic, medium)
M365 Exchange Email Safe Attachment Rule Disabled (elastic, low)
M365 Exchange Email Safe Link Policy Disabled (elastic, medium)
M365 Exchange Mail Flow Transport Rule Modified (elastic, medium)
M365 Exchange Mailbox Audit Logging Bypass Added (elastic, medium)
M365 Exchange Malware Filter Policy Deleted (elastic, medium)
M365 Exchange Malware Filter Rule Modified (elastic, medium)
M365 SharePoint Site Sharing Policy Weakened (elastic, medium)
M365 Teams Custom Application Interaction Enabled (elastic, medium)
Microsoft Windows Defender Tampering (elastic, medium)
Modification of AmsiEnable Registry Key (elastic, high)
Modification of Safari Settings via Defaults Command (elastic, medium)
Network-Level Authentication (NLA) Disabled (elastic, low)
O365 Block User Consent For Risky Apps Disabled (splunk_escu)
Potential Antimalware Scan Interface Bypass via PowerShell (elastic, high)
Potential Disabling of AppArmor (elastic, high)
Potential Disabling of SELinux (elastic, high)
Potential Evasion via Filter Manager (elastic, medium)
Potential Evasion via Windows Filtering Platform (elastic, medium)
Potential HTTP Downgrade Attack (elastic, low)
Potential NetNTLMv1 Downgrade Attack (elastic, medium)
Potential Privacy Control Bypass via TCCDB Modification (elastic, medium)
Potential RemoteMonologue Attack (elastic, medium)
Potential Suspicious Activity Using SeCEdit (sigma, medium)
Potential Windows Defender Tampering Via Wmic.EXE (sigma, high)
PowerShell Script Block Logging Disabled (elastic, medium)
PowerShell Script with Windows Defender Tampering Capabilities (elastic, medium)
Quarantine Attrib Removed by Unsigned or Untrusted Process (elastic, medium)
Remote Desktop Enabled in Windows Firewall by Netsh (elastic, medium)
Removal Of Index Value to Hide Schedule Task - Registry (sigma, medium)
Removal Of SD Value to Hide Schedule Task - Registry (sigma, medium)
Scheduled Tasks AT Command Enabled (elastic, medium)
SELinux Configuration Creation or Renaming (elastic, low)
Sensitive Audit Policy Sub-Category Disabled (elastic, medium)
SoftwareUpdate Preferences Modification (elastic, medium)
SolarWinds Process Disabling Services via Registry (elastic, medium)
Suspicious Antimalware Scan Interface DLL (elastic, high)
Suspicious Kernel Feature Activity (elastic, medium)
Suspicious Write Attempt to AppArmor Policy Management Files (elastic, medium)
Sysmon Application Crashed (sigma, high)
Sysmon Driver Unloaded Via Fltmc.EXE (sigma, high)
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (elastic, medium)
Unloading AMSI via Reflection (splunk_escu)
WDAC Policy File by an Unusual Process (elastic, high)
WFP Filter Added via Registry (sigma, medium)
Windows Defender Disabled via Registry Modification (elastic, low)
Windows Defender Exclusions Added - PowerShell (sigma, medium)
Windows Defender Exclusions Added via PowerShell (elastic, medium)
Windows Filtering Platform Blocked Connection From EDR Agent Binary (sigma, high)
Windows Firewall Disabled via PowerShell (elastic, medium)
Windows Firewall Disabled via PowerShell (sigma, medium)
Windows Increase in Group or Object Modification Activity (splunk_escu)
Windows Increase in User Modification Activity (splunk_escu)
Windows Outlook Dialogs Disabled from Unusual Process (splunk_escu)
Windows Registry Delete Task SD (splunk_escu)
Write Protect For Storage Disabled (sigma, medium)