EXPLORE
← Back to Explore
T1562

Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to...

WindowsIaaSLinuxmacOSContainersNetwork DevicesIdentity ProviderOffice SuiteESXi
202
Detections
4
Sources
2
Threat Actors

BY SOURCE

148elastic27sigma18splunk_escu9kql

PROCEDURES (95)

General Monitoring14 detections

Auto-extracted: 14 detections for general monitoring

Network Connection Monitoring7 detections

Auto-extracted: 7 detections for network connection monitoring

Api6 detections

Auto-extracted: 6 detections for api

Cloud6 detections

Auto-extracted: 6 detections for cloud

Cloud Monitoring4 detections

Auto-extracted: 4 detections for cloud monitoring

Script Execution Monitoring4 detections

Auto-extracted: 4 detections for script execution monitoring

Azure3 detections

Auto-extracted: 3 detections for azure

Aws3 detections

Auto-extracted: 3 detections for aws

Container3 detections

Auto-extracted: 3 detections for container

Powershell3 detections

Auto-extracted: 3 detections for powershell

Service3 detections

Auto-extracted: 3 detections for service

Persist3 detections

Auto-extracted: 3 detections for persist

Azure3 detections

Auto-extracted: 3 detections for azure

C23 detections

Auto-extracted: 3 detections for c2

Evasion3 detections

Auto-extracted: 3 detections for evasion

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

Registry3 detections

Auto-extracted: 3 detections for registry

Phish3 detections

Auto-extracted: 3 detections for phish

Kernel3 detections

Auto-extracted: 3 detections for kernel

Dns2 detections

Auto-extracted: 2 detections for dns

Credential2 detections

Auto-extracted: 2 detections for credential

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Unusual2 detections

Auto-extracted: 2 detections for unusual

Encrypt2 detections

Auto-extracted: 2 detections for encrypt

Privilege2 detections

Auto-extracted: 2 detections for privilege

Tamper2 detections

Auto-extracted: 2 detections for tamper

Lateral2 detections

Auto-extracted: 2 detections for lateral

Service2 detections

Auto-extracted: 2 detections for service

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Event Log2 detections

Auto-extracted: 2 detections for event log

Service Monitoring2 detections

Auto-extracted: 2 detections for service monitoring

Powershell2 detections

Auto-extracted: 2 detections for powershell

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Email Security1 detections

Auto-extracted: 1 detections for email security

Attachment1 detections

Auto-extracted: 1 detections for attachment

Tamper1 detections

Auto-extracted: 1 detections for tamper

Amsi1 detections

Auto-extracted: 1 detections for amsi

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Bypass1 detections

Auto-extracted: 1 detections for bypass

Script Block1 detections

Auto-extracted: 1 detections for script block

Download1 detections

Auto-extracted: 1 detections for download

Remote1 detections

Auto-extracted: 1 detections for remote

Service1 detections

Auto-extracted: 1 detections for service

Email1 detections

Auto-extracted: 1 detections for email

Registry1 detections

Auto-extracted: 1 detections for registry

Attachment1 detections

Auto-extracted: 1 detections for attachment

C21 detections

Auto-extracted: 1 detections for c2

Persist1 detections

Auto-extracted: 1 detections for persist

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Inject1 detections

Auto-extracted: 1 detections for inject

Credential1 detections

Auto-extracted: 1 detections for credential

Token1 detections

Auto-extracted: 1 detections for token

Script Block1 detections

Auto-extracted: 1 detections for script block

Amsi1 detections

Auto-extracted: 1 detections for amsi

Http1 detections

Auto-extracted: 1 detections for http

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Kernel1 detections

Auto-extracted: 1 detections for kernel

Bypass1 detections

Auto-extracted: 1 detections for bypass

Email1 detections

Auto-extracted: 1 detections for email

Script Block1 detections

Auto-extracted: 1 detections for script block

Azure1 detections

Auto-extracted: 1 detections for azure

Kernel1 detections

Auto-extracted: 1 detections for kernel

Tamper1 detections

Auto-extracted: 1 detections for tamper

Lateral1 detections

Auto-extracted: 1 detections for lateral

Email1 detections

Auto-extracted: 1 detections for email

Amsi1 detections

Auto-extracted: 1 detections for amsi

Tamper1 detections

Auto-extracted: 1 detections for tamper

Unusual1 detections

Auto-extracted: 1 detections for unusual

Powershell1 detections

Auto-extracted: 1 detections for powershell

Powershell1 detections

Auto-extracted: 1 detections for powershell

Lateral1 detections

Auto-extracted: 1 detections for lateral

Token1 detections

Auto-extracted: 1 detections for token

Bypass1 detections

Auto-extracted: 1 detections for bypass

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Http1 detections

Auto-extracted: 1 detections for http

Tamper1 detections

Auto-extracted: 1 detections for tamper

Privilege1 detections

Auto-extracted: 1 detections for privilege

Privilege1 detections

Auto-extracted: 1 detections for privilege

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Download1 detections

Auto-extracted: 1 detections for download

Inject1 detections

Auto-extracted: 1 detections for inject

Bypass1 detections

Auto-extracted: 1 detections for bypass

Cloud1 detections

Auto-extracted: 1 detections for cloud

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Service1 detections

Auto-extracted: 1 detections for service

Inject1 detections

Auto-extracted: 1 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Encrypt1 detections

Auto-extracted: 1 detections for encrypt

Http1 detections

Auto-extracted: 1 detections for http

Remote1 detections

Auto-extracted: 1 detections for remote

THREAT ACTORS (2)

DETECTIONS (202)

Advanced Feature Disabled
kql
AppArmor Policy Interface Access
elasticlow
AppArmor Policy Violation Detected
elasticlow
AppArmor Profile Compilation via apparmor_parser
elasticlow
Application Removed from Blocklist in Google Workspace
elasticmedium
Attempt to Clear Kernel Ring Buffer
elastichigh
Attempt to Clear Logs via Journalctl
elasticmedium
Attempt to Deactivate an Okta Network Zone
elasticmedium
Attempt to Deactivate an Okta Policy
elasticlow
Attempt to Deactivate an Okta Policy Rule
elasticmedium
Attempt to Delete an Okta Network Zone
elasticmedium
Attempt to Delete an Okta Policy
elasticmedium
Attempt to Delete an Okta Policy Rule
elasticlow
Attempt to Disable Auditd Service
elasticmedium
Attempt to Disable IPTables or Firewall
elasticmedium
Attempt to Disable Syslog Service
elasticmedium
Attempt to Modify an Okta Network Zone
elasticmedium
Attempt to Modify an Okta Policy
elasticlow
Attempt to Modify an Okta Policy Rule
elasticlow
Attempt to Unload Elastic Endpoint Security Kernel Extension
elastichigh
AWS Backup Vault Deleted or Vault Lock Removed
elastichigh
AWS Bedrock API Key Used for Destructive or Anti-Recovery Action
elastichigh
AWS Bedrock Automated Reasoning Safety Policy Tampering
elasticmedium
AWS Bedrock Guardrail Deleted or Weakened
elasticmedium
AWS Bedrock Model Invocation Logging Disabled or Modified
elastichigh
AWS CloudTrail Log Created
elasticlow
AWS CloudTrail Log Deleted
elasticmedium
AWS CloudTrail Log Evasion
elasticmedium
AWS CloudTrail Log Suspended
elastichigh
AWS CloudTrail Log Updated
elastichigh
AWS CloudWatch Alarm Deletion
elasticmedium
AWS CloudWatch Log Group Deletion
elasticmedium
AWS CloudWatch Log Stream Deletion
elasticmedium
AWS Config Resource Deletion
elasticmedium
AWS Configuration Recorder Stopped
elastichigh
AWS EC2 Network Access Control List Creation
elasticlow
AWS EC2 Network Access Control List Deletion
elasticmedium
AWS EC2 Security Group Configuration Change
elasticlow
AWS EC2 Serial Console Access Enabled
elastichigh
AWS EKS Control Plane Logging Disabled
elastichigh
AWS EventBridge Rule Disabled or Deleted
elasticlow
AWS GuardDuty Detector Deletion
elastichigh
AWS GuardDuty Member Account Manipulation
elastichigh
AWS KMS Key Policy Updated via PutKeyPolicy
elasticmedium
AWS Route 53 Domain Transfer Lock Disabled
elastichigh
AWS Route 53 Resolver Query Log Configuration Deleted
elasticmedium
AWS S3 Bucket Configuration Deletion
elasticlow
AWS S3 Bucket Expiration Lifecycle Configuration Added
elasticlow
AWS S3 Bucket Server Access Logging Disabled
elastichigh
AWS SecurityHub Findings Evasion
sigmahigh
AWS SQS Queue Purge
elasticmedium
AWS VPC Flow Logs Deletion
elastichigh
AWS WAF Access Control List Deletion
elasticmedium
AWS WAF Rule or Rule Group Deletion
elasticmedium
Azure AD Block User Consent For Risky Apps Disabled
splunk_escu
Azure Diagnostic Settings Alert Suppression Rule Created or Modified
elasticlow
Azure Diagnostic Settings Deleted
elasticmedium
Azure Event Hub Deleted
elasticmedium
Azure Kubernetes Events Deleted
sigmamedium
Azure Kubernetes Services (AKS) Kubernetes Events Deleted
elasticmedium
Azure Resource Group Deleted
elasticmedium
Azure VNet Firewall Front Door WAF Policy Deleted
elasticlow
Azure VNet Firewall Policy Deleted
elasticlow
Azure VNet Network Watcher Deleted
elasticmedium
BPF filter applied using TC
elastichigh
BPF Program Tampering via bpftool
elasticmedium
Cisco ASA - Core Syslog Message Volume Drop
splunk_escu
Cisco ASA - Logging Disabled via CLI
splunk_escu
Cisco ASA - Logging Filters Configuration Tampering
splunk_escu
Clearing Windows Event Logs
elasticlow
Decline in host-based traffic
elasticlow
Defender AV Exclusion Events
kql
Defender For Endpoint Offboarding Package Downloaded
kql
Deprecated - M365 Exchange DLP Policy Deleted
elasticmedium
Deprecated - M365 Teams External Access Enabled
elasticmedium
Disable Or Stop Services
sigmamedium
Disable Windows Event and Security Logs Using Built-in Tools
elasticlow
Disable Windows Firewall Rules via Netsh
elasticmedium
Disabling Lsa Protection via Registry Modification
elastichigh
Disabling User Account Control via Registry Modification
elasticmedium
Disabling Windows Defender Security Settings via PowerShell
elasticmedium
DNS Global Query Block List Modified or Disabled
elasticmedium
DNS-over-HTTPS Enabled via Registry
elasticlow
Domain Added to Google Workspace Trusted Domains
elastichigh
Elastic Agent Service Terminated
elasticmedium
Elastic Defend Alert Followed by Telemetry Loss
elastichigh
Enable Host Network Discovery via Netsh
elasticmedium
ESXi Encryption Settings Modified
splunk_escu
ESXi Lockdown Mode Disabled
splunk_escu
ESXi Loghost Config Tampering
splunk_escu
ESXi VIB Acceptance Level Tampering
splunk_escu
ETW Logging Disabled For rpcrt4.dll
sigmalow
ETW Logging Disabled For SCM
sigmalow
ETW Logging Disabled In .NET Processes - Registry
sigmahigh
ETW Logging Disabled In .NET Processes - Sysmon Registry
sigmahigh
ETW Logging Tamper In .NET Processes Via CommandLine
sigmahigh
Filter Driver Unloaded Via Fltmc.EXE
sigmamedium
FortiGate - Firewall Address Object Added
sigmamedium
FortiGate - New Firewall Policy Added
sigmamedium
FortiGate Overly Permissive Firewall Policy Created
elastichigh
Gatekeeper Override and Execution
elastichigh
GCP Firewall Rule Creation
elasticlow
GCP Firewall Rule Deletion
elasticmedium
GCP Firewall Rule Modification
elasticmedium
GCP Logging Bucket Deletion
elasticmedium
GCP Logging Sink Deletion
elasticmedium
GCP Logging Sink Modification
elasticlow
GCP Pub/Sub Subscription Deletion
elasticlow
GCP Pub/Sub Topic Deletion
elasticlow
GCP Virtual Private Cloud Network Deletion
elasticmedium
GCP Virtual Private Cloud Route Creation
elasticlow
GCP Virtual Private Cloud Route Deletion
elasticmedium
GenAI CLI Started with Unsafe Permission Bypass
elasticmedium
GitHub App Deleted
elasticlow
GitHub Protected Branch Settings Changed
elasticmedium
GitHub Secret Scanning Disabled
elasticlow
GKE Admission Webhook Created or Modified
elasticmedium
Google Cloud Firewall Modified or Deleted
sigmamedium
Google Workspace Bitlocker Setting Disabled
elasticmedium
Google Workspace Restrictions for Marketplace Modified to Allow Any App
elasticmedium
HackTool - EDRSilencer Execution
sigmahigh
HackTool - EDRSilencer Execution - Filter Added
sigmahigh
Hide Schedule Task Via Index Value Tamper
sigmahigh
High Number of Process and/or Service Terminations
elasticmedium
High Number of Process Terminations
elasticmedium
IIS HTTP Logging Disabled
elastichigh
Insecure AWS EC2 VPC Security Group Ingress Rule Added
elasticmedium
Kerberos Pre-authentication Disabled for User
elasticmedium
Kernel Module Removal
elasticlow
Kill Command Execution
elasticlow
Kubernetes Admission Webhook Created or Modified
elasticmedium
Large Number of Analytics Rules Deleted
kql
List Alert Supression Actions
kql
Local Account TokenFilter Policy Disabled
elasticmedium
M365 Copilot Agentic Jailbreak Attack
splunk_escu
M365 Copilot Impersonation Jailbreak Attack
splunk_escu
M365 Copilot Information Extraction Jailbreak Attack
splunk_escu
M365 Copilot Non Compliant Devices Accessing M365 Copilot
splunk_escu
M365 Exchange Anti-Phish Policy Deleted
elasticmedium
M365 Exchange Anti-Phish Rule Modification
elasticmedium
M365 Exchange DKIM Signing Configuration Disabled
elasticmedium
M365 Exchange Email Safe Attachment Rule Disabled
elasticlow
M365 Exchange Email Safe Link Policy Disabled
elasticmedium
M365 Exchange Mail Flow Transport Rule Modified
elasticmedium
M365 Exchange Mailbox Audit Logging Bypass Added
elasticmedium
M365 Exchange Malware Filter Policy Deleted
elasticmedium
M365 Exchange Malware Filter Rule Modified
elasticmedium
M365 SharePoint Site Sharing Policy Weakened
elasticmedium
M365 Teams Custom Application Interaction Enabled
elasticmedium
Microsoft Windows Defender Tampering
elasticmedium
Modification of AmsiEnable Registry Key
elastichigh
Modification of Safari Settings via Defaults Command
elasticmedium
Network-Level Authentication (NLA) Disabled
elasticlow
O365 Block User Consent For Risky Apps Disabled
splunk_escu
Potential AMSI Bypass via RPC Runtime Hooking
elastichigh
Potential Antimalware Scan Interface Bypass via PowerShell
elastichigh
Potential Disabling of AppArmor
elastichigh
Potential Disabling of SELinux
elastichigh
Potential Evasion via Filter Manager
elasticmedium
Potential Evasion via Windows Filtering Platform
elasticmedium
Potential HTTP Downgrade Attack
elasticlow
Potential Kerberos Encryption Downgrade
kql
Potential NetNTLMv1 Downgrade Attack
elasticmedium
Potential Privacy Control Bypass via TCCDB Modification
elasticmedium
Potential RemoteMonologue Attack
elasticmedium
Potential Suspicious Activity Using SeCEdit
sigmamedium
Potential Windows Defender Tampering Via Wmic.EXE
sigmahigh
PowerShell Script Block Logging Disabled
elasticmedium
PowerShell Script with Windows Defender Tampering Capabilities
elasticmedium
Quarantine Attrib Removed by Unsigned or Untrusted Process
elasticmedium
Remote Desktop Enabled in Windows Firewall by Netsh
elasticmedium
Removal Of Index Value to Hide Schedule Task - Registry
sigmamedium
Removal Of SD Value to Hide Schedule Task - Registry
sigmamedium
Scheduled Tasks AT Command Enabled
elasticmedium
SELinux Configuration Creation or Renaming
elasticlow
Sensitive Audit Policy Sub-Category Disabled
elasticmedium
Sentinel Workspace Disconnected
kql
SoftwareUpdate Preferences Modification
elasticmedium
SolarWinds Process Disabling Services via Registry
elasticmedium
Suspicious Antimalware Scan Interface DLL
elastichigh
Suspicious Kernel Feature Activity
elasticmedium
Suspicious Write Attempt to AppArmor Policy Management Files
elasticmedium
Sysmon Application Crashed
sigmahigh
Sysmon Driver Unloaded Via Fltmc.EXE
sigmahigh
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners
elasticmedium
Terminate Linux Process Via Kill
sigmamedium
TTP Detection Rule: Abusing PowerShell to disable Defender components
kql
TTP Detection Rule: Suspicious network connection from MSBuild
kql
Unloading AMSI via Reflection
splunk_escu
WDAC Policy File by an Unusual Process
elastichigh
WFP Filter Added via Registry
sigmamedium
Windows Defender Disabled via Registry Modification
elasticlow
Windows Defender Exclusions Added - PowerShell
sigmamedium
Windows Defender Exclusions Added via PowerShell
elasticmedium
Windows Filtering Platform Blocked Connection From EDR Agent Binary
sigmahigh
Windows Firewall Disabled via PowerShell
elasticmedium
Windows Firewall Disabled via PowerShell
sigmamedium
Windows Increase in Group or Object Modification Activity
splunk_escu
Windows Increase in User Modification Activity
splunk_escu
Windows Outlook Dialogs Disabled from Unusual Process
splunk_escu