T1562

Impair Defenses

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries may also impair routine operations that contribute to...

Platforms: Windows, IaaS, Linux, macOS, Containers, Network Devices, Identity Provider, Office Suite, ESXi

194 Detections, 4 Sources, 2 Threat Actors

BY SOURCE

elastic: 140, sigma: 27, splunk_escu: 18, kql: 9

PROCEDURES (95)

Auto-extracted detection groups:

General Monitoring: 14 detections
Api: 7 detections
Network Connection Monitoring: 7 detections
Cloud: 6 detections
Script Execution Monitoring: 4 detections
Cloud Monitoring: 4 detections
Powershell: 3 detections
Authentication Monitoring: 3 detections
Phish: 3 detections
Persist: 3 detections
Azure: 3 detections
Azure: 3 detections
Kernel: 3 detections
C2: 3 detections
Powershell: 2 detections
Registry: 2 detections
Process Creation Monitoring: 2 detections
Evasion: 2 detections
Aws: 2 detections
Exfiltrat: 2 detections
Service: 2 detections
Service Monitoring: 2 detections
Privilege: 2 detections
Credential: 2 detections
Remote: 2 detections
Encrypt: 2 detections
Service: 2 detections
Event Log: 2 detections
Kubernetes: 2 detections
Suspicious: 2 detections
Tamper: 2 detections
Container: 2 detections
Lateral: 2 detections
Dns: 2 detections
Download: 1 detection
Amsi: 1 detection
Kernel: 1 detection
Unusual: 1 detection
Script Block: 1 detection
Unusual: 1 detection
Lateral: 1 detection
Email: 1 detection
Amsi: 1 detection
Tamper: 1 detection
Unusual: 1 detection
Powershell: 1 detection
Powershell: 1 detection
Lateral: 1 detection
Tamper: 1 detection
Azure: 1 detection
Suspicious: 1 detection
Credential: 1 detection
Encrypt: 1 detection
Http: 1 detection
Remote: 1 detection
Kerbero: 1 detection
Powershell: 1 detection
Remote: 1 detection
Email: 1 detection
Registry: 1 detection
Tamper: 1 detection
Http: 1 detection
Tamper: 1 detection
Amsi: 1 detection
Kerbero: 1 detection
Privilege: 1 detection
Service: 1 detection
Lateral: 1 detection
Kernel: 1 detection
Email: 1 detection
Script Block: 1 detection
Attachment: 1 detection
Persist: 1 detection
C2: 1 detection
Privilege: 1 detection
Inject: 1 detection
Tamper: 1 detection
Privilege: 1 detection
Privilege: 1 detection
Persist: 1 detection
Service: 1 detection
Suspicious: 1 detection
Download: 1 detection
Inject: 1 detection
Bypass: 1 detection
Bypass: 1 detection
Cloud: 1 detection
Exfiltrat: 1 detection
Service: 1 detection
Service: 1 detection
Email Security: 1 detection
Attachment: 1 detection
Bypass: 1 detection
Amsi: 1 detection
Bypass: 1 detection

THREAT ACTORS (2)

DETECTIONS (194)

Advanced Feature Disabled (kql)
AppArmor Policy Interface Access (elastic, low)
AppArmor Policy Violation Detected (elastic, low)
AppArmor Profile Compilation via apparmor_parser (elastic, low)
Application Removed from Blocklist in Google Workspace (elastic, medium)
Attempt to Clear Kernel Ring Buffer (elastic, high)
Attempt to Clear Logs via Journalctl (elastic, medium)
Attempt to Deactivate an Okta Network Zone (elastic, medium)
Attempt to Deactivate an Okta Policy (elastic, low)
Attempt to Deactivate an Okta Policy Rule (elastic, medium)
Attempt to Delete an Okta Network Zone (elastic, medium)
Attempt to Delete an Okta Policy (elastic, medium)
Attempt to Delete an Okta Policy Rule (elastic, low)
Attempt to Disable Auditd Service (elastic, medium)
Attempt to Disable IPTables or Firewall (elastic, medium)
Attempt to Disable Syslog Service (elastic, medium)
Attempt to Modify an Okta Network Zone (elastic, medium)
Attempt to Modify an Okta Policy (elastic, low)
Attempt to Modify an Okta Policy Rule (elastic, low)
Attempt to Unload Elastic Endpoint Security Kernel Extension (elastic, high)
AWS CloudTrail Log Created (elastic, low)
AWS CloudTrail Log Deleted (elastic, medium)
AWS CloudTrail Log Evasion (elastic, medium)
AWS CloudTrail Log Suspended (elastic, medium)
AWS CloudTrail Log Updated (elastic, low)
AWS CloudWatch Alarm Deletion (elastic, medium)
AWS CloudWatch Log Group Deletion (elastic, medium)
AWS CloudWatch Log Stream Deletion (elastic, medium)
AWS Config Resource Deletion (elastic, medium)
AWS Configuration Recorder Stopped (elastic, high)
AWS EC2 Network Access Control List Creation (elastic, low)
AWS EC2 Network Access Control List Deletion (elastic, medium)
AWS EC2 Security Group Configuration Change (elastic, low)
AWS EC2 Serial Console Access Enabled (elastic, high)
AWS EKS Control Plane Logging Disabled (elastic, medium)
AWS EventBridge Rule Disabled or Deleted (elastic, low)
AWS GuardDuty Detector Deletion (elastic, high)
AWS GuardDuty Member Account Manipulation (elastic, medium)
AWS KMS Key Policy Updated via PutKeyPolicy (elastic, medium)
AWS Route 53 Domain Transfer Lock Disabled (elastic, high)
AWS Route 53 Resolver Query Log Configuration Deleted (elastic, medium)
AWS S3 Bucket Configuration Deletion (elastic, low)
AWS S3 Bucket Expiration Lifecycle Configuration Added (elastic, low)
AWS S3 Bucket Server Access Logging Disabled (elastic, medium)
AWS SecurityHub Findings Evasion (sigma, high)
AWS SQS Queue Purge (elastic, medium)
AWS VPC Flow Logs Deletion (elastic, high)
AWS WAF Access Control List Deletion (elastic, medium)
AWS WAF Rule or Rule Group Deletion (elastic, medium)
Azure AD Block User Consent For Risky Apps Disabled (splunk_escu)
Azure Diagnostic Settings Alert Suppression Rule Created or Modified (elastic, low)
Azure Diagnostic Settings Deleted (elastic, medium)
Azure Event Hub Deleted (elastic, medium)
Azure Kubernetes Events Deleted (sigma, medium)
Azure Kubernetes Services (AKS) Kubernetes Events Deleted (elastic, medium)
Azure Resource Group Deleted (elastic, medium)
Azure VNet Firewall Front Door WAF Policy Deleted (elastic, low)
Azure VNet Firewall Policy Deleted (elastic, low)
Azure VNet Network Watcher Deleted (elastic, medium)
BPF filter applied using TC (elastic, high)
BPF Program Tampering via bpftool (elastic, medium)
Cisco ASA - Core Syslog Message Volume Drop (splunk_escu)
Cisco ASA - Logging Disabled via CLI (splunk_escu)
Cisco ASA - Logging Filters Configuration Tampering (splunk_escu)
Clearing Windows Event Logs (elastic, low)
Decline in host-based traffic (elastic, low)
Defender AV Exclusion Events (kql)
Defender For Endpoint Offboarding Package Downloaded (kql)
Deprecated - M365 Exchange DLP Policy Deleted (elastic, medium)
Deprecated - M365 Teams External Access Enabled (elastic, medium)
Disable Or Stop Services (sigma, medium)
Disable Windows Event and Security Logs Using Built-in Tools (elastic, low)
Disable Windows Firewall Rules via Netsh (elastic, medium)
Disabling Lsa Protection via Registry Modification (elastic, high)
Disabling User Account Control via Registry Modification (elastic, medium)
Disabling Windows Defender Security Settings via PowerShell (elastic, medium)
DNS Global Query Block List Modified or Disabled (elastic, medium)
DNS-over-HTTPS Enabled via Registry (elastic, low)
Domain Added to Google Workspace Trusted Domains (elastic, high)
Elastic Agent Service Terminated (elastic, medium)
Elastic Defend Alert Followed by Telemetry Loss (elastic, high)
Enable Host Network Discovery via Netsh (elastic, medium)
ESXi Encryption Settings Modified (splunk_escu)
ESXi Lockdown Mode Disabled (splunk_escu)
ESXi Loghost Config Tampering (splunk_escu)
ESXi VIB Acceptance Level Tampering (splunk_escu)
ETW Logging Disabled For rpcrt4.dll (sigma, low)
ETW Logging Disabled For SCM (sigma, low)
ETW Logging Disabled In .NET Processes - Registry (sigma, high)
ETW Logging Disabled In .NET Processes - Sysmon Registry (sigma, high)
ETW Logging Tamper In .NET Processes Via CommandLine (sigma, high)
Filter Driver Unloaded Via Fltmc.EXE (sigma, medium)
FortiGate - Firewall Address Object Added (sigma, medium)
FortiGate - New Firewall Policy Added (sigma, medium)
FortiGate Overly Permissive Firewall Policy Created (elastic, high)
Gatekeeper Override and Execution (elastic, high)
GCP Firewall Rule Creation (elastic, low)
GCP Firewall Rule Deletion (elastic, medium)
GCP Firewall Rule Modification (elastic, medium)
GCP Logging Bucket Deletion (elastic, medium)
GCP Logging Sink Deletion (elastic, medium)
GCP Logging Sink Modification (elastic, low)
GCP Pub/Sub Subscription Deletion (elastic, low)
GCP Pub/Sub Topic Deletion (elastic, low)
GCP Virtual Private Cloud Network Deletion (elastic, medium)
GCP Virtual Private Cloud Route Creation (elastic, low)
GCP Virtual Private Cloud Route Deletion (elastic, medium)
GitHub App Deleted (elastic, low)
GitHub Protected Branch Settings Changed (elastic, medium)
GitHub Secret Scanning Disabled (elastic, low)
Google Cloud Firewall Modified or Deleted (sigma, medium)
Google Workspace Bitlocker Setting Disabled (elastic, medium)
Google Workspace Restrictions for Marketplace Modified to Allow Any App (elastic, medium)
HackTool - EDRSilencer Execution (sigma, high)
HackTool - EDRSilencer Execution - Filter Added (sigma, high)
Hide Schedule Task Via Index Value Tamper (sigma, high)
High Number of Process and/or Service Terminations (elastic, medium)
High Number of Process Terminations (elastic, medium)
IIS HTTP Logging Disabled (elastic, high)
Insecure AWS EC2 VPC Security Group Ingress Rule Added (elastic, medium)
Kerberos Pre-authentication Disabled for User (elastic, medium)
Kernel Module Removal (elastic, low)
Kill Command Execution (elastic, low)
Kubernetes Admission Webhook Created or Modified (elastic, medium)
Large Number of Analytics Rules Deleted (kql)
List Alert Supression Actions (kql)
Local Account TokenFilter Policy Disabled (elastic, medium)
M365 Copilot Agentic Jailbreak Attack (splunk_escu)
M365 Copilot Impersonation Jailbreak Attack (splunk_escu)
M365 Copilot Information Extraction Jailbreak Attack (splunk_escu)
M365 Copilot Non Compliant Devices Accessing M365 Copilot (splunk_escu)
M365 Exchange Anti-Phish Policy Deleted (elastic, medium)
M365 Exchange Anti-Phish Rule Modification (elastic, medium)
M365 Exchange DKIM Signing Configuration Disabled (elastic, medium)
M365 Exchange Email Safe Attachment Rule Disabled (elastic, low)
M365 Exchange Email Safe Link Policy Disabled (elastic, medium)
M365 Exchange Mail Flow Transport Rule Modified (elastic, medium)
M365 Exchange Mailbox Audit Logging Bypass Added (elastic, medium)
M365 Exchange Malware Filter Policy Deleted (elastic, medium)
M365 Exchange Malware Filter Rule Modified (elastic, medium)
M365 SharePoint Site Sharing Policy Weakened (elastic, medium)
M365 Teams Custom Application Interaction Enabled (elastic, medium)
Microsoft Windows Defender Tampering (elastic, medium)
Modification of AmsiEnable Registry Key (elastic, high)
Modification of Safari Settings via Defaults Command (elastic, medium)
Network-Level Authentication (NLA) Disabled (elastic, low)
O365 Block User Consent For Risky Apps Disabled (splunk_escu)
Potential Antimalware Scan Interface Bypass via PowerShell (elastic, high)
Potential Disabling of AppArmor (elastic, high)
Potential Disabling of SELinux (elastic, high)
Potential Evasion via Filter Manager (elastic, medium)
Potential Evasion via Windows Filtering Platform (elastic, medium)
Potential HTTP Downgrade Attack (elastic, low)
Potential Kerberos Encryption Downgrade (kql)
Potential NetNTLMv1 Downgrade Attack (elastic, medium)
Potential Privacy Control Bypass via TCCDB Modification (elastic, medium)
Potential RemoteMonologue Attack (elastic, medium)
Potential Suspicious Activity Using SeCEdit (sigma, medium)
Potential Windows Defender Tampering Via Wmic.EXE (sigma, high)
PowerShell Script Block Logging Disabled (elastic, medium)
PowerShell Script with Windows Defender Tampering Capabilities (elastic, medium)
Quarantine Attrib Removed by Unsigned or Untrusted Process (elastic, medium)
Remote Desktop Enabled in Windows Firewall by Netsh (elastic, medium)
Removal Of Index Value to Hide Schedule Task - Registry (sigma, medium)
Removal Of SD Value to Hide Schedule Task - Registry (sigma, medium)
Scheduled Tasks AT Command Enabled (elastic, medium)
SELinux Configuration Creation or Renaming (elastic, low)
Sensitive Audit Policy Sub-Category Disabled (elastic, medium)
Sentinel Workspace Disconnected (kql)
SoftwareUpdate Preferences Modification (elastic, medium)
SolarWinds Process Disabling Services via Registry (elastic, medium)
Suspicious Antimalware Scan Interface DLL (elastic, high)
Suspicious Kernel Feature Activity (elastic, medium)
Suspicious Write Attempt to AppArmor Policy Management Files (elastic, medium)
Sysmon Application Crashed (sigma, high)
Sysmon Driver Unloaded Via Fltmc.EXE (sigma, high)
Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (elastic, medium)
Terminate Linux Process Via Kill (sigma, medium)
TTP Detection Rule: Abusing PowerShell to disable Defender components (kql)
TTP Detection Rule: Suspicious network connection from MSBuild (kql)
Unloading AMSI via Reflection (splunk_escu)
WDAC Policy File by an Unusual Process (elastic, high)
WFP Filter Added via Registry (sigma, medium)
Windows Defender Disabled via Registry Modification (elastic, low)
Windows Defender Exclusions Added - PowerShell (sigma, medium)
Windows Defender Exclusions Added via PowerShell (elastic, medium)
Windows Filtering Platform Blocked Connection From EDR Agent Binary (sigma, high)
Windows Firewall Disabled via PowerShell (elastic, medium)
Windows Firewall Disabled via PowerShell (sigma, medium)
Windows Increase in Group or Object Modification Activity (splunk_escu)
Windows Increase in User Modification Activity (splunk_escu)
Windows Outlook Dialogs Disabled from Unusual Process (splunk_escu)
Windows Registry Delete Task SD (splunk_escu)
Write Protect For Storage Disabled (sigma, medium)