detection.wiki

ATT&CK coverage › Technique

Impair Defenses: Disable or Modify Tools T1562.001

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.

Events covered

34 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon7Image loaded
Sysmon10ProcessAccess
Sysmon11FileCreate
Sysmon12RegistryEvent (Object create and delete)
Sysmon13RegistryEvent (Value Set)
Sysmon14RegistryEvent (Key and Value Rename)
Security-Auditing4624An account was successfully logged on.
Security-Auditing4656A handle to an object was requested.
Security-Auditing4657A registry value was modified.
Security-Auditing4663An attempt was made to access an object.
Security-Auditing4673A privileged service was called.
Security-Auditing4688A new process has been created.
Security-Auditing4719System audit policy was changed.
Security-Auditing4738A user account was changed.
Security-Auditing5136A directory service object was modified.
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Application-Error1000Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Defender-DeviceProcessEvents9001000Process activity (any)
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender1009ProductName has restored an item from quarantine.
Windows-Defender3002ProductName Real-Time Protection feature has encountered an error and failed.
Windows-Defender3007ProductName Real-time Protection feature has restarted.
Windows-Defender5001Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled.
Windows-Defender5007Product Name Configuration has changed.
Windows-Defender5010ProductName scanning for spyware and other potentially unwanted software is disabled.
Windows-Defender5012ProductName scanning for viruses is disabled.
Windows-Defender5013Tamper Protection Changed Type a change to Product Name.
Windows-Defender5101{Product Name} grace period has expired.
PowerShell600
Service-Control-Manager7036The Microsoft Software Shadow Copy Provider service entered the stopped state.
Service-Control-Manager7040The start type of the msdsm service was changed from boot start to demand start.
Windows-Error-Reporting1001Fault bucket , type.

Authoring guide

Patterns shared across the 171 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (47 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Details74eq 64, is_not_null 19, match 6, in 3, ends_with 1"0x00000001", "0x00000000", DWORD (0x00000000), DWORD (0x00000001), 0x00000001
registry_path49eq 48, in 2"*\\Microsoft\\Windows Defender\\SpyNet*", "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable", "*\\Policies\\Microsoft\\Windows Defender*", "*Microsoft\\Windows Defender\\Reporting*", "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*"
CommandLine44match 43, in 1, eq 1\SYSTEM\CurrentControlSet\Control\SafeBoot, add, si , Set-ItemProperty , Set-MpPreference
Image40ends_with 36, match 6, starts_with 4, eq 1\reg.exe, \powershell.exe, \pwsh.exe, C:\ProgramData\Microsoft\Windows Defender\Platform\, \MsMpEng.exe
TargetObject30ends_with 18, match 17, eq 1Ime File, \Control\Keyboard Layouts\, \Lsa\LsaCfgFlags, \DeviceGuard\LsaCfgFlags, \Software\Microsoft\Windows Script\Settings\AmsiEnable
OriginalFileName25eq 25reg.exe, PowerShell.EXE, pwsh.dll, sc.exe, RstrtMgr.dll
EventID11eq 114104, 4719, 5136, 7040, 4656
registry_value_name11eq 9, in 2"DisableAntiSpyware", "DisableAntiVirus", DisableBlockAtFirstSeen, DisableEnhancedNotifications, MpEnablePus
ScriptBlockText8match 5, eq 3[Ref].Assembly.GetType, NonPublic,Static, SetValue($null,$true), Windows-Defender-Features, -Online
EventType4eq 4deleted, windows-firewall-packet-drop, windows-firewall-packet-block, DeleteValue
ObjectName4match 3, eq 1, is_not_null 1\Microsoft\Windows Defender\Exclusions\, HealthService, \Control\Lsa, \REGISTRY\MACHINE\SYSTEM, ControlSet
CallTrace3match 2, regex_match 1^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Wi..., \dbgcore.dll, \dbghelp.dll, dbghelp.dll, dbgcore.dll
Description3eq 3System activity monitor, Stracciatella
ImageLoaded3ends_with 3\RstrtMgr.dll, \dbgcore.dll, \dbghelp.dll
Data3match 3MsMpEng.exe, mpengine.dll, -DisableRealtimeMonitoring 1, Set-MpPreference, -DisableIOAVProtection $true

Top indicator values (1404 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
Detailseq"0x00000000"1727
Detailseq"0x00000001"1742
DetailseqDWORD (0x00000000)1338
OriginalFileNameeqreg.exe1129
Imageends_with\reg.exe1046
Imageends_with\powershell.exe10143
OriginalFileNameeqPowerShell.EXE964
Imageends_with\pwsh.exe8140
OriginalFileNameeqpwsh.dll872
DetailseqDWORD (0x00000001)737
CommandLinematchdelete37
Imageends_with\sc.exe317
OriginalFileNameeqsc.exe310
CommandLinematchadd316
CommandLinematchsi 34
CommandLinematchadd 39
CommandLinematchSet-ItemProperty 33
CommandLinematchNew-ItemProperty 33
Imagematch:\Users\Public\314
Imagematch:\Perflogs\37

Common exclusions (1 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
old_dneqnew_dn1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 107 rules

Elastic 1 rule

Splunk 61 rules

Kusto Query Language 2 rules