Impair Defenses T1562

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Events covered

35 catalog events are tagged with this technique by at least one rule.

| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 5 | Process terminated |
| Sysmon | Event ID 12 | RegistryEvent (Object create and delete) |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename) |
| Security-Auditing | Event ID 4624 | An account was successfully logged on. |
| Security-Auditing | Event ID 4656 | A handle to an object was requested. |
| Security-Auditing | Event ID 4657 | A registry value was modified. |
| Security-Auditing | Event ID 4660 | An object was deleted. |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
| Security-Auditing | Event ID 4670 | Permissions on an object were changed. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4689 | A process has exited. |
| Security-Auditing | Event ID 4719 | System audit policy was changed. |
| Security-Auditing | Event ID 4738 | A user account was changed. |
| Security-Auditing | Event ID 4950 | A Windows Firewall setting has changed. |
| Security-Auditing | Event ID 5123 | A configuration entry changed in the OCSP Responder Service. |
| Security-Auditing | Event ID 5152 | The Windows Filtering Platform blocked a packet. |
| Security-Auditing | Event ID 5157 | The Windows Filtering Platform has blocked a connection. |
| Security-Auditing | Event ID 5447 | A Windows Filtering Platform filter has been changed. |
| Security-Auditing | Event ID 5448 | A Windows Filtering Platform provider has been changed. |
| Defender-DeviceProcessEvents | any | Process activity (any) |
| Defender-DeviceRegistryEvents | any | Registry activity (any) |
| Defender-DeviceRegistryEvents | RegistryKeyDeleted | Registry key deleted |
| Defender-DeviceRegistryEvents | RegistryValueSet | Registry value set |
| Defender-DeviceRegistryEvents | RegistryValueDeleted | Registry value deleted |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Windows-Defender | Event ID 3002 | ProductName Real-Time Protection feature has encountered an error and failed. |
| Windows-Defender | Event ID 5007 | Product Name Configuration has changed. |
| Windows-Firewall-With-Advanced-Security | Event ID 2003 | A Windows Defender Firewall setting in the Profiles profile has changed. |
| Windows-Firewall-With-Advanced-Security | Event ID 2004 | A rule has been added to the Windows Defender Firewall exception list. |
| Windows-Firewall-With-Advanced-Security | Event ID 2005 | A rule has been modified in the Windows Defender Firewall exception list. |
| PowerShell | Event ID 800 | Event ID 800 |

Authoring guide

Patterns shared across the 92 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (48 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| EventID | 23 | eq 23 | 4688, 4104, 1, 4103, 4656 |
| event.type | 22 | eq 21, in 1 | change, start, creation |
| CommandLine | 19 | contains 18, starts_with 2, regex_match 1 | advfirewall, firewall, -enc, a, d |
| Details | 19 | eq 14, contains 4, in 2 | 0x00000000, 0x00000001, 0, 1, 0x00000004 |
| process_name | 17 | eq 11, match 3, in 1, regex_match 1, wildcard 1 | powershell.exe, powershell_ise.exe, pwsh.exe, (?i)cmd\|powershell\|netsh\|net1?\|sc.exe\|reg.exe, netsh.exe |
| registry_value_name | 12 | eq 12 | AmsiEnable, ConsentPromptBehaviorAdmin, DisableAntiSpyware, DisableBehaviorMonitoring, DisableBlockAtFirstSeen |
| TargetObject | 11 | wildcard 6, ends_with 4, eq 1, starts_with 1 | *\system\*controlset*\control\lsa\runasppl, *\system\*controlset*\services\*\start, \registry\machine\*\localaccounttokenfilterpolicy, \registry\machine\software\policies\microsoft\windows..., \registry\machine\system\*controlset*\control\terminal... |
| process.args | 10 | eq 7, contains 2, wildcard 2, starts_with 1 | advfirewall, firewall, -Disable*, -Exclusion*, -all |
| EventData | 9 | contains 9 | add-mppreference, set-mppreference, /deny=s-1-5-18, /deny=system, /grant=s-1-5-18=r |
| EventType | 8 | eq 3, ne 3, in 2 | RegistryValueSet, deletion, RegistryKeyCreated, SetValue, windows-firewall-packet-block |
| Image | 8 | ends_with 7, eq 1, regex_match 1 | \netsh.exe, \\reg\.exe$, \auditpol.exe, \reg.exe, \sc.exe |
| OriginalFileName | 7 | in 5, eq 4 | powershell.exe, powershell_ise.exe, pwsh.dll, appcmd.exe, auditpol.exe |
| Payload | 6 | contains 6 | add-mppreference, 22, action, allow, disablearchivescanning |
| ScriptBlockText | 6 | contains 6 | add-mppreference, 22, action, allow, disablearchivescanning |
| Type | 5 | eq 5 | |

Top indicator values (793 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | change | 11 | 46 |
| event.type | eq | start | 10 | 241 |
| EventID | eq | 4688 | 9 | 312 |
| EventID | eq | 4104 | 6 | 268 |
| EventID | eq | 1 | 3 | 232 |
| EventID | eq | 4103 | 3 | 105 |
| EventID | eq | 4656 | 3 | 19 |
| Details | eq | 0 | 6 | 12 |
| Details | eq | 0x00000000 | 6 | 43 |
| Details | eq | 1 | 6 | 12 |
| Details | eq | 0x00000001 | 5 | 63 |
| EventData | contains | set-mppreference | 5 | 5 |
| EventData | contains | add-mppreference | 4 | 4 |
| OriginalFileName | in | powershell.exe | 5 | 17 |
| OriginalFileName | in | powershell_ise.exe | 5 | 9 |
| OriginalFileName | in | pwsh.dll | 5 | 10 |
| process_name | eq | powershell.exe | 5 | 99 |
| process_name | eq | powershell_ise.exe | 5 | 50 |
| process_name | eq | pwsh.exe | 5 | 60 |
| process_name | eq | netsh.exe | 3 | 18 |
| CommandLine | contains | netsh | 4 | 9 |
| CommandLine | contains | advfirewall | 3 | 7 |
| CommandLine | contains | firewall | 3 | 13 |
| CommandLine | contains | -exclusionpath | 2 | 2 |
| CommandLine | contains | disable | 2 | 7 |
| CommandLine | contains | set | 2 | 11 |
| EventType | ne | deletion | 3 | 5 |
| Image | ends_with | \netsh.exe | 3 | 29 |
| dc_process | ge | 1 | 3 | 3 |
| process_name | match | (?i)cmd\|powershell\|netsh\|net1?\|sc.exe\|reg.exe | 3 | 3 |

Exclusions (58 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| user.id | eq | S-1-5-18 | 3 |
| Image | wildcard | ?:\windows\system32\deviceenroller.exe | 2 |
| Image | wildcard | ?:\windows\system32\svchost.exe | 2 |
| Image | wildcard | \device\harddiskvolume*\windows\system32\deviceenroller.exe | 2 |
| Image | wildcard | \device\harddiskvolume*\windows\system32\svchost.exe | 2 |
| Details | eq | 0x00000001 | 1 |
| Details | eq | 0x00000002 | 1 |
| Details | eq | 1 | 1 |
| Details | eq | 2 | 1 |
| Esql.winlog_AuditPolicyChangesDescription_values | contains | success added | 1 |
| Image | eq | ?:\program files (x86)\trend micro\security agent\ntrmv.exe | 1 |
| Image | eq | ?:\windows\system32\securityhealthservice.exe | 1 |
| Image | eq | ?:\windows\system32\services.exe | 1 |
| Image | eq | ?:\windows\system32\svchost.exe | 1 |
| Image | eq | c:\program files (x86)\teamviewer\teamviewer.exe | 1 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's entry carries its full predicates, exclusions, and indicators.

Sigma 28 rules

Elastic 28 rules

Splunk 23 rules

Kusto 12 rules

YARA-L 1 rule