Impair Defenses T1562
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Events covered
35 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 92 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (48 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (793 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (58 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule has its own full predicates, exclusions, and indicators.
Sigma 28 rules
- Audit policy disabled by command line
- Audit policy disabled by command line
- Event log deactivation or size reduction (command)
- Firewall deactivation (deprecated command)
- Firewall deactivation (firewall)
- Firewall deactivation (modern command)
- Firewall deactivation (PowerShell)
- Firewall rule added using PowerShell or CMD
- Firewall rule any/any created
- Firewall rule creation (command)
- Microsoft Defender critical security components disabled (command)
- Microsoft Defender critical security components disabled (PowerShell)
- Microsoft Defender default action changed to allow any threat (command)
- Microsoft Defender default action changed to allow any threat (PowerShell)
- Microsoft Defender real time protection failure (native)
- Microsoft Defender security components disabled (command)
- Microsoft Defender security components disabled (PowerShell)
- Microsoft Defender service components status disabled (Registry via Sysmon)
- Microsoft Defender service deactivation attempt (command)
- Microsoft Defender threat exclusion added (native)
- Microsoft Defender threat exclusion added (PowerShell)
- NTLM downgrade attack (Reg via SYSMON)
- OCSP responder auditing settings changed or disabled
- OpenSSH server firewall configuration on Windows (command)
- OpenSSH server firewall configuration on Windows (firewall)
- OpenSSH server firewall configuration on Windows (PowerShell)
- Wdigest authentication enabled (Reg via command)
- Wdigest authentication enabled (registry)
Elastic 28 rules
- Clearing Windows Event Logs
- Disable Windows Event and Security Logs Using Built-in Tools
- Disable Windows Firewall Rules via Netsh
- Disabling Lsa Protection via Registry Modification
- Disabling User Account Control via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
- DNS Global Query Block List Modified or Disabled
- DNS-over-HTTPS Enabled via Registry
- Enable Host Network Discovery via Netsh
- IIS HTTP Logging Disabled
- Kerberos Pre-authentication Disabled for User
- Local Account TokenFilter Policy Disabled
- Microsoft Windows Defender Tampering
- Modification of AmsiEnable Registry Key
- Network-Level Authentication (NLA) Disabled
- Potential Evasion via Filter Manager
- Potential Evasion via Windows Filtering Platform
- Potential NetNTLMv1 Downgrade Attack
- Potential RemoteMonologue Attack
- PowerShell Script Block Logging Disabled
- Remote Desktop Enabled in Windows Firewall by Netsh
- Scheduled Tasks AT Command Enabled
- Sensitive Audit Policy Sub-Category Disabled
- Service Disabled via Registry Modification
- SolarWinds Process Disabling Services via Registry
- Windows Defender Disabled via Registry Modification
- Windows Defender Exclusions Added via PowerShell
- Windows Firewall Disabled via PowerShell
Splunk 23 rules
- Defender Registry Values Modified (Sysmon)
- Defender Registry Values Modified (Windows Event Log)
- ETW Trace Provider Modified - PowerShell (PowerShell)
- Modify Windows Defender (EDR)
- Modify Windows Defender (PowerShell)
- Modify Windows Defender (Sysmon)
- Modify Windows Defender (Windows Event Log)
- Service Stop Commands (PowerShell)
- Service Stop Commands (Sysmon)
- Service Stop Commands (Windows Event Log)
- WFP Blocked Connection from EDR Agent (Windows Event Log)
- WFP Filter and Provider Changed (Windows Event Log)
- Windows - Service Stop (PowerShell)
- Windows - Service Stop (Windows Event Log)
- Windows Defender Disabled Detection (EDR)
- Windows Defender Disabled Detection (PowerShell)
- Windows Defender Disabled Detection (Sysmon)
- Windows Defender Disabled Detection (Windows Event Log)
- Windows Firewall Disabled (PowerShell)
- Windows Firewall Disabled (Sysmon)
- Windows Firewall Disabled (Windows Event Log)
- Windows Firewall Rule Creation (PowerShell)
- Windows Firewall Rule Creation (Windows Event Log)
Kusto 12 rules
- Detect Windows Allow Firewall Rule Addition/Modification
- Detect Windows Update Disabled from Registry
- Dev-0270 Malicious Powershell usage
- Disable or Modify Windows Defender
- Disabling Security Services via Registry
- Doppelpaymer Stop Services
- Imminent Ransomware
- MosaicLoader
- Scheduled Task Hide
- Security Service Registry ACL Modification
- Starting or Stopping HealthService to Avoid Detection
- Stopping multiple processes using taskkill