Disable or Modify Tools T1685

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Events covered

42 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 10 | ProcessAccess
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 17 | PipeEvent (Pipe Created)
Sysmon | Event ID 18 | PipeEvent (Pipe Connected)
Security-Auditing | Event ID 4656 | A handle to an object was requested.
Security-Auditing | Event ID 4657 | A registry value was modified.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4673 | A privileged service was called.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 4719 | System audit policy was changed.
Security-Auditing | Event ID 4720 | A user account was created.
Security-Auditing | Event ID 4738 | A user account was changed.
Security-Auditing | Event ID 5136 | A directory service object was modified.
Security-Auditing | Event ID 5157 | The Windows Filtering Platform has blocked a connection.
Security-Auditing | Event ID 5441 | The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
Security-Auditing | Event ID 5447 | A Windows Filtering Platform filter has been changed.
Application-Error | Event ID 1000 | Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name.
Application-Popup | Event ID 26 | Application popup: Caption : Message.
Eventlog | Event ID 104 | The LogFileCleared.Channel log file was cleared.
Eventlog | Event ID 1100 | The event logging service has shut down.
Eventlog | Event ID 1102 | The audit log was cleared.
IIS-Configuration | Event ID 29 | Changes to 'Configuration' at 'ConfigPath' have successfully been committed.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender | Event ID 1009 | ProductName has restored an item from quarantine.
Windows-Defender | Event ID 1119 | ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.
Windows-Defender | Event ID 3002 | ProductName Real-Time Protection feature has encountered an error and failed.
Windows-Defender | Event ID 3007 | ProductName Real-time Protection feature has restarted.
Windows-Defender | Event ID 5001 | Product Name Real-time Protection scanning for malware and other potentially unwanted software was disabled.
Windows-Defender | Event ID 5007 | Product Name Configuration has changed.
Windows-Defender | Event ID 5010 | ProductName scanning for spyware and other potentially unwanted software is disabled.
Windows-Defender | Event ID 5012 | ProductName scanning for viruses is disabled.
Windows-Defender | Event ID 5013 | Tamper Protection Changed Type a change to Product Name.
Windows-Defender | Event ID 5101 | {Product Name} grace period has expired.
PowerShell | Event ID 600 | Event ID 600
Service-Control-Manager | Event ID 7036 | The Microsoft Software Shadow Copy Provider service entered the stopped state.
Service-Control-Manager | Event ID 7040 | The start type of the msdsm service was changed from boot start to demand start.
Windows-Error-Reporting | Event ID 1001 | Fault bucket , type.

Authoring guide

Patterns shared across the 274 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (62 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 92 | contains 85, in 14, ends_with 3, match 3 | add , add , delete , /set, delete
Details | 91 | eq 74, is_not_null 23, contains 11, in 4, ends_with 1 | 0x00000000, 0x00000001, DWORD (0x00000000), DWORD (0x00000001), 0
Image | 63 | ends_with 58, contains 8, starts_with 7, eq 5, is_null 1 | \powershell.exe, \pwsh.exe, \reg.exe, \powershell_ise.exe, :\perflogs\
registry_path | 56 | ends_with 34, contains 20, in 3 | \\microsoft\\windows defender\\spynet, \\policies\\microsoft\\windows defender, *SecurityHealthService*, *WdBoot*, *WdFilter*
OriginalFileName | 51 | eq 51 | powershell.exe, pwsh.dll, reg.exe, auditpol.exe, powershell_ise.exe
TargetObject | 46 | contains 26, ends_with 26, eq 4 | \software\microsoft\windows..., \control\keyboard layouts\, \deviceguard\enablevirtualizationbasedsecurity, \deviceguard\lsacfgflags, \microsoft\windows\currentversion\winevt\channels\
process_name | 32 | eq 31, ends_with 2, starts_with 1 | auditpol.exe, sfc.exe, wevtutil.exe, powershell.exe, powershell_ise.exe
EventID | 17 | eq 15, in 2 | 4104, 4719, 5136, 7040, 10
registry_value_name | 17 | eq 15, in 2 | DisableAntiSpyware, Start, COMPlus_ETWEnabled, ChannelAccess, CustomSD
ScriptBlockText | 13 | contains 12, match 2, in 1 | -exclusionextension , -exclusionipaddress , -exclusionpath , -xmlpolicy , #<null>
Channel | 12 | eq 12, in 10 | 
eventtype | 10 | eq 10 | 
Provider_Name | 7 | eq 7 | Microsoft-Windows-Eventlog, Application Error, Application Popup, Security, Service Control Manager
EventType | 6 | eq 6 | deleted, CreateKey, DeleteValue, modified
CallTrace | 5 | contains 3, eq 1, regex_match 1 | Ente, \dbgcore.dll, \dbghelp.dll, ^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Wi..., dbgcore.dll

Top indicator values (1705 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
Details | eq | 0x00000000 | 21 | 43
Details | eq | 0x00000001 | 20 | 63
Details | eq | DWORD (0x00000000) | 18 | 40
Details | eq | DWORD (0x00000001) | 8 | 42
Image | ends_with | \powershell.exe | 14 | 186
Image | ends_with | \pwsh.exe | 12 | 172
Image | ends_with | \reg.exe | 12 | 60
Image | ends_with | \powershell_ise.exe | 6 | 42
Image | ends_with | \msmpeng.exe | 5 | 18
Image | ends_with | \wmic.exe | 4 | 61
OriginalFileName | eq | powershell.exe | 14 | 121
OriginalFileName | eq | pwsh.dll | 13 | 112
OriginalFileName | eq | reg.exe | 13 | 42
OriginalFileName | eq | auditpol.exe | 9 | 10
OriginalFileName | eq | powershell_ise.exe | 5 | 51
OriginalFileName | eq | sc.exe | 4 | 26
OriginalFileName | eq | wmic.exe | 4 | 61
process_name | eq | auditpol.exe | 8 | 10
CommandLine | contains | add | 5 | 11
CommandLine | contains | delete | 5 | 22
CommandLine | contains | /set | 4 | 6
CommandLine | contains | add-mppreference | 4 | 4
CommandLine | contains | disable | 4 | 7
CommandLine | contains | set-mppreference | 4 | 4
CommandLine | contains | si | 4 | 5
CommandLine | contains | add | 3 | 15
CommandLine | contains | delete | 3 | 5
CommandLine | contains | 0 | 3 | 4
EventID | eq | 4104 | 5 | 268
TargetObject | contains | \software\microsoft\windows nt\currentversion\schedule\taskcache\tree\ | 4 | 4

Exclusions (167 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
CommandLine | contains | /? | 4
Image | ends_with | \msmpeng.exe | 4
Image | ends_with | \tiworker.exe | 2
Image | in | *:\\windows\\system32\\* | 3
Image | in | *:\\windows\\syswow64\\* | 3
Image | in | :\\windows\\winsxs\\* | 3
Image | starts_with | c:\programdata\microsoft\windows defender\platform\ | 3
Image | starts_with | c:\program files (x86)\windows defender\ | 2
Image | starts_with | c:\program files\windows defender\ | 2
Image | starts_with | c:\windows\winsxs\ | 2
CommandLine | in | */?* | 2
Image | eq | c:\windows\servicing\trustedinstaller.exe | 2
Image | eq | c:\windows\system32\svchost.exe | 2
Image | eq | c:\windows\system32\wevtutil.exe | 2
CallTrace | contains | microsoft.build.ni.dll | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 167 rules

Splunk 107 rules