T1562 · Defense Evasion · medium difficulty

Impair Defenses

Impair Defenses (T1562) is a MITRE ATT&CK technique in the Defense Evasion tactic. SOC analysts detect it by monitoring XDR and SIEM events, behavioral anomalies, and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.


What is Impair Defenses?

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. Disabling or modifying security tools is a critical step in many attack chains because it reduces the attacker's exposure to detection and response. Common techniques include disabling Windows Defender and other antivirus products, modifying firewall rules, disabling audit logging, blocking security tool updates, and terminating endpoint security agent processes. In ransomware operations, disabling security tooling and backup services is typically performed immediately before deploying the ransomware payload to ensure maximum encryption of files before defenders can respond. The detection of defense impairment actions should be treated as a high-priority alert requiring immediate investigation.

Impair Defenses is documented as technique T1562 in the MITRE ATT&CK knowledge base under the Defense Evasion tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Impair Defenses activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

  1. Monitor Windows Defender configuration changes including real-time protection disabling, exclusion additions, and scan schedule modifications, alerting on changes made outside of authorized IT administration processes.

  2. Alert on processes terminating security tool processes including antivirus, EDR agents, and SIEM forwarders, particularly when the termination is performed using taskkill, process API calls, or by stopping associated services.

  3. Detect Windows Firewall rule modifications adding inbound allow rules or disabling the firewall entirely, as attackers frequently modify firewall configurations to allow their tools to communicate or to enable lateral movement.

  4. Monitor for registry modifications that disable security features including Windows Event Log forwarding, PowerShell ScriptBlock logging, and Protected Users security settings that limit credential caching.

  5. Implement out-of-band health monitoring for security tools that alerts on agents going offline unexpectedly, as agent silence may indicate successful defense impairment even when the impairment action itself was not directly observed.
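Strategies 1 and 2 above, and the first two example alerts below, are what a command-line based detection would key on. The following is an added example (not SOCSimulator's own detection content): it runs over constructed process-creation events, tags Defender real-time protection disablement and taskkill against security agent images (the image-name list is illustrative), and raises a separate burst alert when several distinct hosts disable Defender inside one sliding window, the pre-ransomware pattern the first alert describes. Host names, user names and timestamps are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (host, UTC time, user, command
# line), modelled on Sysmon EventID 1 / Security 4688 fields. Not real data.
EVENTS = [
    ("WS-0101", "2024-03-02T01:19:02", "CORP\\adm-backup",
     "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-0102", "2024-03-02T01:19:40", "CORP\\adm-backup",
     "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-0103", "2024-03-02T01:20:55", "CORP\\adm-backup",
     "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-0200", "2024-03-02T03:10:00", "CORP\\jdoe", "powershell.exe Get-MpPreference"),  # benign
    ("DB-PROD-07", "2024-03-02T01:23:11", "NT AUTHORITY\\SYSTEM", "taskkill.exe /F /IM MsMpEng.exe"),
]

# Defender real-time protection switched off from the command line.
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)
# taskkill against security agent images (illustrative list; tune to your estate).
AGENT_KILL = re.compile(
    r"\btaskkill(?:\.exe)?\b.*/IM\s+(MsMpEng|SenseIR|CSFalconService|Sysmon64?)\.exe", re.I)

def classify(cmdline):
    """Return a detection tag for one command line, or None if nothing matched."""
    if DEFENDER_DISABLE.search(cmdline):
        return "defender_rtp_disabled"
    if AGENT_KILL.search(cmdline):
        return "security_agent_killed"
    return None

def detect(events, min_hosts=3, window=timedelta(minutes=3)):
    """Per-event hits, plus one burst alert per group of >= min_hosts distinct
    hosts that disable Defender within a sliding window of length `window`."""
    hits = []
    for host, ts, user, cmd in events:
        tag = classify(cmd)
        if tag:
            hits.append({"host": host, "time": datetime.fromisoformat(ts),
                         "user": user, "tag": tag})
    rtp = sorted((h for h in hits if h["tag"] == "defender_rtp_disabled"),
                 key=lambda h: h["time"])
    bursts, start = [], 0
    for end in range(len(rtp)):
        while rtp[end]["time"] - rtp[start]["time"] > window:
            start += 1  # slide the window forward until it spans <= `window`
        hosts = sorted({h["host"] for h in rtp[start:end + 1]})
        if len(hosts) >= min_hosts and (not bursts or bursts[-1]["hosts"] != hosts):
            bursts.append({"hosts": hosts, "first": rtp[start]["time"],
                           "last": rtp[end]["time"]})
    return hits, bursts
```

The benign Get-MpPreference query produces no hit, and the three workstations fall inside one 3-minute window, so `detect(EVENTS)` returns four per-event hits and a single burst alert naming WS-0101 to WS-0103.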

Example Alerts

These realistic alert examples show what Impair Defenses looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Critical · XDR

Windows Defender Disabled via PowerShell

PowerShell command Set-MpPreference -DisableRealtimeMonitoring $true executed on 12 workstations within a 3-minute window. Simultaneous disabling of real-time protection across multiple systems is characteristic of pre-ransomware preparation scripts run from a compromised administrator account. Following the disablement, network traffic from these workstations shows connections to known ransomware distribution infrastructure.

Critical · SIEM

EDR Agent Process Terminated by Suspicious Process

Process monitoring detected taskkill.exe terminating the endpoint security agent service on server DB-PROD-07. The termination was performed by a script running under SYSTEM privileges obtained through a compromised service account. Loss of EDR visibility on a production database server is a critical security event requiring immediate out-of-band verification of server integrity and assessment of attacker activity on the system.

High · SIEM

Security Audit Log Forwarding Disabled

Log volume monitoring detected sudden cessation of Windows Event Log forwarding from 8 servers. Registry analysis shows the Windows Event Log subscription service was disabled on these hosts. The hosts stopped forwarding logs at 01:23 AM, 4 minutes after a suspicious authentication event. The gap in log collection creates a blind spot in security monitoring during the period most likely to contain evidence of attacker actions.
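Detection strategy 5 and the alert above both rest on log-source health rather than on observing the impairing action itself. The following added example (not SOCSimulator's own content) works from constructed per-host log-arrival records: it finds hosts whose forwarding has been silent longer than a threshold, then groups the silent hosts by the time they went quiet, because several hosts stopping within a couple of minutes of each other is what distinguishes deliberate impairment from ordinary forwarder drift. It also reports how many minutes after a given suspicious authentication the cessation began, as the alert does. Host names, the evaluation time and the authentication time are invented.

```python
from datetime import datetime, timedelta

# Constructed log-arrival records (host, UTC time an event batch was received
# from that host), as a forwarder health table would hold them. Not real data.
ARRIVALS = [
    ("SRV-01", "2024-03-02T01:05:00"), ("SRV-01", "2024-03-02T01:15:00"), ("SRV-01", "2024-03-02T01:23:00"),
    ("SRV-02", "2024-03-02T01:08:00"), ("SRV-02", "2024-03-02T01:18:00"), ("SRV-02", "2024-03-02T01:23:30"),
    ("SRV-03", "2024-03-02T01:02:00"), ("SRV-03", "2024-03-02T01:12:00"),  # quiet much earlier, unrelated
    ("SRV-04", "2024-03-02T01:20:00"), ("SRV-04", "2024-03-02T01:30:00"), ("SRV-04", "2024-03-02T01:40:00"),
]
# Constructed: when the rule is evaluated, and the suspicious authentication
# the analyst is pivoting from (the alert text puts it 4 minutes before the gap).
NOW = datetime.fromisoformat("2024-03-02T01:45:00")
SUSPICIOUS_AUTH = datetime.fromisoformat("2024-03-02T01:19:00")

def last_seen(arrivals):
    """Most recent arrival time per host."""
    seen = {}
    for host, ts in arrivals:
        t = datetime.fromisoformat(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen

def silent_hosts(arrivals, now, max_gap=timedelta(minutes=10)):
    """Hosts whose forwarding has been silent for longer than max_gap at `now`."""
    return {h: t for h, t in last_seen(arrivals).items() if now - t > max_gap}

def cessation_clusters(silent, auth_time, cluster=timedelta(minutes=2), min_hosts=2):
    """Group silent hosts whose last arrivals lie within `cluster` of each other;
    only groups of at least min_hosts are reported, with the offset from auth_time."""
    ordered = sorted(silent.items(), key=lambda kv: kv[1])
    clusters, current = [], []
    for host, t in ordered:
        if current and t - current[-1][1] > cluster:
            if len(current) >= min_hosts:
                clusters.append(current)
            current = []  # gap too large: start a new group
        current.append((host, t))
    if len(current) >= min_hosts:
        clusters.append(current)
    return [{"hosts": sorted(h for h, _ in c), "stopped_at": c[0][1],
             "minutes_after_auth": (c[0][1] - auth_time) / timedelta(minutes=1)}
            for c in clusters]
```

With the constructed data, SRV-01, SRV-02 and SRV-03 are all silent at 01:45, but only SRV-01 and SRV-02 stopped together (at 01:23, four minutes after the authentication), so a single two-host cluster is reported and SRV-03's earlier, unrelated silence is left to routine health monitoring.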

Practice Detecting Impair Defenses

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Impair Defenses. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Impair Defenses?
SOC analysts detect Impair Defenses (T1562) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring Windows Defender configuration changes, including real-time protection disabling, exclusion additions, and scan schedule modifications, and alerting on changes made outside of authorized IT administration processes. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Impair Defenses?
Impair Defenses can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the defense evasion phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Impair Defenses in real-world attacks?
Impair Defenses is a well-documented MITRE ATT&CK technique in the Defense Evasion tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Impair Defenses scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Impair Defenses for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Defense Evasion techniques like Impair Defenses. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.