MITRE ATT&CK · TA0005 Defense Evasion

T1562 Impair Defenses

Detection coverage in DCV across AWS, Azure and GCP for Impair Defenses, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1562?

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.

Platforms: Windows, IaaS, Linux, macOS, Containers, Network Devices, Identity Provider, Office Suite, ESXi.

02 Coverage in DCV

DCV maps 18 detections across 3 cloud providers to T1562. Coverage by source:

Source                         Cloud   Findings mapped   Avg confidence
AWS Security Hub               AWS     9                 0.86
AWS GuardDuty                  AWS     6                 0.86
GCP Chronicle                  GCP     1                 0.90
GCP Security Command Center    GCP     1                 0.90
Microsoft Defender for Cloud   Azure   1                 0.85

03 Detect with CloudSigma

CloudSigma ships 3 production-ready Sigma rules that detect T1562 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.

Example: AWS Impair Defenses - Logging and Security Service Disruption

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma 2026-02-06
title: AWS Impair Defenses - Logging and Security Service Disruption
id: f9c5d3a4-6b7c-4e8f-1a2b-3c4d5e6f7a8b
status: experimental
description: >
    Detects attempts to disable or delete AWS CloudTrail logging, GuardDuty, or
    related security services. Adversaries impair defenses to avoid detection
    of their activities within the cloud environment.
author: CloudSigma
date: 2026-02-06
references:
    - https://attack.mitre.org/techniques/T1562/
    - https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html
tags:
    - attack.defense-evasion
    - attack.t1562
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_cloudtrail:
        eventSource: 'cloudtrail.amazonaws.com'
        eventName:
            - 'StopLogging'
            - 'DeleteTrail'
            - 'UpdateTrail'
    selection_guardduty:
        eventSource: 'guardduty.amazonaws.com'
        eventName:
            - 'DeleteDetector'
            - 'DisableOrganizationAdminAccount'
    condition: 1 of selection_*
falsepositives:
    - Authorized security team reconfiguring logging infrastructure
    - Trail migration or consolidation activities
level: high
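To show what the rule's selection logic actually does once it is compiled for a SIEM, here is an added Python example that evaluates the same field matches over constructed CloudTrail records. It is not CloudSigma's code and not a Sigma backend; the allowlisted role ARN, the sample records and the suppression step are assumptions standing in for the falsepositives tuning the note above recommends. It also includes one record (an AWS Config StopConfigurationRecorder call) that the rule as written does not cover, so the reader can see the boundary of its coverage.

```python
"""Evaluate the T1562 Sigma rule's selection logic over constructed CloudTrail records."""
import json

# Selection logic transcribed from the Sigma rule above. Within a selection,
# list values for one field are OR-ed and distinct fields are AND-ed; the
# condition '1 of selection_*' then ORs the selections together.
SELECTIONS = {
    "selection_cloudtrail": {
        "eventSource": {"cloudtrail.amazonaws.com"},
        "eventName": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    },
    "selection_guardduty": {
        "eventSource": {"guardduty.amazonaws.com"},
        "eventName": {"DeleteDetector", "DisableOrganizationAdminAccount"},
    },
}

# Assumed tuning knob, not part of the rule: principal ARNs whose changes count
# as the "authorized security team reconfiguring logging" false positive.
ALLOWLISTED_PRINCIPALS = {
    "arn:aws:iam::111111111111:role/ExampleLoggingAutomation",  # placeholder ARN
}


def matches_selection(event, selection):
    """True when every field in the selection holds one of its allowed values."""
    return all(event.get(field) in allowed for field, allowed in selection.items())


def evaluate(event):
    """Return the names of the selections an event matches (empty = no match)."""
    return [name for name, sel in SELECTIONS.items() if matches_selection(event, sel)]


def triage(event):
    """Apply the rule, then the assumed allowlist. None means the rule did not fire."""
    hits = evaluate(event)
    if not hits:
        return None
    principal = event.get("userIdentity", {}).get("arn", "")
    suppressed = principal in ALLOWLISTED_PRINCIPALS
    return {
        "level": "info" if suppressed else "high",  # rule level is high
        "matched": hits,
        "suppressed": suppressed,
        "principal": principal,
        "target": event.get("requestParameters", {}),
    }


# Constructed sample CloudTrail records (not real telemetry); field names follow
# the CloudTrail record format the rule's logsource refers to.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ExampleLoggingAutomation"},
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": True}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ExampleAdmin/session"},
     "requestParameters": {"detectorId": "example-detector-id"}},
    # Not covered by the rule: AWS Config recorder being stopped is a separate API.
    {"eventSource": "config.amazonaws.com", "eventName": "StopConfigurationRecorder",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"configurationRecorderName": "default"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def run(log_text=SAMPLE_LOG):
    """Parse newline-delimited JSON records and return the unsuppressed alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = triage(json.loads(line))
        if verdict and not verdict["suppressed"]:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it raises two alerts (the StopLogging call and the GuardDuty DeleteDetector call), suppresses the UpdateTrail call made by the allowlisted automation role, and leaves the Config StopConfigurationRecorder record unmatched, which is the kind of adjacent gap worth checking when adopting the rule.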

04 Related techniques

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1562/
  • MITRE Tactic TA0005 Defense Evasion, https://attack.mitre.org/tactics/TA0005/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)
Last verified: 2026-04-24