MITRE ATT&CK · TA0005 Defense Evasion

T1562.001 Impair Defenses: Disable or Modify Tools

Detection coverage in DCV across AWS, Azure and GCP for Impair Defenses: Disable or Modify Tools, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1562.001?

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying or deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.

Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to Indicator Blocking, adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection. For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via File/Path Exclusions.

Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.

On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.

In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.

Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools. For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.

Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. Exploitation for Privilege Escalation), which may lead to bypassing anti-tampering features.

Platforms: Containers, IaaS, Linux, macOS, Network Devices, Windows.

02 Coverage in DCV

DCV maps 45 detections across 2 cloud providers to T1562.001. Coverage by source:

Source                          Cloud   Findings mapped   Avg confidence
AWS Config Rules                AWS     31                0.62
Azure Regulatory Compliance     Azure   5                 0.93
AWS Security Hub                AWS     4                 0.88
Microsoft Defender for Cloud    Azure   3                 0.90
Azure Policy                    Azure   2                 0.95

03 Detect with CloudSigma

CloudSigma ships 3 production-ready Sigma rules that detect T1562.001 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.

Example: AWS Security Tool Disabled or Modified via GuardDuty

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma 2026-02-06
title: AWS Security Tool Disabled or Modified via GuardDuty
id: c62250e7-7aa8-4522-b87c-2dfbe7030d8e
status: experimental
description: >-
  Detects deletion or disabling of AWS GuardDuty detectors and stopping of member monitoring,
  which may indicate an adversary attempting to disable security monitoring tools to avoid detection.
author: CloudSigma
date: 2026-02-06
references:
  - https://attack.mitre.org/techniques/T1562/001/
  - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
tags:
  - attack.defense-evasion
  - attack.t1562.001
logsource:
  product: aws
  service: cloudtrail
detection:
  selection:
    eventSource: guardduty.amazonaws.com
    eventName:
      - DeleteDetector
      - UpdateDetector
      - StopMonitoringMembers
  condition: selection
falsepositives:
  - GuardDuty detector configuration updates by a security administrator
  - Planned decommissioning of GuardDuty in a specific region
level: high

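To see how the rule's selection behaves on actual log records, and how the tuning called for above can be applied, here is an added Python example (not CloudSigma's code) that evaluates the selection against constructed CloudTrail events. Two filters go beyond the rule and are assumptions: treating UpdateDetector as impairing only when it carries enable=false (the API's Enable parameter; the CloudTrail field name is assumed), and an allowlist of expected principals.

```python
# Added example (not CloudSigma's code): the rule's selection plus two tuning filters.

WATCHED_SOURCE = "guardduty.amazonaws.com"          # transcribed from the rule
WATCHED_EVENTS = {"DeleteDetector", "UpdateDetector", "StopMonitoringMembers"}
# Assumed tuning knob: principals whose GuardDuty changes are expected (constructed ARN).
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/SecurityAdminRole"}


def matches_selection(event):
    """Exactly the rule's selection: eventSource AND eventName in the list."""
    return (event.get("eventSource") == WATCHED_SOURCE
            and event.get("eventName") in WATCHED_EVENTS)


def impairs_monitoring(event):
    """UpdateDetector only disables GuardDuty when it sets enable=false (the API's
    Enable parameter; CloudTrail field name assumed); the other two always count."""
    if event.get("eventName") != "UpdateDetector":
        return True
    return (event.get("requestParameters") or {}).get("enable") is False


def triage(events):
    """One alert dict per event that matches the rule and survives both filters."""
    alerts = []
    for ev in events:
        principal = ev.get("userIdentity", {}).get("arn", "")
        if (matches_selection(ev) and impairs_monitoring(ev)
                and principal not in ALLOWED_PRINCIPALS):
            alerts.append({"eventName": ev["eventName"], "principal": principal,
                           "region": ev.get("awsRegion")})
    return alerts


def _ct(name, arn, source=WATCHED_SOURCE, region="us-east-1", **params):
    """Build a constructed CloudTrail-like record (sample data, not a real log)."""
    return {"eventSource": source, "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": arn}, "requestParameters": params or None}


ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_EVENTS = [
    _ct("DeleteDetector", ALICE),                           # alert
    _ct("UpdateDetector", ALICE, enable=True),              # config change, suppressed
    _ct("UpdateDetector", "arn:aws:iam::111122223333:role/SecurityAdminRole",
        enable=False),                                      # allowlisted principal
    _ct("StopMonitoringMembers", "arn:aws:iam::111122223333:user/bob",
        region="eu-west-1"),                                # alert
    _ct("DeleteBucket", ALICE, source="s3.amazonaws.com"),  # not a GuardDuty event
]
```

Running triage(SAMPLE_EVENTS) yields two alerts (the DeleteDetector by alice and the StopMonitoringMembers by bob); the unfiltered rule would also have fired on the enable=true configuration update.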
04 Related techniques

Sources

  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1562/001/
  • MITRE Tactic TA0005 Defense Evasion, https://attack.mitre.org/tactics/TA0005/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings, https://center-for-threat-informed-defense.github.io/security-stack-mappings/

Last verified: 2026-04-24