MITRE ATT&CK · TA0112 Defense Impairment

T1685: Disable or Modify Tools


T1685 covers disabling or modifying security tools, often the first move of ransomware operators once they have a foothold. ATT&CK v19 promoted what was T1562.001 to this top-level technique under the new Defense Impairment tactic. DCV treats Azure Defender's "Endpoint protection should be installed" as the preventive control that makes T1685 harder to carry out in the first place, paired with endpoint health monitoring to catch rollback. CIS rules cis.3.7 and cis.3.9 cover the AWS equivalent via GuardDuty finding-archival prevention and WAF state monitoring. Tool-disable detection should be among your highest-priority alerts.

01 What is T1685?

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

In addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).

More advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization’s ability to detect and respond to malicious activity.

Platforms: Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows.

02 Coverage in DCV

DCV maps 60 detections across 3 cloud providers to T1685. Coverage by source:

Source                          Cloud   Findings mapped   Avg confidence
AWS Config Rules                AWS     31                0.62
AWS Security Hub                AWS     11                0.86
AWS GuardDuty                   AWS     6                 0.86
Azure Regulatory Compliance     Azure   5                 0.93
Microsoft Defender for Cloud    Azure   3                 0.90
Azure Policy                    Azure   2                 0.95
GCP Chronicle                   GCP     1                 0.90
GCP Security Command Center     GCP     1                 0.90

03 Detect with CloudSigma

CloudSigma ships 3 validated Sigma rules that detect T1685, one per platform: AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication. The Azure rule is shown below.

Example: Azure Security Center Configuration Modification

Sigma rule · CloudSigma 2026-02-06 · L1 · production verified 2026-05-28 · sha256:0825fc53e1399aec
title: Azure Security Center Configuration Modification
id: 9bd98b14-1072-44b8-afe4-ff2d7b84c313
status: test
description: >-
  Detects deletion of security contacts and modification of auto-provisioning
  settings in Azure Security Center, which may indicate an adversary disabling
  security monitoring tools.
author: CloudSigma
date: 2026-02-06
references:
- https://attack.mitre.org/techniques/T1685/
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications
tags:
- attack.defense-impairment
- attack.t1685
logsource:
  product: azure
  service: activitylogs
detection:
  selection:
    operationName:
    - Microsoft.Security/securityContacts/delete
    - Microsoft.Security/autoProvisioningSettings/write
  condition: selection
falsepositives:
- Administrators reconfiguring security contact settings
- Planned auto-provisioning changes during infrastructure migration
level: high
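To show what the rule's selection actually does against telemetry, here is an added Python example (not CloudSigma's code and not part of the rule set above). It reimplements the selection with Sigma's default case-insensitive string matching and runs it over a handful of constructed Azure Activity Log events. The event shape (top-level operationName, status, caller, resourceId) is a simplified assumption; real Activity Log exports nest or rename some of these fields (the AzureActivity table uses OperationNameValue, for instance), so adapt the field access to your SIEM. The require_success switch is an optional tightening that the published rule does not apply.

```python
"""Evaluate the Azure Security Center Configuration Modification Sigma rule
against sample Azure Activity Log events.

Added example, not CloudSigma code. It reimplements the rule's selection
(an OR over operationName values) with Sigma's default case-insensitive
string matching, reports the hits, then optionally tightens the match to
operations that actually succeeded.
"""
from __future__ import annotations

# Selection copied from the rule above: any of these operationName values.
RULE_SELECTION = {
    "operationName": [
        "Microsoft.Security/securityContacts/delete",
        "Microsoft.Security/autoProvisioningSettings/write",
    ],
}

# Constructed sample events (not real telemetry). Field names are an
# assumed simplification of the Azure Activity Log schema.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_EVENTS = [
    # security contact removed: no more alert e-mails
    {"id": 1, "operationName": "Microsoft.Security/securityContacts/delete",
     "status": "Succeeded", "caller": "ops-admin@example.com",
     "resourceId": SUB + "/providers/Microsoft.Security/securityContacts/default"},
    # auto-provisioning changed; lowercase on purpose to exercise Sigma's
    # case-insensitive matching
    {"id": 2, "operationName": "microsoft.security/autoprovisioningsettings/write",
     "status": "Succeeded", "caller": "svc-deploy@example.com",
     "resourceId": SUB + "/providers/Microsoft.Security/autoProvisioningSettings/default"},
    # attempted deletion that RBAC blocked
    {"id": 3, "operationName": "Microsoft.Security/securityContacts/delete",
     "status": "Failed", "caller": "contractor@example.com",
     "resourceId": SUB + "/providers/Microsoft.Security/securityContacts/default"},
    # unrelated noise
    {"id": 4, "operationName": "Microsoft.Compute/virtualMachines/read",
     "status": "Succeeded", "caller": "ops-admin@example.com",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01"},
]


def field_matches(value, expected) -> bool:
    """Sigma string matching: case-insensitive equality; a list is an OR."""
    if isinstance(expected, list):
        return any(field_matches(value, e) for e in expected)
    if value is None:
        return False
    return str(value).lower() == str(expected).lower()


def selection_matches(event: dict, selection: dict) -> bool:
    """A Sigma selection map is an AND across its fields."""
    return all(field_matches(event.get(f), exp) for f, exp in selection.items())


def run_rule(events, selection=RULE_SELECTION, require_success=False):
    """Return the ids of events the rule fires on.

    require_success is a tightening the published rule does not have: drop
    Failed operations, since nothing was actually changed. The failed attempt
    is still worth a lower-severity alert of its own.
    """
    hits = []
    for ev in events:
        if not selection_matches(ev, selection):
            continue
        if require_success and ev.get("status") != "Succeeded":
            continue
        hits.append(ev["id"])
    return hits


if __name__ == "__main__":
    print("rule as published:", run_rule(SAMPLE_EVENTS))          # [1, 2, 3]
    print("successful only:  ", run_rule(SAMPLE_EVENTS, require_success=True))  # [1, 2]
```

One caveat the rule's falsepositives list does not spell out: Microsoft.Security/autoProvisioningSettings/write fires for any change to the setting, including switching auto-provisioning back on. The Activity Log event records that a write happened, not the resulting state, so confirm the current value after an alert (for example with `az security auto-provisioning-setting show --name default`) before treating it as a tool-disable.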

04 Related techniques

05 FAQ

What is T1685 (Disable or Modify Tools)?

T1685 is the technique in which adversaries disable, degrade or tamper with security tools (EDR, antivirus, IDS, logging agents, sensors such as ETW, log forwarding) to reduce defender visibility; see section 01 for the full MITRE description. It was T1562.001 until ATT&CK v19 promoted it to a top-level technique under the new Defense Impairment tactic. Because it is often a ransomware operator's first move after gaining a foothold, tool-disable detections belong among your highest-priority alerts.

Where does T1685 appear in cloud detection sources?

DCV maps 60 cloud-native detections to T1685 across 3 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.

What MITRE ATT&CK tactic does T1685 belong to?

T1685 belongs to MITRE ATT&CK TA0112 Defense Impairment, the tactic covering how adversaries disable or degrade the defenses that would otherwise have detected them.

How does CloudSigma fit for T1685?

CloudSigma ships 3 validated Sigma rules for T1685 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1685/
  • MITRE Tactic TA0112 Defense Impairment, https://attack.mitre.org/tactics/TA0112/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings, https://center-for-threat-informed-defense.github.io/security-stack-mappings/
Last verified: 2026-05-28