Huseyin Can YUCEEL | October 16, 2020 | 4 MIN READ

LAST UPDATED ON MARCH 13, 2025

MITRE ATT&CK T1562 Impair Defenses

Defensive security controls are the backbone of organizations' cybersecurity strategy, but adversaries are constantly finding ways to disable or evade them. Cyber threat actors focus on weakening security controls to avoid detection and maximize the success of their attacks by disabling antivirus software, modifying firewall rules, and tampering with logging mechanisms. 

In this blog post, we explain the T1562 Impair Defenses technique of the MITRE ATT&CK® framework and explore how adversaries impair defenses with real-world attack examples in detail.


What Are Defensive Security Controls?

Adversaries deliberately compromise or disrupt the defensive mechanisms that organizations rely on to protect their environment, so that they can carry out their malicious actions without being interrupted or detected. As a defense evasion technique, T1562 Impair Defenses was the most prevalent technique employed in malware campaigns in 2025 [1].

In the Impair Defenses technique, adversaries typically exploit weaknesses and vulnerabilities within the victim's infrastructure to undermine the defenses designed to prevent unauthorized access and to detect and respond to intrusions. Adversaries meticulously enumerate the target system to identify vulnerabilities, ranging from unpatched software to misconfigurations. Since security appliances are not immune to exploitation either, adversaries disable or manipulate them to create a blind spot in an organization's defenses. This technique poses a significant challenge for defenders, as compromised security tools can inadvertently aid adversaries in concealing their activities and evading detection.

Adversaries use the Impair Defenses technique to compromise different defensive controls, such as preventive defenses, detective capabilities, and supporting mechanisms.

1. Preventative Defenses

Preventative security controls are designed to proactively prevent or minimize the impact of potential threats. They create barriers and enforce security measures to block unauthorized access, mitigate risks, and maintain integrity and confidentiality. Key preventative controls include firewalls, Intrusion Prevention Systems (IPSs), antivirus and anti-malware software, and Web Application Firewalls (WAFs). Adversaries employ the T1562 Impair Defenses technique to dismantle or neutralize these controls, enabling them to move through, persist in, and achieve their objectives within target environments.

2. Detection Capabilities

Organizations deploy security controls with detection capabilities to identify and respond to security incidents. Unlike preventative controls, which aim to stop security incidents before they occur, detective controls are designed to detect and alert organizations to the presence of security threats or breaches, allowing for a timely response and mitigation. Common detective security controls include Security Information and Event Management (SIEM), Intrusion Detection Systems (IDSs), and Endpoint Detection and Response (EDR) solutions. Adversaries employ the T1562 Impair Defenses technique to compromise detective security controls and disrupt incident response processes.

3. Supportive Mechanisms

Supportive mechanisms are additional tools, technologies, or processes that complement and reinforce the effectiveness of other security controls. They work in tandem with preventive, detective, and other defensive controls to enhance an organization's overall security posture. Some of the well-known supportive mechanisms are:

  • Logging systems: Windows Event Logs, Syslog, PowerShell PSReadLine, Linux's bash_history, AWS CloudWatch, AWS CloudTrail, Azure Activity Log, GCP Audit Logs, etc.

  • Auditing tools: Linux auditd, Microsoft SQL Server Audit, etc.

Adversaries degrade or block the effectiveness of supportive mechanisms with the T1562 Impair Defenses technique to weaken the target's defenses, making it easier for them to achieve their objectives without detection or effective response.

Adversary Use of Impair Defenses

After gaining initial access, adversaries aim to execute their malicious actions without restrictions and stay hidden as long as possible. They also aim to remove any trace of compromise to disrupt incident response and malware analysis efforts. To achieve these goals, adversaries use various methods to impair the preventive controls, detection capabilities, and supportive mechanisms that enable organizations to maintain their security posture. The Impair Defenses technique can be used at multiple stages of an attack campaign for various purposes.

For example, adversaries may disable Windows Defender prior to executing malicious commands. By disabling Windows Defender, adversaries increase the likelihood of successfully executing their malicious payloads on the targeted system. Then, they may tamper with firewall configurations to evade detection and establish communication channels with their C2 server. To remove any traces of compromise, adversaries may delete Windows Event Logs and limit the victim's ability to analyze the attack.
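To turn the chain described above into something a SOC can act on, here is an added example (not from the original post) that correlates its three stages, Defender disabled, firewall modified, event log cleared, across normalized Windows event records on a per-host basis. The record shape and the event IDs used are assumptions, noted in the comments, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Stage -> (channel, event ID) pairs. Assumption: standard Windows IDs
# (Defender 5001 real-time protection disabled; Security 4946-4948/4950
# firewall rule or setting changed; Security 1102 / System 104 log cleared).
# Verify these against your own environment before deploying.
STAGES = {
    "defender_disabled": {("Microsoft-Windows-Windows Defender/Operational", 5001)},
    "firewall_modified": {("Security", i) for i in (4946, 4947, 4948, 4950)},
    "eventlog_cleared": {("Security", 1102), ("System", 104)},
}
STAGE_ORDER = list(STAGES)

def classify(event):
    """Return the impair-defenses stage an event belongs to, or None."""
    key = (event["channel"], event["event_id"])
    return next((s for s, keys in STAGES.items() if key in keys), None)

def correlate(events, window=timedelta(hours=1), min_stages=2):
    """One alert per host when >= min_stages distinct stages fall inside window."""
    # A lone firewall rule change is routine admin work; several stages on one
    # host within a short time is the pattern worth escalating.
    hits = {}  # host -> [(time, stage)], time-ordered
    for e in sorted(events, key=lambda e: e["time"]):
        stage = classify(e)
        if stage:
            hits.setdefault(e["host"], []).append((e["time"], stage))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            seen = {}  # stage -> first time seen in this window
            for t, stage in seq[i:]:
                if t - t0 > window:
                    break
                seen.setdefault(stage, t)
            if len(seen) >= min_stages:
                alerts.append({"host": host, "start": t0, "end": max(seen.values()),
                               "stages": sorted(seen, key=STAGE_ORDER.index)})
                break  # one alert per host is enough
    return alerts

T0 = datetime(2025, 3, 13, 9, 0)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "WS01", "time": T0, "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"host": "WS01", "time": T0 + timedelta(minutes=4), "channel": "Security", "event_id": 4946},
    {"host": "WS01", "time": T0 + timedelta(minutes=20), "channel": "Security", "event_id": 1102},
    {"host": "WS02", "time": T0, "channel": "Security", "event_id": 4946},  # lone rule change
    {"host": "WS03", "time": T0, "channel": "System", "event_id": 104},
    {"host": "WS03", "time": T0 + timedelta(hours=5), "channel": "Security", "event_id": 4947},  # outside window
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for WS01 covering all three stages; WS02 and WS03 stay quiet because their hits are isolated or too far apart.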

Since organizations rely on a broad set of security controls to defend themselves, adversaries have an equally broad set of attack vectors against those controls.

Sub-techniques of T1562 Impair Defenses

The Impair Defenses technique consists of several sub-techniques, each targeting a different security mechanism to weaken an organization's defensive posture. Adversaries leverage these methods to disable, modify, or evade security controls so that their activities remain undetected. From disabling antivirus software and modifying firewall rules to manipulating security logs and restricting incident response capabilities, these sub-techniques play a crucial role in stealthy cyber intrusions.

In version 16.1 of the MITRE ATT&CK Matrix for Enterprise, T1562 Impair Defenses has 11 sub-techniques, each with unique characteristics and attack scenarios. For more detailed information, check out the following blogs explaining each sub-technique in great detail.

  • T1562.001 Disable or Modify Tools
  • T1562.002 Disable Windows Event Logging
  • T1562.003 Impair Command History Logging
  • T1562.004 Disable or Modify System Firewall
  • T1562.006 Indicator Blocking
  • T1562.007 Disable or Modify Cloud Firewall
  • T1562.008 Disable or Modify Cloud Logs
  • T1562.009 Safe Mode Boot
  • T1562.010 Downgrade Attack
  • T1562.011 Spoof Security Alerting
  • T1562.012 Disable or Modify Linux Audit System  


References

[1] "Red Report 2025." Available: https://www.picussecurity.com/red-report
