T1562 Impair Defenses sits within the Defense Evasion tactic and was the single most prevalent technique observed in malware campaigns during 2025, according to the Picus Red Report. In the 2026 Red Report, it holds at Rank #8 with 14.18% prevalence across over one million analyzed malware samples. The technique's consistency in the top 10 year over year — Rank #3 in 2024, Rank #5 in 2025, Rank #8 in 2026 — confirms that blinding the target is not a situational choice but a standard operating procedure for modern adversaries.
What makes T1562 particularly dangerous is that it targets the very tools organizations rely on to detect intrusions. When an adversary successfully impairs defenses, the victim loses visibility into everything that happens next — credential dumping, lateral movement, data exfiltration, and ransomware deployment all proceed without generating the alerts, logs, or telemetry that would normally trigger an investigation. The attack chain goes dark.
The Picus Red Report 2026 found that 8 out of 10 top techniques are specifically designed for Defense Evasion, Persistence, or stealthy Command and Control. This 80% dominance of stealth tradecraft marks the highest concentration of evasion tactics ever recorded, proving that the modern adversary's primary success metric is dwell time, not immediate destruction.
How Defense Impairment Works
Adversaries impair defenses at three layers: preventive controls (firewalls, antivirus, IPS), detective controls (EDR, SIEM, IDS), and supportive mechanisms (event logging, audit systems, telemetry pipelines). The objective at each layer is the same — create a blind spot where malicious activity can proceed without detection or interruption.
The impairment typically occurs after initial access and privilege escalation, but before the adversary's primary objective (data theft, ransomware deployment, espionage). The sequence is predictable: gain administrative or SYSTEM-level access, enumerate installed security products, then disable, modify, or evade each one using the appropriate sub-technique. The specific method depends on what security tools are present and what level of access the adversary has achieved.
At the user-mode level, adversaries can terminate security processes, modify registry keys that control service startup, delete or corrupt configuration files, or use legitimate system utilities to disable services. At the kernel level — which is where the most sophisticated impairment occurs — adversaries load vulnerable drivers to gain ring-0 access and terminate protected processes that cannot be killed from user mode. Cloud environments introduce additional vectors: adversaries can disable cloud-native logging services like AWS CloudTrail, Azure Activity Log, or GCP Audit Logs, eliminating the audit trail that defenders need for incident response.
Sub-Techniques
T1562.001 — Disable or Modify Tools
The broadest and most commonly observed sub-technique. Adversaries kill security software processes or services, modify registry keys so tools fail to start, delete configuration files, or use other methods to interfere with security tool operation. Common targets include Windows Defender, CrowdStrike Falcon, Cortex XDR, Sophos, Symantec Endpoint Protection, and SentinelOne. Methods range from simple taskkill /f /im commands against known process names to sophisticated BYOVD attacks that terminate protected processes from kernel space. The Windows Time Travel Debugging (TTD) monitor driver has been observed being used to initiate a debugging session against an EDR process, rendering it non-functional by hooking the debugger into the EDR and automatically suspending all child processes. A newer user-mode technique called EDR-Freeze exploits the MiniDumpWriteDump function in Windows Error Reporting to suspend all threads in a target security process during a dump operation, effectively hibernating EDR agents without needing kernel access.
T1562.002 — Disable Windows Event Logging
Adversaries disable Windows event logging to eliminate the forensic trail. Methods include stopping the Windows Event Log service (sc config eventlog start=disabled), using auditpol to clear audit policies (auditpol /clear /y), using wevtutil to disable specific log channels, modifying registry keys under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, and using tools like Phant0m that kill Event Log service threads without terminating the service process itself. Disabling IIS HTTP logging has been observed in campaigns by Threat Group-3390 (Bronze Union). By eliminating event logs, adversaries can execute commands, create accounts, move laterally, and exfiltrate data without leaving the standard Windows audit trail that security teams rely on for detection and investigation.
T1562.003 — Impair Command History Logging
Adversaries disable or manipulate command history to prevent recording of their terminal activity. On Linux, this includes unsetting the HISTFILE environment variable, setting HISTSIZE=0, or redirecting history to /dev/null. On Windows, adversaries may delete or modify the PowerShell PSReadLine console history file at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. On macOS, the zsh_history or bash_history files serve the same purpose and are targeted similarly.
T1562.004 — Disable or Modify System Firewall
Adversaries modify firewall rules to open network paths for C2 communication, lateral movement, or data exfiltration. On Windows, this commonly involves netsh advfirewall set allprofiles state off or adding specific allow rules for attacker tools. On Linux, adversaries may flush iptables rules (iptables -F) or modify nftables rulesets. In cloud environments, adversaries modify security group rules, network ACLs, or Azure Network Security Group configurations to permit traffic that would normally be blocked.
T1562.006 — Indicator Blocking
Adversaries block security indicators or events from being gathered by tampering with the collection mechanism itself. A primary target is Event Tracing for Windows (ETW), which many EDR products depend on for real-time telemetry. Adversaries can patch ETW functions in memory (particularly NtTraceEvent in ntdll.dll) to prevent events from being generated. On ESXi hypervisors, adversaries have been observed redirecting or disabling syslog forwarding to prevent host activity from reaching a SIEM. The Chinese APT group UNC3886 deployed custom VIB packages on ESXi hosts that included malware capable of disabling logging and intercepting administrative commands.
T1562.007 — Disable or Modify Cloud Firewall
Adversaries with cloud administrative access modify or disable cloud-native firewall controls including AWS Security Groups, Azure Network Security Groups, and GCP VPC Firewall Rules. This sub-technique is distinct from T1562.004 because it targets cloud control-plane configurations rather than OS-level firewalls. Adversaries may also disable AWS WAF rules, Azure DDoS Protection policies, or cloud-native IDS/IPS services.
T1562.008 — Disable or Modify Cloud Logs
Adversaries disable cloud logging services to eliminate the audit trail in cloud environments. Targets include AWS CloudTrail, Azure Monitor Activity Log, GCP Cloud Audit Logs, and Kubernetes audit logging. Disabling CloudTrail in particular is a well-documented technique because it removes visibility into all API calls within an AWS account, making it impossible to trace adversary actions through the cloud control plane. Adversaries with sufficient IAM privileges can stop CloudTrail logging, delete trails, or modify trail configurations to exclude specific event types.
T1562.009 — Safe Mode Boot
Adversaries reboot systems into Windows Safe Mode, which starts the operating system with a minimal set of drivers and services. Third-party security software — including EDR agents — typically does not start in Safe Mode. Ransomware groups including Snatch, AvosLocker, RansomHub, Qilin, and the Embargo group have used this technique to encrypt files while EDR protection is inactive. The attacker configures the system to boot into Safe Mode with networking (to maintain remote access), reboots, deploys the ransomware payload, and then restores normal boot configuration.
T1562.010 — Downgrade Attack
Adversaries downgrade security tool versions or configurations to weaker states. This includes forcing PowerShell to run in version 2.0 (which lacks Script Block Logging and AMSI integration), downgrading TLS/SSL to versions with known vulnerabilities, or reverting Group Policy settings to less restrictive configurations.
T1562.011 — Spoof Security Alerting
Adversaries generate fake security alerts or modify alert content to misdirect security teams. This can include injecting false positive alerts to create alert fatigue, modifying alert severity levels, or spoofing the source of security notifications. The Black Basta ransomware group has been linked to custom EDR evasion tools that spoof security alerting to mask their operations.
BYOVD: The Dominant EDR Killer
Bring Your Own Vulnerable Driver (BYOVD) has become the single most effective and widely used method for disabling endpoint security in 2025-2026. The technique works because Windows allows legitimately signed kernel drivers to load and execute with ring-0 (kernel-level) privileges. If that driver contains a vulnerability — such as failing to validate permissions before executing commands — an attacker can exploit it to terminate any process on the system, including protected EDR processes that cannot be killed from user mode.
The attack sequence is consistent: the adversary drops a signed but vulnerable .sys driver file onto the target system, loads it as a kernel service, then issues crafted IOCTL (Input/Output Control) requests to the driver that terminate security processes. The malware typically runs in a tight loop, continuously polling for known security processes and killing them immediately when they appear or attempt to restart. Hundreds of individual processes — from antivirus engines to EDR agents — can be terminated in seconds.
In February 2026, the Reynolds ransomware family took BYOVD further by embedding the vulnerable driver (NsecSoft NSecKrnl, CVE-2025-68947) directly within the ransomware payload itself. This eliminates the need for a separate EDR-killing deployment step, reduces the attack's filesystem footprint, and significantly shrinks the detection window. This evolution from BYOVD as a distinct pre-attack tool to an embedded payload component represents the industrialization of defense impairment.
Well-known BYOVD toolkits and campaigns include AuKill (abusing an older Process Explorer driver), Terminator (abusing the Zemana anti-malware driver), Backstab (targeting multiple EDR vendors), and the TrueSight driver campaign that deployed over 2,500 driver variants between mid-2024 and early 2025. In February 2026, a Huntress investigation documented attackers using a revoked EnCase forensic driver to terminate security processes from kernel mode, demonstrating that even drivers with expired or revoked certificates can still be loaded on systems without proper driver blocklist enforcement.
Real-World Case Studies
Reynolds Ransomware — BYOVD Embedded in the Payload (February 2026)
The Reynolds ransomware campaign, analyzed by Broadcom/Symantec in early 2026, represented a significant evolution in defense impairment tradecraft. Rather than deploying a separate EDR-killing tool before the ransomware, Reynolds bundled the vulnerable NsecSoft NSecKrnl driver directly within the ransomware payload. The NSecKrnl driver (CVE-2025-68947) fails to verify user permissions before executing commands, allowing a local authenticated attacker to terminate processes owned by other users — including SYSTEM and Protected Processes — through crafted IOCTL requests. Reynolds targeted processes from Avast, CrowdStrike Falcon, Cortex XDR, Sophos, HitmanPro.Alert, and Symantec Endpoint Protection. Investigators also discovered a suspicious side-loaded loader on the target network weeks before the ransomware deployment and the GotoHTTP remote access tool installed the day after encryption, suggesting extended dwell time and continued post-attack access.
Interlock Ransomware — Zero-Day Gaming Driver (2025-2026)
The Interlock ransomware group targeted UK and US organizations, particularly in the education sector, using a zero-day vulnerability in the GameDriverx64.sys gaming anti-cheat driver (CVE-2025-61155) for BYOVD-based EDR disablement. Initial access originated from a MintLoader infection, followed by deployment of the NodeSnake/Interlock RAT for data theft. The exploitation of a gaming anti-cheat driver highlights how adversaries are expanding their search for vulnerable signed drivers beyond traditional IT and security tools into the gaming ecosystem, where drivers often have elevated kernel permissions by design.
Akira Ransomware — Pivoting to Unmonitored Devices (2025)
When EDR quarantined Akira's initial payload on a Windows endpoint, the attackers pivoted to an unmonitored Linux-based webcam on the same network. From the webcam — a device with no EDR agent — they mounted SMB shares and encrypted the network. This case demonstrates a lateral approach to defense impairment: rather than disabling the security tool, the adversary simply moved operations to a device where no security tool exists. The attack succeeded because IoT devices on the network were not covered by endpoint security, creating an unmonitored blind spot that the attackers exploited to circumvent rather than disable defenses.
UNC3886 — ESXi Hypervisor Logging Subversion
The Chinese espionage group UNC3886 targeted VMware ESXi hypervisors with custom malware delivered through malicious VIB (vSphere Installation Bundle) packages. The malware disabled syslog forwarding from ESXi hosts to the organization's SIEM, eliminated the hypervisor audit trail, and intercepted administrative commands. By operating at the hypervisor layer — below the operating system where EDR agents run — UNC3886 achieved persistent access that was invisible to all endpoint-level security controls. This represents defense impairment at the infrastructure layer, a level below where traditional security monitoring operates.
BlackByte Ransomware — Systematic Multi-Driver BYOVD
BlackByte developed a systematic approach to defense impairment, deploying multiple vulnerable drivers as part of its standard BYOVD chain. The group's custom tool Exbyte handled data exfiltration while a separate component loaded vulnerable drivers to terminate EDR processes. BlackByte's approach was notable for its methodical enumeration of installed security products followed by targeted termination of each one, combined with custom tools tied to FIN7 threat actor infrastructure that spoofed security alerting (T1562.011) to mask ongoing operations.
Detection Strategies
Detecting T1562 is inherently paradoxical: the technique is specifically designed to disable the tools you use for detection. This means detection must come from layers the adversary has not yet impaired, and alerts must fire on the impairment itself rather than on the activity that follows.
| Detection Layer | What to Monitor | Key Indicators |
|---|---|---|
| Driver Load Events | Sysmon Event ID 6, Code Integrity logs | Unexpected .sys files in System32\drivers or user-writable directories, drivers matching known vulnerable driver hashes, new kernel driver services created via sc.exe |
| Security Service Status | Windows Service Control Manager (Event ID 7045, 7036) | Security services stopping unexpectedly, new services of type "kernel driver" created, service startup type changed to disabled |
| Process Termination | Sysmon Event ID 5, EDR telemetry | Security tool processes terminating without administrative action, rapid sequential termination of multiple security processes, taskkill targeting known security process names |
| Audit Policy Changes | Windows Security Event ID 4719 | Audit policy modifications via auditpol, disabling of Account Logon or Logon/Logoff auditing, clearing of all audit policies |
| Event Log Manipulation | Event ID 1102 (Security log cleared), Event ID 104 (System log cleared) | Log channels disabled via wevtutil, Event Log service stopped or disabled, PowerShell history files deleted |
| Firewall Changes | Firewall configuration logs, Group Policy changes | netsh advfirewall commands disabling profiles, iptables -F on Linux, security group modifications in cloud environments |
| Cloud Logging Status | CloudTrail status events, Azure Monitor alerts | CloudTrail trails stopped or deleted, Azure Activity Log diagnostic settings modified, GCP audit log sinks removed |
| Telemetry Gaps | SIEM heartbeat monitoring, agent health dashboards | Absence of expected log events (log silence), EDR agents going offline without administrative action, heartbeat failures from previously healthy endpoints |
SIEM Detection Queries
BYOVD driver load detection (suspicious kernel driver installation from non-standard paths):

```spl
index=sysmon EventCode=6
| search NOT ImageLoaded IN ("C:\\Windows\\System32\\drivers\\*", "C:\\Windows\\SysWOW64\\*")
| eval driver_path=ImageLoaded
| stats count BY Computer driver_path Hashes SignatureStatus
| where SignatureStatus!="Valid" OR match(driver_path, "(?i)(temp|appdata|programdata|users|downloads)")
| sort - count
```
Security service termination detection (security processes killed or services disabled):

```spl
index=sysmon EventCode=1
| search (Image="*\\taskkill.exe" AND CommandLine IN ("*MsMpEng*", "*CrowdStrike*", "*CSFalcon*", "*Sophos*", "*Symantec*", "*SentinelOne*", "*Cortex*"))
    OR (Image="*\\sc.exe" AND CommandLine="*config*start=*disabled*")
    OR (Image="*\\net.exe" AND CommandLine="*stop*" AND CommandLine IN ("*windefend*", "*MBAMService*", "*Sense*", "*eventlog*"))
| stats count BY Computer User Image CommandLine
| sort - count
```

The sc.exe pattern uses start=*disabled so that it matches both start=disabled and the documented sc syntax with a space after the equals sign (start= disabled).
Windows event log manipulation detection (attempts to disable event logging or clear audit policies):

```spl
index=windows
    ((EventCode=1102 OR EventCode=104 OR EventCode=4719)
    OR (source="WinEventLog:Security" EventCode=4688
        ((NewProcessName="*auditpol.exe" AND CommandLine IN ("*clear*", "*remove*", "*disable*"))
         OR (NewProcessName="*wevtutil.exe" AND (CommandLine="* sl *" OR CommandLine="* set-log *")))))
| eval action=case(EventCode=1102, "Security log cleared",
                   EventCode=104, "System log cleared",
                   EventCode=4719, "Audit policy changed",
                   1=1, "Logging manipulation command")
| stats count BY Computer User action
| sort - count
```

The wevtutil match is anchored on the sl / set-log subcommand rather than the bare substring "sl", which would match unrelated command lines. Event ID 4688 only carries CommandLine when "Include command line in process creation events" is enabled in audit policy.
One of the strongest signals for defense impairment is the absence of expected events. If an endpoint that normally generates hundreds of events per hour suddenly goes silent, that silence itself is an indicator. Configure SIEM heartbeat rules that alert when expected log sources stop reporting for more than a defined threshold.
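As an added example that is not part of the original report, the following Python applies two of the detection ideas above to constructed sample telemetry: the BYOVD driver-load heuristics from Sysmon Event ID 6 (non-standard or user-writable path, non-Valid signature, known-vulnerable hash) and the log-silence heartbeat check. Host names, paths, timestamps and hashes are constructed, and the vulnerable-driver hash set is a placeholder rather than a real blocklist.

```python
"""Added example, not part of the original report: a small detector that applies
two of the signals described above to constructed telemetry: (1) Sysmon Event ID 6
driver loads that look like BYOVD (outside the Windows driver directories, from a
user-writable path, non-Valid signature, or a hash on a vulnerable-driver list) and
(2) telemetry gaps, i.e. expected hosts whose last event is older than a threshold.
Host names, paths and hashes are constructed; the hash set is a placeholder."""
from datetime import datetime, timedelta
import re

# Placeholder for a real vulnerable-driver hash list (for example the hashes behind
# the Microsoft Vulnerable Driver Blocklist). This is not a real driver hash.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
# Where kernel drivers normally load from (lower-cased prefixes).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\syswow64\\")
# Path components that indicate a user-writable location.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users|downloads)\\", re.I)

def parse_hashes(hashes_field):
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; return {algo: value}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out

def score_driver_load(event):
    """Return the reasons an Event ID 6 record looks like a BYOVD driver load
    (empty list = nothing suspicious). A driver with SignatureStatus Valid that
    is on the vulnerable list is still flagged: that is exactly the BYOVD case,
    where the signature is legitimate and the vulnerability is the problem."""
    reasons = []
    path = event["ImageLoaded"]
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside System32\\drivers or SysWOW64")
    if USER_WRITABLE.search(path):
        reasons.append("loaded from a user-writable directory")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature status is %r" % event.get("SignatureStatus"))
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash matches a known vulnerable driver")
    return reasons

def find_silent_hosts(events, expected_hosts, now, max_silence):
    """Return expected hosts with no event newer than now - max_silence. Hosts
    that never reported at all count as silent, which is why the check starts
    from the host inventory rather than from the events that did arrive."""
    last_seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["UtcTime"])
        host = ev["Computer"]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_silence)

# Constructed Sysmon Event ID 6 records (sample values, not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": "2026-02-10T09:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=CONSTRUCTED_BENIGN_HASH", "SignatureStatus": "Valid"},
    {"Computer": "WS02", "UtcTime": "2026-02-10T09:05:00",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchelper.sys",
     "Hashes": "SHA256=placeholder_sha256_of_known_vulnerable_driver",
     "SignatureStatus": "Valid"},
]
EXPECTED_HOSTS = {"WS01", "WS02", "WS03"}   # constructed inventory; WS03 never reports
NOW = datetime.fromisoformat("2026-02-10T09:18:00")  # constructed "current" time
MAX_SILENCE = timedelta(minutes=15)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Computer"], ev["ImageLoaded"], score_driver_load(ev) or "clean")
    print("silent hosts:", find_silent_hosts(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW, MAX_SILENCE))
```

On real data, feed the functions Sysmon records exported from the SIEM and replace the placeholder set with the hashes from your driver blocklist; the heartbeat check should be driven from the asset inventory so that hosts that never report are not silently ignored.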
Known Threat Actors
| Actor | Origin | Context |
|---|---|---|
| Reynolds Ransomware | Cybercrime | Embedded BYOVD (NSecKrnl driver, CVE-2025-68947) directly in ransomware payload to terminate EDR from CrowdStrike, Sophos, Symantec, and Cortex XDR |
| BlackByte | Cybercrime | Systematic multi-driver BYOVD chain with custom Exbyte exfiltration tool and FIN7-linked EDR evasion tools |
| Interlock | Cybercrime | Zero-day exploitation of GameDriverx64.sys gaming anti-cheat driver (CVE-2025-61155) for BYOVD EDR disablement |
| LockBit | Cybercrime | Consistent use of BYOVD, Safe Mode boot, and security tool termination across multiple LockBit versions through 2025 |
| Akira | Cybercrime | Pivoted to unmonitored IoT devices (network webcam) when EDR quarantined initial payload, encrypting via SMB from an agentless device |
| RansomHub | Cybercrime | Safe Mode boot for EDR bypass combined with BYOVD techniques; used TDSSKiller and other tools to disable security products |
| UNC3886 | China | Custom VIB packages on ESXi hypervisors that disabled syslog forwarding and intercepted administrative commands at the infrastructure layer |
| Volt Typhoon | China | Living-off-the-land techniques to disable security logging on network infrastructure devices during critical infrastructure pre-positioning |
| Cadet Blizzard | Russia | Disabled Windows Defender and security tools as part of destructive operations against Ukrainian targets |
| APT41 | China | Disabled ETW tracing and manipulated event logs to maintain long-term espionage access in targeted organizations |
Defensive Recommendations
No single control can prevent all forms of defense impairment. BYOVD operates at the kernel level, Safe Mode boot bypasses user-mode protections entirely, and cloud log manipulation targets control-plane configurations. Defense must be layered: driver load hardening, privilege hygiene, tamper protection, agent health monitoring, off-host log aggregation, and detection rules that alert on the impairment itself.
- Enable and enforce the Microsoft Vulnerable Driver Blocklist: The blocklist is enabled by default on Windows 11 (2022 update and later) under HVCI/Smart App Control/S Mode, and is updated with each Windows release. Ensure it is actively enforced across all endpoints. For broader coverage, deploy Windows Defender Application Control (WDAC) policies or App Control for Business to restrict kernel driver loading to an explicit allowlist. Enable the ASR rule "Block abuse of exploited vulnerable signed drivers" (GUID: 56a863a9-875e-4185-98a7-b882c64b5ce5).
- Enable EDR tamper protection: Ensure tamper protection is active on all EDR agents. This prevents adversaries from disabling or uninstalling the agent using standard administrative commands. Verify that tamper protection cannot be disabled without cloud console authorization, not just local administrator rights.
- Monitor for driver load events from non-standard paths: Deploy Sysmon Event ID 6 monitoring and Code Integrity logging. Alert on any kernel driver loaded from user-writable directories (ProgramData, Users, Temp, Downloads). Maintain a hash-based blocklist of known vulnerable drivers and alert on matches. Investigate any new kernel driver service created via sc.exe create type=kernel.
- Implement off-host log aggregation: Forward all critical logs (Windows Security, Sysmon, PowerShell, firewall, application) to a centralized SIEM in near-real-time. If an adversary disables local logging, the events generated before the disablement — including the disablement itself — will already be preserved externally. This is the single most important control against event log manipulation.
- Deploy agent health and heartbeat monitoring: Configure the SIEM or security operations platform to track endpoint agent status. Alert when an EDR agent goes offline, stops reporting, or when expected log volume from a source drops below baseline. Absence of events is an indicator, not a non-event.
- Restrict administrative privileges: Defense impairment requires elevated access. Implement least-privilege access, enforce just-in-time (JIT) administration, and use Privileged Access Workstations (PAWs) for administrative tasks. Limit the number of accounts with local administrator, Domain Admin, or cloud IAM administrator privileges. The fewer accounts that can install drivers, stop services, or modify audit policies, the smaller the attack surface for T1562.
- Protect cloud logging configurations: In AWS, enable CloudTrail with Organization-level trails and use Service Control Policies (SCPs) to prevent member accounts from disabling CloudTrail. In Azure, use resource locks and Azure Policy to prevent modification of diagnostic settings. In GCP, use Organization Policy constraints to enforce audit logging. Monitor for IAM actions that modify logging configurations and alert immediately.
- Address the IoT blind spot: The Akira webcam case demonstrates that defense impairment includes operating from devices where defenses do not exist. Segment IoT and OT devices onto isolated network segments. Deploy network-based detection (NDR) that provides visibility into traffic from agentless devices. Ensure that IoT devices cannot mount file shares or access production systems without explicit authorization and monitoring.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1562 |
| Technique Name | Impair Defenses |
| Tactics | Defense Evasion |
| Platforms | Windows, Linux, macOS, Containers, ESXi, IaaS, Identity Provider, Network Devices, Office Suite |
| Sub-Techniques | T1562.001 Disable or Modify Tools, .002 Disable Windows Event Logging, .003 Impair Command History Logging, .004 Disable or Modify System Firewall, .006 Indicator Blocking, .007 Disable or Modify Cloud Firewall, .008 Disable or Modify Cloud Logs, .009 Safe Mode Boot, .010 Downgrade Attack, .011 Spoof Security Alerting, .012 Disable or Modify Linux Audit System, .013 Disable or Modify Network Firewall |
| Defenses Bypassed | Anti-virus, Digital Certificate Validation, File Monitoring, Firewall, Host Forensic Analysis, Host Intrusion Prevention Systems, Log Analysis, Signature-based Detection |
| Data Sources | Command (Execution), Process (Creation, Termination), Service (Service Metadata), Windows Registry (Key Modification), Sensor Health (Host Status), Cloud Service (Modification, Disable), Driver (Load) |
| MITRE Reference | attack.mitre.org/techniques/T1562 |
Sources and References
- MITRE ATT&CK — T1562 Impair Defenses: attack.mitre.org
- Picus Security — Red Report 2026 (T1562 at Rank #8, 14.18%): picussecurity.com
- Broadcom/Symantec — Reynolds Ransomware BYOVD Analysis: security.com
- Threat Intel Report — BYOVD in 2026: The Signed-Driver Loophole: threatintelreport.com
- Threat Intel Report — EDR Killers in 2026: threatintelreport.com
- Vectra AI — EDR Evasion Techniques and Defense: vectra.ai
- Mandiant — UNC3886 ESXi Espionage Operations: cloud.google.com
- The Hacker News — Reynolds Ransomware Embeds BYOVD Driver: thehackernews.com
- Picus Security — T1562 Impair Defenses Technical Analysis: picussecurity.com