T1562 - Impair Defenses

Tactics:
Defense Evasion
Platforms:
Windows, IaaS, Linux, macOS +5
Detection:
Not specified
Description:
Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This involves impairing not only preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses and supplemental capabilities installed by users and administrators.

Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents. (Citation: Google Cloud Mandiant UNC3886 2024) (Citation: Emotet shutdown)

Sub-techniques (12)
ID Name
T1562.001 Disable or Modify Tools
T1562.002 Disable Windows Event Logging
T1562.003 Impair Command History Logging
T1562.004 Disable or Modify System Firewall
T1562.006 Indicator Blocking
T1562.007 Disable or Modify Cloud Firewall
T1562.008 Disable or Modify Cloud Logs
T1562.009 Safe Mode Boot
T1562.010 Downgrade Attack
T1562.011 Spoof Security Alerting
T1562.012 Disable or Modify Linux Audit System
T1562.013 Disable or Modify Network Device Firewall
Metadata
MITRE ID: T1562
STIX ID: attack-pattern--3d333250-30e4-...
Platforms: Windows, IaaS, Linux, macOS, Containers, Network Devices, Identity Provider, Office Suite, ESXi
Created: 13/01/2026 17:48
Updated: 06/03/2026 04:00