1. Home
  2. Detection Strategies
  3. Detection Strategy for Impair Defenses Indicator Blocking

Detection Strategy for Impair Defenses Indicator Blocking

Technique Detected:  Indicator Blocking | T1562.006

ID: DET0239
Domains: Enterprise
Analytics: AN0667, AN0668, AN0669, AN0670
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN0667

Correlates registry modifications to EventLog or WMI Autologger keys, suspicious use of Set-EtwTraceProvider, and Sysmon configuration changes. Defender sees interruption or redirection of ETW and log event collection.

Log Sources
Data Component Name Channel
Host Status (DC0018) WinEventLog:Sysmon EventCode=16
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Mutable Elements
Field Description
MonitoredETWProviders List of ETW providers to baseline and monitor for unexpected removal.
AuthorizedConfigChanges Whitelist of expected admin actions modifying Sysmon or ETW configurations.

AN0668

Detects disabling or reconfiguration of syslog or rsyslog services. Monitors sudden stops in logging daemons and suspicious execution of kill or service stop commands targeting syslog processes.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog
Process Termination (DC0033) linux:osquery unexpected termination of syslog or rsyslog processes
Mutable Elements
Field Description
SyslogServiceName Service name for syslog daemon, which can differ across distributions.

AN0669

Detection of tampering with Apple's Unified Logging framework or modification of system log forwarding settings. Defender observes execution of logd-related commands or defaults write to logging preferences.

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog defaults write com.apple.system.logging or logd manipulation
Mutable Elements
Field Description
AllowedLogConfigs Baseline of approved logging preference modifications to reduce noise.

AN0670

Detection of syslog configuration tampering using esxcli system syslog config set or reload. Defender correlates command execution with absence of syslog forwarding activity.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:hostd esxcli system syslog config set or reload
Mutable Elements
Field Description
SyslogServerBaseline Expected syslog destination servers for ESXi hosts.