MITRE ATT&CK® Technique

T1687: Exploitation for Defense Impairment

Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity. Adversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections.

Vulnerabilities may exist in security tools such as antivirus, endpoint detection and response (EDR), firewalls, or other monitoring solutions. Adversaries may use prior reconnaissance or perform discovery activities (e.g., Software Discovery) to identify defensive tools present in an environment and target them for exploitation.

Successful exploitation may allow adversaries to terminate security processes, disable protections, bypass enforcement mechanisms, or reduce the effectiveness of defensive controls. In some cases, vulnerabilities in cloud-based or SaaS infrastructure may also be leveraged to bypass built-in security boundaries or disrupt visibility and enforcement across environments.[1]

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Exploitation for Defense Impairment matters because it turns the security stack itself into a target. Instead of only evading tools, an adversary may exploit vulnerabilities in antivirus, EDR, firewalls, monitoring solutions, cloud services, SaaS infrastructure, or other defensive components to weaken prevention, detection, or response. For leaders, the decision point is whether security tooling is being treated as critical infrastructure: inventoried, patched, monitored, and included in incident response planning.

Executive priority

Prioritize this as an operational resilience and assurance issue. If defensive controls can be degraded through exploitation, the organization may lose visibility at the moment it most needs evidence for containment, executive decisions, and compliance reporting. Security leaders should ask whether defensive components across Windows, Linux, macOS, IaaS, and SaaS are covered by vulnerability management, whether outages or tampering are detectable, and whether IR playbooks account for compromised or impaired security tools.

Technical view

ATT&CK provides no official detection text for T1687, so SOC and IR teams should validate coverage around the observable outcomes described: security processes terminated, protections disabled, enforcement bypassed, or visibility reduced. Because the technique applies across IaaS, SaaS, Linux, macOS, and Windows, validation should include endpoint, network/security appliance, cloud, and SaaS control planes where defensive tooling operates. The related ATT&CK detection strategy is DET0900, Detection of Defense Impairment, which should be used as relationship-driven context for building or reviewing detections.

Likely telemetry

  • Security tool health, status, and heartbeat events
  • Endpoint process and service start/stop events for antivirus, EDR, and monitoring agents
  • Configuration and policy change logs for defensive controls
  • Firewall, monitoring, and enforcement component logs
  • Cloud and SaaS audit logs related to security boundary, visibility, or enforcement changes

Detection direction

  • Validate that alerts exist for unexpected disabling, degradation, termination, or policy changes affecting defensive tools.
  • Correlate defensive control impairment with preceding vulnerability exploitation indicators where local telemetry supports it.
  • Tune detections to distinguish approved maintenance, upgrades, and administrative changes from unexpected impairment.
  • Review blind spots where security tools may fail silently, lose heartbeat, or stop reporting without generating a high-priority alert.
  • Use DET0900 as the ATT&CK relationship context for detection engineering, while recognizing the supplied ATT&CK object does not provide a specific detection analytic.
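As an added example (not code from Glexia, MITRE, or any vendor), the following Python correlator runs the checks described in the telemetry and detection-direction lists above over constructed security-tool events: it flags service stops or protection changes outside an approved maintenance window, raises severity when a crash in the same agent precedes the impairment, and separately reports agents that have gone silent with no stop event to explain the gap. Host names, agent names, the event shape, the thresholds, and the maintenance window are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One constructed security-tool telemetry record (the shape is an assumption)."""
    ts: datetime
    host: str
    agent: str
    kind: str        # heartbeat | service_stop | protection_disabled | agent_crash
    detail: str = ""


def t(hhmm: str) -> datetime:
    """Build a timestamp on a fixed constructed date from an HH:MM string."""
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


def beats(host: str, agent: str, times: list) -> list:
    """Constructed heartbeat events for one agent on one host."""
    return [Event(t(x), host, agent, "heartbeat") for x in times]


# Constructed sample telemetry (hosts, agents and details are illustrative).
EVENTS = (
    beats("ws-01", "edr-sensor", ["09:00", "09:05"])
    + [Event(t("09:07"), "ws-01", "edr-sensor", "agent_crash", "unhandled exception in sensor service"),
       Event(t("09:08"), "ws-01", "edr-sensor", "service_stop", "service state: stopped")]
    + beats("srv-02", "av", ["09:00", "09:05", "09:10", "09:15", "09:20", "09:25"])
    + [Event(t("09:10"), "srv-02", "av", "service_stop", "stopped for scheduled engine upgrade")]
    + beats("srv-03", "fw-agent", ["09:00", "09:05"])
    + beats("ws-04", "edr-sensor", ["09:00", "09:05", "09:10", "09:15", "09:20", "09:25"])
    + [Event(t("09:15"), "ws-04", "edr-sensor", "protection_disabled", "tamper protection set to off")]
)
NOW = t("09:30")

# Tuning assumptions: approved change windows per host, expected heartbeat cadence,
# how many beats may be missed, and how far back to look for a crash precursor.
MAINTENANCE_WINDOWS = {"srv-02": [(t("09:00"), t("09:30"))]}
HEARTBEAT_INTERVAL = timedelta(minutes=5)
MISSED_BEATS_ALLOWED = 2
PRECURSOR_WINDOW = timedelta(minutes=10)
PRECURSOR_KINDS = {"agent_crash"}
IMPAIRMENT_KINDS = {"service_stop", "protection_disabled"}


def in_maintenance(host: str, ts: datetime) -> bool:
    """True when the host has an approved change window covering ts."""
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS.get(host, []))


def unexpected_impairments(events) -> list:
    """Flag stops/protection changes outside maintenance; escalate if a crash preceded them."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind not in IMPAIRMENT_KINDS or in_maintenance(ev.host, ev.ts):
            continue
        precursors = [
            p.detail for p in events
            if p.host == ev.host and p.agent == ev.agent and p.kind in PRECURSOR_KINDS
            and ev.ts - PRECURSOR_WINDOW <= p.ts < ev.ts
        ]
        findings.append({
            "host": ev.host, "agent": ev.agent, "kind": "unexpected_impairment",
            "event": ev.kind, "at": ev.ts.isoformat(),
            "severity": "high" if precursors else "medium",
            "precursors": precursors,
        })
    return findings


def heartbeat_gaps(events, now: datetime) -> list:
    """Report agents whose last heartbeat is too old; 'silent' means no stop event explains it."""
    last_seen, stopped = {}, set()
    for ev in events:
        key = (ev.host, ev.agent)
        if ev.kind == "heartbeat":
            last_seen[key] = max(last_seen.get(key, ev.ts), ev.ts)
        elif ev.kind == "service_stop":
            stopped.add(key)
    limit = HEARTBEAT_INTERVAL * MISSED_BEATS_ALLOWED
    findings = []
    for (host, agent), ts in sorted(last_seen.items()):
        if now - ts <= limit:
            continue
        silent = (host, agent) not in stopped
        findings.append({
            "host": host, "agent": agent,
            "kind": "silent_heartbeat_loss" if silent else "heartbeat_loss_after_stop",
            "severity": "medium" if silent else "low",
            "last_heartbeat": ts.isoformat(),
        })
    return findings


def analyze(events, now: datetime) -> list:
    """Run both checks and return all findings."""
    return unexpected_impairments(events) + heartbeat_gaps(events, now)


if __name__ == "__main__":
    for f in analyze(EVENTS, NOW):
        print(f)
```

On the constructed data the approved stop on srv-02 is suppressed by its maintenance window, the stop on ws-01 is rated high because a crash in the same sensor occurred a minute earlier, the tamper-protection change on ws-04 is rated medium with no precursor, and srv-03 surfaces only through the silent heartbeat check, which is the blind-spot case the list above warns about. In production the heartbeat check should run from a system independent of the monitored agent, so that impairing one tool does not also remove the evidence of the impairment.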

Mitigation priorities

  • Treat security software, monitoring infrastructure, and cloud/SaaS defensive components as high-priority assets in vulnerability management.
  • Maintain accurate inventory of defensive tools and where they are deployed across supported platforms.
  • Patch and harden defensive components promptly, especially tools with prevention, detection, response, enforcement, or visibility roles.
  • Monitor health and configuration state of security controls independently where possible, so impairment of one tool does not erase evidence.
  • Include impaired or compromised security tooling scenarios in incident response plans and tabletop exercises.

Analyst notes and limits

The technique is newly represented in the supplied ATT&CK data as version 1.0 and is mapped to the defense-impairment tactic. The official description supports focus on vulnerabilities in security software, infrastructure, defensive components, and cloud/SaaS infrastructure, but it does not provide procedure examples beyond the cited external reference. Local architecture determines which defensive components create the most business risk.

Official ATT&CK detection guidance is not provided for this object. This take does not assert active exploitation, attribution, affected customers, or guaranteed detection coverage. Validation requires local telemetry, asset inventory, vulnerability data, and knowledge of deployed security controls.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ae0849148398ba60...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | ae0849148398…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.
  2. [2] mitre-attack: T1687.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.