MITRE ATT&CK v19: Defense Evasion Is Dead — Meet Stealth and Impair Defenses

In two days, the tactic you’ve been mapping detections to for years disappears. MITRE ATT&CK v19 drops on April 28, 2026, and it’s splitting Defense Evasion (TA0005) into two distinct tactics. Your Sigma rules, SIEM dashboards, and SOAR playbooks that reference TA0005 won’t break — but they’ll now describe a narrower world than they used to.

Here’s what changes, why MITRE made this call, and exactly what you need to do before the weekend.

TL;DR

• ATT&CK v19 releases April 28, 2026 — Defense Evasion (TA0005) is replaced by two new tactics
• Stealth inherits TA0005 and covers hiding malicious activity within legitimate behavior
• Impair Defenses is a new tactic ID covering active sabotage of security controls
• T1562 (Impair Defenses technique) is retired — its sub-techniques are realigned
• Rules referencing TA0005 still fire, but against a narrower scope; you’ll need new coverage for Impair Defenses
• Detecting Impair Defenses requires a fundamentally different approach: monitoring for absence of signals, not just suspicious events

Why Defense Evasion Got Too Big to Stay

Over time, Defense Evasion had grown into a catch-all bucket with over 40 techniques. That sounds like good coverage — but when a single tactic spans everything from obfuscating a PowerShell script to physically killing your EDR agent, something is wrong.

The problem is that these behaviors require completely different responses from defenders:

• An attacker hiding inside a legitimate process (masquerading as svchost.exe) needs a behavioral detection engine looking for anomalies in process trees.
• An attacker disabling Windows Defender before running a payload needs monitoring for registry changes, service stops, and the sudden disappearance of expected telemetry.

Bundling both under “Defense Evasion” made triage harder. A TA0005 alert could mean either. Your analyst had to figure out which. MITRE’s split forces clarity at the taxonomy level.

Stealth (TA0005): The Art of Blending In

Stealth inherits the existing TA0005 ID. If your rules already tag events with tactic: defense-evasion or ta0005, they’ll continue to work after April 28 — now scoped to Stealth behaviors specifically.

What Stealth covers: Techniques where the attacker makes malicious activity indistinguishable from legitimate behavior. The attacker isn’t attacking your security tools — they’re hiding from them.

Key techniques that land under Stealth:

The attacker’s goal: Stay in your environment long enough to accomplish the mission. Don’t trigger alerts. Move slowly, look normal.

Detecting Stealth

Stealth detection is about finding the anomaly within normal-looking activity. The attacker is present in your logs — they’re just disguised.

Detection approaches that work:

• Process anomaly detection: svchost.exe running from a non-system path, unexpected parent-child relationships
• Behavioral baselines: Script execution patterns, network connections from unusual processes
• LOLBIN abuse: System binaries executing with arguments they never use in legitimate operations

Example Sigma rule for masquerading via renamed system binary:

title: Renamed System Binary Execution
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # OriginalFileName from PE header doesn't match Image path
    OriginalFileName: 'rundll32.exe'
  filter:
    Image|endswith: '\rundll32.exe'
  condition: selection and not filter
tags:
  - attack.stealth          # v19 tactic
  - attack.ta0005           # inherited ID — still valid
  - attack.t1036.003

The key insight: in Stealth, the attack is visible in your logs — you just need the right pattern to surface it.

Impair Defenses: Breaking the Security Stack

Impair Defenses is the new tactic — it gets a fresh tactic ID that MITRE will publish on April 28. This is where the taxonomy fundamentally shifts.

What Impair Defenses covers: Techniques where the attacker actively degrades, disables, or compromises the integrity of security controls. They’re not hiding from your defenses — they’re killing them.

Key techniques that land under Impair Defenses:

The attacker’s goal: Remove visibility before executing the loud part of the operation. BYOVD (Bring Your Own Vulnerable Driver) attacks are the extreme version — load a kernel-level driver to terminate EDR from within.

Detecting Impair Defenses: A Different Problem

This is where most SOCs need to rethink their approach. Stealth detection looks for suspicious signals. Impair Defenses often manifests as the absence of expected signals.

If your EDR agent stops sending heartbeats, that’s not “no event” — that’s a high-priority alert. If Windows Security Event Log is suddenly empty for 10 minutes on a host that normally generates 1,000 events per hour, something killed the logging pipeline.

Detection strategies for Impair Defenses:

1. Heartbeat monitoring: Alert when an endpoint goes silent unexpectedly
2. Log volume baselines: Alert on sudden drops in event rate per host
3. Service integrity checks: Monitor EDR/AV service state changes
4. Registry monitoring: Key Defender/EDR registry paths
5. Privilege escalation to SYSTEM before tool kill: This sequence almost always precedes EDR termination

Example Sigma rule for EDR service termination:

title: Security Tool Service Stopped
status: experimental
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7036
    param1|contains:
      - 'CrowdStrike'
      - 'SentinelOne'
      - 'Carbon Black'
      - 'Windows Defender'
      - 'Sysmon'
    param2: 'stopped'
  condition: selection
tags:
  - attack.impair_defenses    # new v19 tactic tag
  - attack.t1562.001
level: high

The mental model shift: Impair Defenses requires monitoring for control integrity, not just event anomalies. Your security controls should be monitored like production services — with uptime checks, not just log analysis.

T1562 Is Retired — Here’s the Impact

T1562 (Impair Defenses) was both a technique and the name of the tactic it’s becoming. MITRE is retiring T1562 as a technique and elevating the concept to the tactic level. The sub-techniques (T1562.001 through T1562.011) are being reviewed and realigned under the new Impair Defenses tactic.

What this means for your rules:

• Rules targeting T1562.00x sub-techniques are largely unaffected — sub-technique IDs don’t change
• Rules targeting T1562 as a parent technique (broad technique: T1562 filters) will need updating — the parent is gone
• Crosswalk documentation will be published April 28 alongside the release

Audit your rules for broad T1562 parent matches now and flag them for post-release review.

The Operational Difference: Attack Perspective

From a red team perspective, the split reflects real tradecraft. Sophisticated operators separate these two phases deliberately:

Phase 1 — Stealth: Get in quietly. Blend with legitimate traffic. Avoid signature-based detection. Abuse LOLBins. Stay low and slow.

Phase 2 — Impair Defenses: Before executing the noisy part (lateral movement, data exfiltration, ransomware deployment), kill the eyes. Terminate the EDR. Disable AMSI. Wipe the logs. Now move fast.

These aren’t just conceptually different — they’re operationally sequential. You evade first, then you break the defenses before going loud. A red team that skips Phase 2 and just relies on stealth often gets caught during the loud phase. A red team that goes straight to Phase 2 without stealth gets detected before they even reach their target.

The ATT&CK split forces defenders to think about both phases with separate playbooks.

What to Do Before April 28

Immediate actions (before v19 drops)

• Audit all TA0005 references in your SIEM, SOAR playbooks, dashboards, and reports. Document what you have — you’ll need this list for post-release remapping.
• Identify T1562 parent-level rules (not sub-techniques). Flag these for rework — they’ll need new tactic tags once the crosswalk is published.
• Brief your analysts on the conceptual difference. Stealth and Impair Defenses require different immediate responses. When Stealth fires, you investigate quietly. When Impair Defenses fires, you treat it as an active attack in progress.

After April 28

• Apply the MITRE crosswalk to update tactic mappings in your rule library
• Add the new Impair Defenses tactic ID to all relevant rules (it will be published with v19)
• Build absence-of-signal detection: Set up heartbeat monitoring for EDR agents and log volume baselines per host
• Review SOAR routing logic: Stealth and Impair Defenses warrant different response actions — update any playbooks that route on tactic

Longer term

Impair Defenses is a signal that most SOCs have a telemetry gap. Most detection stacks are built to react to events. If your logging pipeline is killed before the attack goes loud, you’re blind. Invest in control integrity monitoring — your security tools need to be watched like production services.

The Detection Mindset Shift

Here’s the cleanest way to think about the split:

The split isn’t just taxonomy cleanup. It’s MITRE telling you that hiding and breaking are different threat models — and they are.

Related Posts

• LOLBins: Living Off the Land Attacks on Windows — Core Stealth techniques: how attackers abuse legitimate Windows binaries to blend in
• BYOVD: Bring Your Own Vulnerable Driver — The extreme end of Impair Defenses: killing EDR at the kernel level
• NTFS Alternate Data Streams: Hiding Payloads in Plain Sight — ADS is a Stealth technique landing squarely in the new TA0005
• Threat Hunting with Wazuh — Detection engineering fundamentals that apply directly to both new tactics

Sources

• Defense Evasion Split: A Tale of Two Tactics — MITRE ATT&CK (Medium)
• MITRE ATT&CK v19: How to Prepare Your SOC for the Defense Evasion Split — D3 Security
• MITRE ATT&CK is Deprecating a Tactic: 3 Takeaways — D3 Security
• MITRE Just Redrew the Map — PacketViper
• ATT&CK Enterprise: Defense Evasion (TA0005)
• ATT&CK Enterprise: Impair Defenses (T1562)