Disable or Modify Tools × Microsoft Defender Antivirus

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Defender Antivirus

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-08-11

Config / version noted

Not stated

Provenance

dazzyddos.github.io
disclosed 2024-08-11 · original source · via raw

Reported as

enumerate exclusions from Windows Defender operational logs without administrative privileges

Mechanism

Attackers enumerate configured exclusions (paths, processes, extensions) via PowerShell cmdlets (admin required) or by parsing Windows Defender operational logs (standard user readable). Once exclusions are known, malware or tools are placed in excluded folders, executed as excluded processes, or use excluded extensions to avoid scanning. This defeats real-time protection and on-demand scans by exploiting the trust model of exclusions.

Detection & mitigation

Monitor Windows Defender operational logs (Event ID 5007) for exclusion modifications and regularly review configured exclusions for anomalies. Implement alerting on suspicious processes executing from or writing to excluded paths, and enforce strict change control on exclusion lists.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes multiple commercial EDR/AV vendors Palo Alto Palo Alto Networks Riot Games

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.