Disable or Modify Tools × Microsoft Defender for Endpoint

A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR.

An attacker with low privileges registers a specific ALPC port name (e.g., via a scheduled task at user logon) before the EDR agent starts. When the EDR attempts to register the same port, the initialization fails because the port already exists, causing the user-mode service to crash or enter a non-functional state. This bypasses detection because kernel components lack detection logic (except partially in CrowdStrike).

Monitor for unexpected ALPC port registrations by non-EDR processes, especially those matching known EDR port names, using tools like Sysmon Event ID 7 (Image Loaded) or custom ETW providers. Mitigate by ensuring EDR agents verify port availability before initialization and implement fallback mechanisms, and restrict low-privileged users from creating ALPC ports via security policy.