Bypass Record

Tamper-Protection Bypass × Microsoft Defender Antivirus

A publicly reported instance of a Tamper-Protection Bypass against Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender Antivirus
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-06-05
Config / version noted: Not stated

Provenance

Reported as

This blinds Microsoft Defender for Endpoint (MDE) telemetry and activity monitoring

Mechanism

The PoC uses admin privileges to obtain a TrustedInstaller token, then deletes the WdFilter altitude registry key, which causes the minidriver to fail to attach after a reboot or after waiting for it to unload. It then modifies the TamperProtection and Real-time Monitoring registry keys to disable Defender/MDE components.

Detection & mitigation

Monitor for deletion or modification of the WdFilter altitude registry key (HKLM\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance\Altitude) and unexpected changes to Defender tamper protection or real-time monitoring registry keys. Enforce tamper protection via Microsoft Defender for Endpoint's built-in safeguards and restrict TrustedInstaller token abuse by limiting admin privileges and monitoring for token manipulation events (e.g., Event ID 4672 with SeTakeOwnershipPrivilege).
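The following PowerShell script is an added example of a point-in-time defensive check built around the indicators listed above; it is not code from the cited source or from Microsoft. It assumes that Get-MpComputerStatus exposes the IsTamperProtected and RealTimeProtectionEnabled properties, that the Real-Time Protection policy path shown is the one in use on the host, and that the Security log is readable (run elevated).

```powershell
# Added defensive check; not from the cited source. Assumptions: Get-MpComputerStatus
# exposes IsTamperProtected / RealTimeProtectionEnabled, the policy path below is the
# one in effect on this build, and the Security log is readable (run elevated).

$AltitudeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance'
$RtPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

function Test-WdFilterAltitude {
    # The minidriver attaches by its Altitude value; a missing value means WdFilter
    # will not load on the next boot (the condition the PoC creates).
    $item = Get-ItemProperty -Path $AltitudeKey -Name Altitude -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Check = 'WdFilter altitude'; Ok = $false
                                  Detail = 'Altitude value missing under WdFilter Instance' }
    }
    [pscustomobject]@{ Check = 'WdFilter altitude'; Ok = $true; Detail = "Altitude = $($item.Altitude)" }
}

function Test-DefenderState {
    # Effective state as Defender itself reports it, rather than raw registry values.
    $s = Get-MpComputerStatus
    @(
        [pscustomobject]@{ Check = 'Tamper protection';    Ok = [bool]$s.IsTamperProtected
                           Detail = "IsTamperProtected = $($s.IsTamperProtected)" }
        [pscustomobject]@{ Check = 'Real-time protection'; Ok = [bool]$s.RealTimeProtectionEnabled
                           Detail = "RealTimeProtectionEnabled = $($s.RealTimeProtectionEnabled)" }
    )
}

function Test-RealtimePolicyOverride {
    # DisableRealtimeMonitoring = 1 under the policy key forces real-time scanning off.
    $p = Get-ItemProperty -Path $RtPolicyKey -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    $forcedOff = ($null -ne $p) -and ($p.DisableRealtimeMonitoring -eq 1)
    [pscustomobject]@{ Check = 'Real-time policy override'; Ok = -not $forcedOff
                       Detail = if ($forcedOff) { 'DisableRealtimeMonitoring=1 set by policy' } else { 'no override' } }
}

function Get-TakeOwnershipLogons {
    param([int]$Hours = 24)
    # Event 4672 ("Special privileges assigned to new logon"). Its event data fields are
    # SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList,
    # so Properties[1]/[2] give the account. Filtered to SeTakeOwnershipPrivilege as the
    # source suggests; expect admin logons here, so review for unexpected accounts/times.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SeTakeOwnershipPrivilege' } |
        Select-Object TimeCreated,
            @{ n = 'Account'; e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } }
}

function Invoke-DefenderTamperCheck {
    $results = @(Test-WdFilterAltitude) + @(Test-DefenderState) + @(Test-RealtimePolicyOverride)
    $results | Format-Table Check, Ok, Detail -AutoSize
    $failed = $results | Where-Object { -not $_.Ok }
    if ($failed) { Write-Warning "$($failed.Count) check(s) failed; review recent privileged logons:" }
    Get-TakeOwnershipLogons -Hours 24 | Format-Table -AutoSize
    return $results
}

Invoke-DefenderTamperCheck
```

This is a snapshot, not a sensor: the Altitude value can be deleted and the host rebooted between two runs. For continuous detection, apply a SACL to the WdFilter Instance key and the Defender feature keys so that object-access auditing records modification and deletion events (4657/4663) at the time they happen, and forward those alongside 4672 to the SIEM.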

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.