Bypass Record
Disable or Modify Tools × Microsoft Defender Antivirus
A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Using the App Control Policy Wizard, an administrator authors a custom WDAC policy that contains a deny rule for MsMpEng.exe, the image behind the Windows Defender Antivirus service (WinDefend). The compiled policy is dropped into C:\Windows\System32\CodeIntegrity (as SiPolicy.p7b in the legacy single-policy layout, or as a {PolicyGUID}.cip under CiPolicies\Active in the multiple-policy format) and takes effect at the next reboot. From then on Code Integrity refuses to load MsMpEng.exe, the WinDefend service cannot start, and real-time protection stays off: the product is not misconfigured, it is simply never allowed to run. Writing to that directory requires local administrator rights, so this is a post-compromise defence-evasion step, not a privilege escalation.
Detection & mitigation
Monitor for creation or modification of WDAC policy files under C:\Windows\System32\CodeIntegrity\ (including CiPolicies\Active\), especially policies that carry deny rules for security-product binaries such as MsMpEng.exe. Enforce tamper protection and restrict local admin privileges so that unauthorized policy changes cannot be written in the first place.
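As an added host-triage script for this record (not code from the cited source, and not an assessment of any deployment), the following PowerShell pulls together the checks a responder would run when this technique is suspected: recently written policy artefacts in the two policy directories, any policy XML source left behind by the wizard whose Deny rules name a Defender image, the Microsoft-Windows-CodeIntegrity/Operational events for policy activation (3099) and enforced blocks (3077), the user-mode enforcement state from the DeviceGuard WMI class, and the live state of WinDefend. The seven-day look-back and the watch list of Defender images are the author's assumptions, not values from the record.

```powershell
# Added example for this record, not code from the cited source.
# Assumes an elevated PowerShell session on the host under review. Event IDs
# 3077/3099, the policy paths, Win32_DeviceGuard and Get-MpComputerStatus are
# documented Windows interfaces; the watch list and look-back are assumptions.

function Find-WdacDefenderTamper {
    param(
        [int]$LookbackDays = 7,
        # Assumed watch list of Defender service images; extend for your estate.
        [string[]]$Watch = @('MsMpEng.exe', 'NisSrv.exe', 'MsSense.exe')
    )
    $since      = (Get-Date).AddDays(-$LookbackDays)
    $ciRoot     = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
    $policyDirs = @($ciRoot, (Join-Path $ciRoot 'CiPolicies\Active'))
    $findings   = [System.Collections.Generic.List[object]]::new()

    # 1. Policy artefacts written inside the window: SiPolicy.p7b (single policy),
    #    *.cip (multiple-policy format) or a leftover XML source from the wizard.
    Get-ChildItem -Path $policyDirs -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in @('.p7b', '.cip', '.xml')) -and ($_.LastWriteTime -ge $since) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check  = 'RecentPolicyFile'
                Detail = "$($_.FullName) written $($_.LastWriteTime)"
            })
        }

    # 2. Any policy XML still on disk whose Deny rules name a watched binary.
    #    PowerShell's [xml] dot-walk ignores the sipolicy namespace, so
    #    SiPolicy.FileRules.Deny resolves directly.
    Get-ChildItem -Path $policyDirs -Filter '*.xml' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { [xml]$doc = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction Stop } catch { return }
            foreach ($deny in @($doc.SiPolicy.FileRules.Deny)) {
                if (-not $deny) { continue }
                $target = "$($deny.FileName) $($deny.FilePath)"
                foreach ($w in $Watch) {
                    if ($target -like "*$w*") {
                        $findings.Add([pscustomobject]@{
                            Check  = 'DenyRuleForSecurityProduct'
                            Detail = "$($_.FullName): Deny $($deny.ID) targets $w"
                        })
                    }
                }
            }
        }

    # 3. Code Integrity operational log: 3099 = policy refreshed/activated,
    #    3077 = file blocked in enforced mode. A 3077 that names MsMpEng.exe is
    #    the direct symptom of this technique.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077, 3099; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in @($events)) {
        if (-not $e) { continue }
        $hit = ($e.Id -eq 3099) -or ($Watch | Where-Object { $e.Message -like "*$_*" })
        if ($hit) {
            $findings.Add([pscustomobject]@{
                Check  = "CodeIntegrityEvent$($e.Id)"
                Detail = "$($e.TimeCreated): " + ($e.Message -split "`n")[0]
            })
        }
    }

    # 4. Is a user-mode policy actually enforced (0 = off, 1 = audit, 2 = enforced),
    #    and is Defender actually running?
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $findings.Add([pscustomobject]@{
            Check  = 'UmciEnforcement'
            Detail = "UsermodeCodeIntegrityPolicyEnforcementStatus=$($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"
        })
    }
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Check  = 'DefenderState'
        Detail = "WinDefend=$($svc.Status) RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled) IsTamperProtected=$($mp.IsTamperProtected)"
    })

    return $findings
}

Find-WdacDefenderTamper | Format-Table -AutoSize -Wrap
```

A positive for this record looks like a recent .cip or SiPolicy.p7b, a 3099 at the following boot, a 3077 naming MsMpEng.exe shortly after, enforcement status 2, and WinDefend stopped. The IsTamperProtected field is context only: the script cannot tell you whether tamper protection would have stopped the policy file being written, so treat the file and event checks, not the Defender status line, as the evidence.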
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.