Bypass Record

Disable or Modify Tools × multiple commercial EDR/AV vendors (various commercial EDR/AV products)

A publicly-reported instance of Disable or Modify Tools bypassing multiple commercial EDR/AV vendors (various commercial EDR/AV products), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
multiple commercial EDR/AV vendors (various commercial EDR/AV products)
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
Medium
Severity
High
Status
poc
Disclosed
2026-01-11
Config / version noted
Not stated

Provenance

Reported as

targets the EDR before it fully starts by running as a higher-priority service, effectively preventing endpoint protection from loading

Mechanism

Creates a service with higher priority than the target EDR service. Uses Bindlink to redirect a specific DLL (one outside KnownDLLs) from System32 to a copy whose signature has been invalidated. When the EDR process starts, PPL (Protected Process Light) enforcement refuses to load the unsigned DLL, and the process terminates. The redirect is removed afterward to avoid system-wide impact.

Detection & mitigation

Monitor for creation of services with higher priority than security services, and for Bindlink API calls (e.g., via ETW or Sysmon Event ID 1 with command-line arguments) that redirect DLLs from System32 to unsigned copies. Mitigation includes enforcing least privilege to prevent service creation and protecting the Bindlink configuration from unauthorized changes.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.