Bypass Record

Tamper-Protection Bypass × Microsoft Defender for Endpoint

A publicly-reported instance of a Tamper-Protection Bypass against Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender for Endpoint
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2025-10-10
Config / version noted
Not stated

Provenance

Reported as

Microsoft Defender for Endpoint's cloud backend does not validate authentication tokens on several endpoints

Mechanism

By patching Defender's certificate pinning in memory, researchers were able to intercept the agent's cloud traffic and found that the /edr/commands/cnc endpoint ignores both the Authorization token and the Msadeviceticket value. Because the endpoint is pull-based, an attacker who knows a device's machine-ID and tenant-ID (both obtainable by low-privileged users) can poll it directly, receive pending commands before the legitimate agent does, and then spoof responses to those commands or upload fabricated data to the Azure Blob URIs the backend provides.
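The following is an added example, not code from the cited research or from Microsoft: a toy model of a pull-based command endpoint that shows why ignoring the caller's token lets anyone who knows the tenant and machine identifiers take the next queued command and submit a forged result, and how binding the request to a device secret closes that gap. Every identifier, the HMAC token scheme and the queue layout are hypothetical and constructed for this illustration; none of it reflects Defender's real protocol or schema.

```python
# Added example (not code from the cited research or from Microsoft): a toy
# model of a pull-based command endpoint. validate_tokens=False models the
# reported behaviour (tokens ignored); validate_tokens=True is the hardened
# form. All names, IDs and the token scheme are hypothetical.
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


def device_token(key: bytes, tenant_id: str, machine_id: str) -> str:
    """Hypothetical device-bound token: HMAC over the identity pair with a
    secret only the enrolled agent holds. The identifiers alone are public."""
    msg = f"{tenant_id}:{machine_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CommandBackend:
    """Pull-based command queue keyed by (tenant_id, machine_id)."""

    def __init__(self, validate_tokens: bool):
        self.validate_tokens = validate_tokens
        self.queues = defaultdict(deque)   # (tenant, machine) -> pending commands
        self.device_keys = {}              # (tenant, machine) -> enrollment secret
        self.results = {}                  # command id -> accepted result payload

    def enroll(self, tenant_id, machine_id):
        key = secrets.token_bytes(32)
        self.device_keys[(tenant_id, machine_id)] = key
        return key

    def queue_command(self, tenant_id, machine_id, command):
        self.queues[(tenant_id, machine_id)].append(command)

    def _authorised(self, tenant_id, machine_id, token):
        key = self.device_keys.get((tenant_id, machine_id))
        if key is None or token is None:
            return False
        return hmac.compare_digest(device_token(key, tenant_id, machine_id), token)

    def pull(self, tenant_id, machine_id, token=None):
        """Hand out the next pending command. Whoever polls first gets it."""
        if self.validate_tokens and not self._authorised(tenant_id, machine_id, token):
            return {"status": 401, "command": None}
        queue = self.queues[(tenant_id, machine_id)]
        return {"status": 200, "command": queue.popleft() if queue else None}

    def report(self, tenant_id, machine_id, command_id, payload, token=None):
        """Accept a result for a command; in the vulnerable mode anyone can submit one."""
        if self.validate_tokens and not self._authorised(tenant_id, machine_id, token):
            return 401
        self.results[command_id] = payload
        return 200


def race(validate_tokens: bool):
    """Constructed scenario: the attacker polls before the legitimate agent.
    The sequential calls stand in for winning the timing race on a real
    pull-based endpoint."""
    backend = CommandBackend(validate_tokens)
    tenant, machine = "tenant-A", "machine-1"          # constructed identifiers
    key = backend.enroll(tenant, machine)
    backend.queue_command(tenant, machine, {"id": "cmd-1", "action": "collect_package"})

    # Attacker: knows the identifiers, holds no enrollment secret, sends no token.
    attacker_pull = backend.pull(tenant, machine)
    attacker_report = backend.report(tenant, machine, "cmd-1",
                                     {"status": "ok", "data": "forged"})

    # Legitimate agent polls afterwards with its real device-bound token.
    agent_pull = backend.pull(tenant, machine, token=device_token(key, tenant, machine))
    return {
        "attacker_got_command": attacker_pull["command"] is not None,
        "attacker_report_accepted": attacker_report == 200,
        "agent_got_command": agent_pull["command"] is not None,
        "recorded_result": backend.results.get("cmd-1"),
    }


if __name__ == "__main__":
    print("vulnerable:", race(validate_tokens=False))
    print("hardened:  ", race(validate_tokens=True))
```

In the vulnerable mode the attacker drains the command and the backend records the forged result, while the agent that polls afterwards sees an empty queue; in the hardened mode both attacker calls are refused with 401 and the agent receives the command. The point of the model is that identifiers are not credentials: a pull endpoint has to verify something only the enrolled device can produce, or the first caller with the IDs owns the channel.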

Detection & mitigation

Monitor for in-memory tampering with Defender's certificate pinning (API hooking, memory patching) using EDR telemetry or integrity checks, bearing in mind that in the reported research this patching was the method used to inspect the cloud traffic, not a prerequisite for exploitation: an attacker who already holds a machine-ID and tenant-ID does not need to touch the agent. Enforce tamper protection and restrict local admin privileges to limit interference with the agent itself. Validating authentication tokens on the cloud side is a backend fix that only the vendor can apply; until that is confirmed, treat command responses and uploaded data attributed to a device as potentially attacker-supplied when investigating.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.