Bypass Record

Disable or Modify Tools × Microsoft Defender for Endpoint

A publicly reported instance of Disable or Modify Tools bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender for Endpoint
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2025-09-29
Config / version noted
Not stated

Provenance

Reported as

malicious WDAC policies ... block EDR executables, drivers, and services, effectively disabling endpoint detection

Mechanism

Attackers create and deploy malicious WDAC policies that deny execution of EDR components. Policies are placed in system-critical paths (e.g., the EFI system partition) so they load early in boot, before EDR agents start, or are pushed via Group Policy Objects for persistence. This prevents EDR sensors from loading, leaving endpoints unmonitored.

Detection & mitigation

Monitor for unauthorized WDAC policy changes, especially policies placed in the EFI system partition or deployed via GPO. Enforce signed WDAC policies and use tamper-protection mechanisms that prevent policy modification. Implement boot-time integrity checks to detect policy tampering before EDR initialization.
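One way to operationalize the monitoring described above on a Windows host, as an added example that is not drawn from the cited source or from any vendor tooling: snapshot every location where a WDAC policy can be staged (the CodeIntegrity folder, the EFI system partition, and the GPO registry key), hash them, diff against a saved baseline, and list recent Code Integrity policy-activation events. The baseline file path, the temporary drive letter used to mount the EFI partition, and the lookback window are assumptions chosen for this example; run it elevated.

```powershell
# Added example (not from the cited source): baseline-and-diff check for
# WDAC policy tampering in the locations a malicious policy would be staged.
# Assumed values: baseline path, EFI mount letter S:, 24-hour event lookback.
param(
    [string]$BaselinePath = "C:\ProgramData\WdacBaseline.json",  # assumed location
    [switch]$UpdateBaseline,
    [int]$LookbackHours = 24
)

$ErrorActionPreference = 'Stop'

# 1. On-disk policy locations (single-policy and multiple-policy formats).
$diskPaths = @(
    "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b",
    "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip"
)

# 2. EFI system partition: mount it temporarily to read boot-time policies.
$efiLetter = 'S:'   # assumed to be a free drive letter
mountvol $efiLetter /S | Out-Null
$efiPaths = @(
    "$efiLetter\EFI\Microsoft\Boot\SiPolicy.p7b",
    "$efiLetter\EFI\Microsoft\Boot\CiPolicies\Active\*.cip"
)

$current = @{}
try {
    $files = Get-Item -Path ($diskPaths + $efiPaths) -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $current[$f.FullName] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
finally {
    mountvol $efiLetter /D | Out-Null   # always unmount the ESP
}

# 3. GPO-deployed policy: the "Deploy Windows Defender Application Control"
#    setting writes the policy path under this key.
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
if (Test-Path $gpoKey) {
    $gpo = Get-ItemProperty -Path $gpoKey
    $current['GPO:DeployConfigCIPolicy']  = [string]$gpo.DeployConfigCIPolicy
    $current['GPO:ConfigCIPolicyFilePath'] = [string]$gpo.ConfigCIPolicyFilePath
}

# 4. Enforcement state reported by Device Guard (0 = off, 1 = audit, 2 = enforced).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$current['State:KernelCI'] = [string]$dg.CodeIntegrityPolicyEnforcementStatus
$current['State:UserCI']   = [string]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

# 5. Diff against the baseline: new, removed, or changed entries all merit
#    review, since a legitimate policy update should match a change record.
$baseline    = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baselineMap = @{}
foreach ($p in $baseline.PSObject.Properties) { $baselineMap[$p.Name] = $p.Value }

$keys = (@($baselineMap.Keys) + @($current.Keys)) | Sort-Object -Unique
foreach ($k in $keys) {
    $old = $baselineMap[$k]; $new = $current[$k]
    if ($null -eq $old)     { Write-Warning "NEW     $k = $new" }
    elseif ($null -eq $new) { Write-Warning "REMOVED $k (was $old)" }
    elseif ($old -ne $new)  { Write-Warning "CHANGED $k : $old -> $new" }
}

# 6. Policy activation/refresh events (ID 3099) show when a policy was
#    (re)loaded; timestamps should line up with planned changes.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it once with -UpdateBaseline on a known-good host to record the expected hashes and enforcement state, then schedule the plain invocation; any NEW, REMOVED or CHANGED line, or a 3099 event outside a change window, is the signal to investigate. Hashing the EFI copy separately from the System32 copy matters because the boot-time policy is the one that decides whether the EDR driver loads at all.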

Disable or Modify Tools has also been recorded against

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.