Bypass Record
Disable or Modify Tools × Velociraptor
A publicly reported instance of Disable or Modify Tools bypassing Velociraptor, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Attackers deploy a WDAC policy (as a .cip file) that contains block rules targeting EDR executables, drivers, or file paths. The policy is applied via WMI or direct file placement, then the system is rebooted to enforce it. WDAC blocks the specified EDR binaries from executing, effectively disabling the security agent. Rules can use file path, file name, file description, or file signature attributes. Kernel-mode drivers cannot be blocked by file path rules, but user-mode components and some drivers can be stopped.
Detection & mitigation
Monitor for creation or modification of WDAC policy files (*.cip) in %SystemRoot%\System32\CodeIntegrity\ and policy activation events (e.g., WMI activity, Event ID 3099). Mitigation: enforce WDAC policies via a secure, centrally managed process and restrict local policy modification to authorized administrators only.
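The following PowerShell triage script is an added example, not code from the cited source or from the Velociraptor project. It inventories the policy files under CodeIntegrity and pulls recent policy-activation events (Event ID 3099, from the page) alongside enforcement-block events (Event ID 3077, a known CodeIntegrity event not mentioned on the page); the agent name used to filter block messages and the CiPolicies\Active subfolder are assumptions.

```powershell
# Added example: spot an unexpected WDAC policy push of the kind described above.
param(
    [int]$LookbackHours = 24,
    # Assumption: substring matched against 3077 block messages to find hits on the agent.
    [string]$AgentName = 'Velociraptor'
)

$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$since  = (Get-Date).AddHours(-$LookbackHours)

# 1. Policy files on disk: *.cip (multiple-policy format, normally under CiPolicies\Active)
#    and SIPolicy.p7b (legacy single-policy format). Hash them so a later diff is possible.
$policyFiles = Get-ChildItem -Path $ciRoot -Recurse -Include '*.cip', 'SIPolicy.p7b' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            Recent   = ($_.LastWriteTime -ge $since)
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. Policy activation (3099) and enforcement block (3077) events from the CodeIntegrity log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue

$activations = @($events | Where-Object Id -eq 3099)
$blocks      = @($events | Where-Object { $_.Id -eq 3077 -and $_.Message -match $AgentName })

"Policy files under ${ciRoot}:"
$policyFiles | Format-Table Path, Modified, Recent, SHA256 -AutoSize

"Policy activations (3099) since $since : $($activations.Count)"
$activations | Select-Object TimeCreated, Message | Format-List

"Blocks (3077) mentioning '$AgentName' since $since : $($blocks.Count)"
$blocks | Select-Object TimeCreated, Message | Format-List

# Triage rule: a policy file written inside the window plus a 3099 activation is the
# sequence described in the Mechanism section; confirm it against change management.
if (@($policyFiles | Where-Object Recent).Count -gt 0 -and $activations.Count -gt 0) {
    Write-Warning 'Recent WDAC policy file change and activation detected; verify it was authorized.'
}
```

Run it from an elevated prompt, since reading the CodeIntegrity folder and operational log requires administrator rights.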
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.