Disable or Modify Tools × Microsoft Defender

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Microsoft Defender

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2024-05-29

Config / version noted

Not stated

Provenance

cybernoz.com
disclosed 2024-05-29 · original source · via raw

Reported as

disables Microsoft Defender and firewall by abusing the undocumented Windows Security Center (WSC) API

Mechanism

The tool reverse-engineers the WSC API, which allows registered antivirus products to signal their presence to Windows, thereby disabling Defender. It leverages a signed Avast executable (wsc_proxy.exe) to interact with the WSC service and register a fake AV, effectively turning off Defender and firewall. The technique requires admin rights and persists across reboots by adding the Avast module to autorun.

Detection & mitigation

Monitor for unexpected changes to Windows Security Center registrations, such as the appearance of unknown antivirus products. Alert on the execution of wsc_proxy.exe outside of legitimate Avast installations, and enforce least-privilege access to limit admin account usage.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes multiple commercial EDR/AV vendors Palo Alto Palo Alto Networks Riot Games

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.