Bypass Record
Disable or Modify Tools × Microsoft Defender Antivirus
A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The tool reportedly disables tamper-protection functionality and terminates the endpoint agent process, leaving the security product unable to provide protection. The exact technical method (e.g., kernel driver abuse, process termination, or tamper bypass) is not detailed in the article.
Detection & mitigation
Monitor for unexpected termination of security agent processes (e.g., via Sysmon Event ID 5 or Windows Security Event ID 4689) and for attempts to disable tamper protection. Implement application allowlisting to block unauthorized executables from running.
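A minimal detection over the two event types named above, added here as an illustrative example rather than anything from the cited source. It assumes a SIEM has already extracted the event fields into dictionaries (Sysmon EID 5 carries Image, Security EID 4689 carries ProcessName), and the watchlist of Defender process names and all sample events are constructed for the example.

```python
import re

# Assumed watchlist of Microsoft Defender Antivirus service images (lowercase
# basenames); tune to the agent actually deployed in your environment.
WATCHED_IMAGES = {"msmpeng.exe", "nissrv.exe", "mpdefendercoreservice.exe"}

# Constructed sample events shaped like SIEM-extracted fields from
# Sysmon Event ID 5 (process terminated) and Security Event ID 4689 (process exited).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 5, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 4120},
    {"source": "Sysmon", "event_id": 5, "ProcessId": 3008,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0\MsMpEng.exe"},
    {"source": "Security", "event_id": 4689, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Program Files\Windows Defender\NisSrv.exe"},
    {"source": "Security", "event_id": 4689, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"source": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # process create, ignored
]


def image_basename(path):
    """Lowercased final path component; accepts backslash or forward-slash separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def termination_image(event):
    """Return the terminated image path for a termination event, otherwise None."""
    if event.get("source") == "Sysmon" and event.get("event_id") == 5:
        return event.get("Image")
    if event.get("source") == "Security" and event.get("event_id") == 4689:
        return event.get("ProcessName")
    return None


def find_agent_terminations(events, watched=WATCHED_IMAGES):
    """Flag termination events whose image basename is on the security-agent watchlist."""
    alerts = []
    for ev in events:
        image = termination_image(ev)
        if image is None:
            continue  # not a termination event, or the field was missing
        if image_basename(image) in watched:
            alerts.append({"source": ev["source"], "event_id": ev["event_id"],
                           "image": image, "user": ev.get("SubjectUserName")})
    return alerts


if __name__ == "__main__":
    for alert in find_agent_terminations(SAMPLE_EVENTS):
        print(f"ALERT security agent exited: {alert}")
```

Expect benign hits during Defender platform updates and reboots, so correlate each alert with what stopped the process before escalating.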
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.