Bypass Record

Masquerading × Microsoft Defender

A publicly reported instance of Masquerading bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender
Technique: Masquerading
MITRE ATT&CK: T1036
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-07-14
Config / version noted: Not stated

Provenance

Reported as

Defendnot ... registers a fake antivirus using the Windows Security Center API to disable Microsoft Defender.

Mechanism

Defendnot abuses the Windows Security Center (WSC) API, through which a legitimate antivirus product registers itself; when another product is registered, Defender disables itself to avoid conflicts. The tool injects a DLL into Taskmgr.exe (a trusted, signed process) to get past the Protected Process Light (PPL) and signature checks that guard the API, then registers a fake antivirus, causing Defender to turn off.

Detection & mitigation

Monitor for unexpected WSC API registrations (e.g., via Event ID 300 from Microsoft-Windows-Windows Defender/Operational, or changes to HKLM\SOFTWARE\Microsoft\Security Center\Provider) and for process injection into signed binaries such as Taskmgr.exe, using Sysmon Event ID 8 (CreateRemoteThread) or Event ID 10 (ProcessAccess). Mitigate by enforcing application control and restricting WSC API access to authorized security products only.
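The two signals above (injection into a signed host process, then a write under the WSC provider key) are more useful correlated than alerted on separately, since each alone is noisy. The following is an added example, not code from the cited source or the Defendnot project: it runs the correlation over a handful of constructed Sysmon-style event records. Field names follow Sysmon's schema (EventID, UtcTime, SourceImage, TargetImage, GrantedAccess, TargetObject); using Sysmon Event ID 13 (RegistryEvent, value set) as the registry telemetry source is this example's assumption, as is the site-specific allowlist of security products permitted to write the provider key.

```python
"""Correlate Sysmon events for the WSC-provider registration pattern.

Added example; the event records below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

# Process access rights that indicate injection rather than a benign query.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Registry key named on the page; Sysmon normalises the hive prefix to HKLM.
WSC_PROVIDER_KEY = r"hklm\software\microsoft\security center\provider"

# Signed host processes worth watching for injection (page names Taskmgr.exe).
SIGNED_HOST_PROCESSES = {r"c:\windows\system32\taskmgr.exe"}

# Hypothetical site allowlist: products authorised to register with WSC.
ALLOWED_WSC_WRITERS = {r"c:\program files\exampleav\exampleav.exe"}

# Constructed sample events (Sysmon-style field names).
EVENTS = [
    {"EventID": 10, "UtcTime": "2025-07-14 10:01:02.100",
     "SourceImage": r"C:\Users\user\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\Taskmgr.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "UtcTime": "2025-07-14 10:01:02.300",
     "SourceImage": r"C:\Users\user\Downloads\loader.exe",
     "TargetImage": r"C:\Windows\System32\Taskmgr.exe"},
    {"EventID": 13, "UtcTime": "2025-07-14 10:01:05.000",
     "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Provider"
                     r"\Av\{GUID-PLACEHOLDER-1}\DISPLAYNAME"},
    # Benign: an allowlisted security product updating its own provider entry.
    {"EventID": 13, "UtcTime": "2025-07-14 11:30:00.000",
     "Image": r"C:\Program Files\ExampleAV\ExampleAV.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\Provider"
                     r"\Av\{GUID-PLACEHOLDER-2}\STATE"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def injection_events(events):
    """Event 8 (remote thread) or Event 10 (handle with write/thread rights)
    whose target is one of the monitored signed binaries."""
    hits = []
    for e in events:
        if e.get("TargetImage", "").lower() not in SIGNED_HOST_PROCESSES:
            continue
        if e["EventID"] == 8:
            hits.append(e)
        elif e["EventID"] == 10 and int(e["GrantedAccess"], 16) & INJECTION_RIGHTS:
            hits.append(e)
    return hits


def wsc_provider_writes(events):
    """Event 13 value-set under the WSC provider key by a non-allowlisted image."""
    return [e for e in events
            if e["EventID"] == 13
            and e.get("TargetObject", "").lower().startswith(WSC_PROVIDER_KEY)
            and e.get("Image", "").lower() not in ALLOWED_WSC_WRITERS]


def correlate(events, window=timedelta(minutes=10)):
    """For each suspicious provider-key write, look back within `window` for
    injection into the very process that performed the write. A write with a
    preceding injection is rated high; an unexplained write stays medium."""
    alerts = []
    injections = injection_events(events)
    for w in wsc_provider_writes(events):
        t_write = parse_time(w["UtcTime"])
        related = [i for i in injections
                   if i["TargetImage"].lower() == w["Image"].lower()
                   and timedelta(0) <= t_write - parse_time(i["UtcTime"]) <= window]
        alerts.append({
            "time": w["UtcTime"],
            "writer": w["Image"],
            "key": w["TargetObject"],
            "preceded_by_injection": bool(related),
            "injector": related[0]["SourceImage"] if related else None,
            "severity": "high" if related else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The allowlist is what keeps this from firing on every legitimate product update; it has to be maintained per estate, and a write from an allowlisted path should still be checked against the binary's signature where the telemetry carries it.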


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.