Bypass Record
Disable or Modify Tools × Microsoft Windows Defender
A publicly reported instance of Disable or Modify Tools bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
A malicious LNK file inside a ZIP archive executes an embedded PowerShell command that downloads and runs an HTA file from a CDN. The HTA executes JavaScript to decode and run a PowerShell decrypter, which loads a PowerShell loader in memory. The loader drops a batch script that uses FoDHelper.exe to bypass UAC and adds the ProgramData folder to Windows Defender exclusions, then downloads and executes the final infostealer payload from that excluded folder.
Detection & mitigation
Monitor for suspicious LNK file execution spawning PowerShell with encoded commands or downloading from CDN domains. Detect batch scripts adding Windows Defender exclusions via PowerShell (Add-MpPreference -ExclusionPath). Audit FoDHelper.exe execution and registry modifications under HKCU\Software\Classes\ms-settings\shell\open\command. Block execution of scripts from temporary folders and restrict ProgramData write permissions.
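As an added example (not code from the cited report), a small Python triage that encodes the indicators listed above and runs them over constructed process-creation and registry-set events; the event schema and sample values are assumptions, and the exclusion rule is widened to cover the other Add-MpPreference exclusion parameters as well as -ExclusionPath.

```python
import ntpath
import re
# Simplified process-creation ("proc") and registry-set ("reg") events, loosely
# modelled on Sysmon event IDs 1 and 13. All records are CONSTRUCTED for this
# example; none are telemetry from the cited report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "proc", "image": PS, "cmdline": "powershell.exe -w hidden -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "proc", "image": r"C:\Windows\System32\fodhelper.exe", "cmdline": "fodhelper.exe"},
    {"type": "reg", "key": r"HKCU\Software\Classes\ms-settings\shell\open\command"},
    {"type": "proc", "image": PS, "cmdline": r"powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"type": "proc", "image": r"C:\ProgramData\update.exe", "cmdline": "update.exe"},
    {"type": "proc", "image": r"C:\Program Files\Git\git.exe", "cmdline": "git pull"},  # benign control
]

# -e / -ec / -enc / -EncodedCommand followed by a payload; -ExecutionPolicy does not match.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+\S")
# Any Add-MpPreference exclusion parameter, not only -ExclusionPath.
EXCLUSION_CMD = re.compile(r"(?i)add-mppreference\b.*-exclusion(?:path|process|extension)\b")
MS_SETTINGS_KEY = r"\software\classes\ms-settings\shell\open\command"

def proc_rules(e):
    """Return the rule names a process-creation event trips."""
    hits, image, cmd = [], e["image"], e["cmdline"]
    exe = ntpath.basename(image).lower()  # ntpath so Windows paths split correctly on any host
    if exe in ("powershell.exe", "pwsh.exe") and ENCODED_FLAG.search(cmd):
        hits.append("encoded_powershell")
    if EXCLUSION_CMD.search(cmd):
        hits.append("defender_exclusion")
    if exe == "fodhelper.exe":
        hits.append("fodhelper_exec")
    if image.lower().startswith("c:\\programdata\\"):
        hits.append("programdata_exec")
    return hits

def triage(events):
    """Map every event to (index, rule) pairs for each rule it matched."""
    findings = []
    for i, e in enumerate(events):
        rules = proc_rules(e) if e["type"] == "proc" else (
            ["ms_settings_hijack"] if MS_SETTINGS_KEY in e["key"].lower() else [])
        findings.extend((i, r) for r in rules)
    return findings

def matches_chain(findings):
    """True when a UAC-bypass stage, the exclusion and execution from the excluded folder all appear."""
    names = {r for _, r in findings}
    return {"defender_exclusion", "programdata_exec"} <= names and bool(names & {"fodhelper_exec", "ms_settings_hijack"})
```

The individual rules are noisy on their own (administrators do add exclusions); matches_chain is the part worth alerting on, since the three stages together are the sequence this record describes.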
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.