Disable or Modify Tools × various AV/EDR vendors various endpoint security products with exclusion features

A publicly-reported instance of Disable or Modify Tools bypassing various AV/EDR vendors various endpoint security products with exclusion features, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

various AV/EDR vendors various endpoint security products with exclusion features

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

Medium

Severity

High

Status

poc

Disclosed

2024-08-11

Config / version noted

Not stated

Provenance

dazzyddos.github.io
disclosed 2024-08-11 · original source · via raw

Reported as

abuse antivirus/EDR exclusion paths, processes, and extensions to bypass detection

Mechanism

Attackers enumerate configured exclusions (paths, processes, extensions) via PowerShell cmdlets (admin required) or by parsing Windows Defender operational logs (standard user readable). Once exclusions are known, malware or tools are placed in excluded folders, executed as excluded processes, or use excluded extensions to avoid scanning. This defeats real-time protection and on-demand scans by exploiting the trust model of exclusions.

Detection & mitigation

Monitor Windows Defender operational logs (Event ID 5007) for exclusion modifications and regularly review configured exclusions for anomalies. Implement alerting on suspicious processes executing from or writing to excluded paths, and enforce strict change control on exclusion lists.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes Microsoft multiple commercial EDR/AV vendors Palo Alto Palo Alto Networks

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.