Bypass Record

Disable or Modify Tools × Microsoft Windows Defender

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2025-11-17
Config / version noted: Not stated

Provenance

Reported as

SilentButDeadly uses WFP dynamic sessions to block network communication of EDR and AV processes, neutralizing their cloud-dependent security functions. It targets processes like Windows Defender ATP.

Mechanism

SilentButDeadly enumerates EDR/AV processes, then creates high-priority bidirectional WFP filters in a dynamic session to block all network traffic for those processes. This severs cloud connectivity, disabling telemetry, threat intelligence updates, and remote commands without terminating processes or using kernel manipulation. Filters are automatically removed when the tool exits, reducing forensic traces.

Detection & mitigation

Monitor for WFP filter additions via Event ID 5157 (Windows Filtering Platform) or ETW providers like Microsoft-Windows-WFP, especially dynamic sessions targeting security product processes. Mitigation: enforce least-privilege to limit admin rights, and use endpoint logging to alert on unexpected WFP rule creation.
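As an added defender-side example (not from the cited report or the tool's own code): a small Python checker that parses constructed Security-log records and flags Event ID 5157 blocked-connection entries whose blocked application is a Defender process, since severing Defender's traffic with WFP filters leaves exactly that trail. The process-name list, the sample paths and the alert threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Defender executable names (assumption: illustrative list; extend for the
# security products deployed in your environment).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "senseir.exe", "nissrv.exe"}

# Security-log 5157 records carry their fields as <Data Name='...'> elements.
_FIELD = re.compile(r"<Data Name='(\w+)'>([^<]*)</Data>")
_EVENT_ID = re.compile(r"<EventID>(\d+)</EventID>")

def parse_event(xml: str) -> dict:
    """Return the EventID plus the EventData fields of one event record."""
    fields = dict(_FIELD.findall(xml))
    m = _EVENT_ID.search(xml)
    fields["EventID"] = int(m.group(1)) if m else -1
    return fields

def blocked_security_process(event: dict) -> bool:
    """True when a 5157 record shows a security product binary being blocked."""
    if event.get("EventID") != 5157:
        return False
    app = event.get("Application", "").replace("/", "\\").rsplit("\\", 1)[-1]
    return app.lower() in SECURITY_PROCESSES

def alert_summary(records, threshold: int = 3) -> dict:
    """Count blocks per (application, FilterRTID) and return those at or above
    threshold: one block is noise, a stream on one filter means severed traffic."""
    counts = Counter()
    for xml in records:
        ev = parse_event(xml)
        if blocked_security_process(ev):
            counts[(ev["Application"], ev.get("FilterRTID", "?"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample records (not captured from a real host); the paths are made up.
def _rec(app: str, rtid: str) -> str:
    return ("<Event><System><EventID>5157</EventID></System><EventData>"
            f"<Data Name='Application'>{app}</Data>"
            f"<Data Name='FilterRTID'>{rtid}</Data></EventData></Event>")

DEFENDER = r"\device\harddiskvolume3\programdata\microsoft\windows defender\platform\msmpeng.exe"
SAMPLE = [_rec(DEFENDER, "70012")] * 4 + [_rec(r"\device\harddiskvolume3\users\a\chrome.exe", "70050")]

if __name__ == "__main__":
    for (app, rtid), n in alert_summary(SAMPLE).items():
        print(f"ALERT: {n} blocked connections for {app} via filter {rtid}")
```

Pair this with the filter-change events the page mentions: a burst of 5157 blocks on a Defender process shortly after a new WFP filter appears is the combination worth alerting on.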

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.