Bypass Record

Disable or Modify Tools × Microsoft Windows Defender

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2026-01-11
Config / version noted: Not stated

Provenance

Reported as

causing the EDR process to terminate itself due to Protected Process Light (PPL) restrictions

Mechanism

Creates a service with higher priority than the target EDR service. Uses Bindlink to redirect a specific DLL (outside KnownDLLs) from System32 to a copy with an invalidated signature. When the EDR process starts, PPL prevents loading the unsigned DLL, causing the process to terminate. The redirect is removed afterward to avoid system-wide impact.

Detection & mitigation

Monitor for creation of services with higher priority than security services, and for Bindlink API calls (e.g., via ETW or Sysmon Event ID 1 with command-line arguments) that redirect DLLs from System32 to unsigned copies. Mitigation includes enforcing least privilege to prevent service creation and protecting the Bindlink configuration from unauthorized changes.
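As an added illustration of the command-line detection the note above describes (this is not code from the cited source or from any vendor), the following Python scans simplified, constructed Sysmon Event ID 1 records and flags command lines that name a DLL under System32 alongside a copy of the same DLL at another path. The record layout (a dict with EventID, Image and CommandLine), the sample values and the heuristic itself are assumptions made here; it covers both the staging copy of a System32 DLL and a later reference that pairs the original with the copy.

```python
"""Added example, not from the record's source: a heuristic over constructed
Sysmon-style process-creation records. It flags command lines that reference
a DLL under System32 together with a same-named copy outside System32, which
is the shape of the System32-to-unsigned-copy redirect described above."""
import re
from dataclasses import dataclass

# Assumed System32 location; adjust if SystemRoot differs in your estate.
SYSTEM32 = r"c:\windows\system32"

# Matches a quoted or bare Windows path ending in .dll (assumption: backslash paths).
DLL_PATH_RE = re.compile(r'("[^"]+?\.dll"|[A-Za-z]:\\[^\s"]+?\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    image: str            # process that issued the command line
    dll_name: str         # bare file name shared by both paths
    system32_path: str    # the original under System32
    other_path: str       # the copy elsewhere (redirect candidate)


def extract_dll_paths(command_line):
    """Return every .dll path in a command line, with surrounding quotes removed."""
    return [p.strip('"') for p in DLL_PATH_RE.findall(command_line)]


def find_redirect_candidates(record):
    """Inspect one Sysmon EID 1 record (assumed dict layout) and return Findings
    for each DLL name that appears both under System32 and at another path."""
    if record.get("EventID") != 1:
        return []
    in_system32, elsewhere = {}, {}
    for path in extract_dll_paths(record.get("CommandLine", "")):
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if lowered.startswith(SYSTEM32 + "\\"):
            in_system32.setdefault(name, path)
        else:
            elsewhere.setdefault(name, path)
    return [
        Finding(record.get("Image", ""), name, in_system32[name], elsewhere[name])
        for name in in_system32 if name in elsewhere
    ]


def scan_records(records):
    """Run the heuristic over a sequence of records and collect all findings."""
    findings = []
    for record in records:
        findings.extend(find_redirect_candidates(record))
    return findings


# Constructed sample telemetry (not real events). example.dll is a placeholder name.
SAMPLE_RECORDS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\example.dll C:\Users\Public\example.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\tool.exe",
     "CommandLine": r'tool.exe --link "C:\Windows\System32\example.dll" "C:\Users\Public\example.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
    {"EventID": 3, "Image": r"C:\Users\Public\tool.exe",
     "CommandLine": r"tool.exe C:\Windows\System32\example.dll C:\Users\Public\example.dll"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.image}: {f.dll_name} referenced at {f.system32_path} and {f.other_path}")
```

The heuristic only looks at command-line text, so it sees the staging copy and any tool invoked with both paths; it does not verify Authenticode signatures on the copy or observe the Bindlink API itself, for which the ETW source mentioned above is the better feed. Expect some benign hits from administrative copy or install scripts and tune the allow-list to the environment.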

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.