Bypass Record

Tamper-Protection Bypass × Microsoft Windows Defender

A publicly-reported instance of a Tamper-Protection Bypass against Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Defender
Technique
Tamper-Protection Bypass
MITRE ATT&CK
T1562.001
Confidence
Medium
Severity
High
Status
poc
Disclosed
2025-06-12
Config / version noted
Not stated

Provenance

Reported as

targets multiple EDR products, including Windows Defender

Mechanism

Uses the MoveFileEx API via the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations to schedule file moves/deletions at the next boot, before EDR services start. The script automates creation of the REG_MULTI_SZ entries for known EDR installation paths, moving them to a backup suffix (e.g., _bak) so they fail to load.

Detection & mitigation

Monitor modifications to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations for entries targeting EDR installation directories or critical system files. Enforce least-privilege access and enable tamper protection features that prevent unauthorized registry changes to this key.
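As an added illustration of the detection note above (example code, not from the cited source): a Python helper that parses the source/destination pairs stored in the PendingFileRenameOperations REG_MULTI_SZ value and flags any entry touching a watched security-product directory. The watch list and the sample value are constructed; on a live host the value would come from the registry key named above.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Directories to watch. Constructed list; extend with the EDR install paths in your estate.
WATCHED_DIRS = [
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender",
    r"C:\Program Files\ExampleEDR",  # placeholder for another product
]

@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None: the file or directory is deleted at boot
    replace_existing: bool      # destination carried the '!' (replace-existing) marker

def _strip_nt_prefix(path: str) -> str:
    # MoveFileEx records NT-style paths such as \??\C:\dir\file.
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_ops(multi_sz: List[str]) -> List[PendingOp]:
    """REG_MULTI_SZ holds source/destination pairs; an empty destination means delete."""
    ops = []
    for i in range(0, len(multi_sz), 2):
        src, dst = multi_sz[i], (multi_sz[i + 1] if i + 1 < len(multi_sz) else "")
        if not src:
            continue  # tolerate a stray terminating empty string
        replace = dst.startswith("!")
        dst = _strip_nt_prefix(dst[1:] if replace else dst)
        ops.append(PendingOp(_strip_nt_prefix(src), dst or None, replace))
    return ops

def _under(path: str, directory: str) -> bool:
    # Case-insensitive NT path comparison that also works when run off-host (e.g. on Linux).
    p, d = (ntpath.normcase(ntpath.normpath(x)) for x in (path, directory))
    return p == d or p.startswith(d + "\\")

def flag_suspicious(ops: List[PendingOp], watched=WATCHED_DIRS) -> List[PendingOp]:
    """Return operations whose source or destination lies under a watched directory."""
    return [op for op in ops
            if any(_under(p, d) for p in (op.source, op.destination) if p for d in watched)]

# Constructed sample: benign temp-file delete, Defender directory renamed to _bak, placeholder EDR dir deleted.
SAMPLE_VALUE = [
    r"\??\C:\Windows\Temp\update.tmp", "",
    r"\??\C:\Program Files\Windows Defender", r"!\??\C:\Program Files\Windows Defender_bak",
    r"\??\C:\Program Files\ExampleEDR", "",
]
```

Running `flag_suspicious(parse_pending_ops(SAMPLE_VALUE))` returns the two entries that touch watched directories and ignores the temp-file delete.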

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.