Bypass Record

Indicator Removal × Microsoft Defender

A publicly reported instance of Indicator Removal bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender
Technique: Indicator Removal
MITRE ATT&CK: T1070
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-04-22
Config / version noted: Not stated

Provenance

Reported as

attackers can remotely delete legitimate files by inserting malware byte signatures into them, causing false-positive detections

Mechanism

Attackers embed known malware byte signatures into benign files (e.g., databases, VM images) via user inputs such as website registrations or comments. The EDR/AV scans the file, matches the signature, and deletes or quarantines the file as a false positive, causing denial of service. The technique is not a bypass of detection but an abuse of it: the security product's own detection logic is turned against the files it is meant to protect.

Detection & mitigation

Monitor for anomalous file deletion events originating from security product processes (e.g., MsMpEng.exe, avp.exe) targeting non-malicious file types like databases or VM images. Correlate with user input channels (web forms, comments) to detect injection of known malware signatures; mitigate by applying vendor patches and implementing application-level input validation to strip binary signatures from user-supplied content.
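A minimal form of the first detection idea above, as an added example that is not from the cited source or the product: it runs one rule over constructed, simplified remediation log lines (the key=value layout and field names are assumptions, not a real event schema) and flags removals by a security-product process that hit database or VM image files.

```python
"""Flag remediation events where a security product removed a data or VM file.

Added example (not from the cited source). The record format below is a
constructed, simplified stand-in for an AV/EDR "action taken" event, so the
field names are assumptions, not a real schema.
"""
import re

# Security-product processes named in the record above.
SECURITY_PRODUCT_PROCESSES = {"msmpeng.exe", "avp.exe"}
# Remediation actions that take the file out of use.
REMOVAL_ACTIONS = {"quarantine", "remove", "delete"}
# Data / VM image types that should not normally be hit by AV remediation.
DATA_EXTENSIONS = {".mdf", ".ldf", ".sqlite", ".db", ".vmdk", ".vhdx", ".vdi", ".qcow2"}

# Constructed sample events: key=value pairs separated by '|'.
SAMPLE_LOG = """\
ts=2024-04-22T10:01:05Z|proc=MsMpEng.exe|action=Quarantine|path=C:\\Data\\app.mdf
ts=2024-04-22T10:01:07Z|proc=MsMpEng.exe|action=Quarantine|path=C:\\VMs\\web01.vmdk
ts=2024-04-22T10:02:00Z|proc=MsMpEng.exe|action=Quarantine|path=C:\\Users\\a\\dl\\tool.exe
ts=2024-04-22T10:03:30Z|proc=explorer.exe|action=Delete|path=C:\\Data\\old.db
ts=2024-04-22T10:04:10Z|proc=avp.exe|action=Remove|path=D:\\backup\\site.sqlite
"""


def parse_event(line):
    """Parse one 'k=v|k=v' line into a dict; return None for malformed lines."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        fields[key] = value
    return fields if {"ts", "proc", "action", "path"} <= fields.keys() else None


def extension(path):
    """Lower-cased file extension of a path, or '' if it has none."""
    match = re.search(r"(\.[A-Za-z0-9]+)$", path)
    return match.group(1).lower() if match else ""


def is_suspicious_removal(ev):
    """True when a security product removed a data/VM file (false-positive pattern)."""
    return (ev["proc"].lower() in SECURITY_PRODUCT_PROCESSES
            and ev["action"].lower() in REMOVAL_ACTIONS
            and extension(ev["path"]) in DATA_EXTENSIONS)


def flag_events(log_text):
    """Return the events that match the rule, in log order."""
    return [ev for ev in map(parse_event, log_text.splitlines())
            if ev and is_suspicious_removal(ev)]
```

The executable quarantined in the third line and the deletion by explorer.exe are left alone; only the three removals of data or VM files by a security-product process are returned.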


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.