Bypass Record

Disable or Modify Tools × CrowdStrike Falcon

A publicly-reported instance of Disable or Modify Tools bypassing CrowdStrike Falcon, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
CrowdStrike Falcon
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2025-08-28
Config / version noted
Not stated

Provenance

Reported as

WDAC policies are being used by threat actors to block endpoint detection and response (EDR) agents... The technique remains effective against many EDR products

Mechanism

Attackers deploy a WDAC policy (as a .cip file) that contains block rules targeting EDR executables, drivers, or file paths. The policy is applied via WMI or direct file placement, then the system is rebooted to enforce it. WDAC blocks the specified EDR binaries from executing, effectively disabling the security agent. Rules can use file path, file name, file description, or file signature attributes. Kernel-mode drivers cannot be blocked by file path rules, but user-mode components and some drivers can be stopped.

Detection & mitigation

Monitor for creation or modification of WDAC policy files (*.cip) in %SystemRoot%\System32\CodeIntegrity\ and policy activation events (e.g., WMI activity, Event ID 3099). Mitigation: enforce WDAC policies via a secure, centrally managed process and restrict local policy modification to authorized administrators only.
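As an added, defender-side example (not code from the record's source), the monitoring described above expressed as detection logic over constructed sample telemetry: a .cip write under the CodeIntegrity directory by a process outside the managed deployment path is flagged, and a following Event ID 3099 policy activation is escalated. The event field names, the trusted-writer list and the 24-hour correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# WDAC policy files under %SystemRoot%\System32\CodeIntegrity\ (the location named
# in the record); subdirectories such as CiPolicies\Active are included.
CIP_PATH = re.compile(r"^[a-z]:\\windows\\system32\\codeintegrity\\.*\.cip$", re.IGNORECASE)
POLICY_ACTIVATED = 3099          # Code Integrity "policy activated" event noted in the record
WINDOW = timedelta(hours=24)     # assumption: activation follows the write at the next reboot

# Constructed sample telemetry normalized into dicts; field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2025-08-28T09:58:00", "kind": "file_write", "process": "MdmAgent.exe",
     "path": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PLACEHOLDER-GUID-1}.cip"},
    {"ts": "2025-08-28T10:00:05", "kind": "file_write", "process": "WmiPrvSE.exe",
     "path": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PLACEHOLDER-GUID-2}.cip"},
    {"ts": "2025-08-28T10:12:40", "kind": "eventlog", "event_id": 3099},
    {"ts": "2025-09-02T08:00:00", "kind": "eventlog", "event_id": 3099},
]
TRUSTED_WRITERS = {"MdmAgent.exe"}   # hypothetical managed deployment agent


def detect_wdac_tampering(events, trusted_writers):
    """Return alerts, in timestamp order, for policy writes and activations.

    trusted_writers: process names of the organization's central deployment
    path (supplied by the caller); any other writer is treated as local/ad hoc.
    """
    trusted = {p.lower() for p in trusted_writers}
    alerts, unmanaged_writes = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "file_write" and CIP_PATH.match(ev["path"]):
            if ev["process"].lower() in trusted:
                continue                      # expected: managed deployment
            unmanaged_writes.append(ts)
            alerts.append({"ts": ev["ts"], "severity": "medium",
                           "rule": "unmanaged_wdac_policy_write",
                           "detail": f'{ev["process"]} wrote {ev["path"]}'})
        elif ev["kind"] == "eventlog" and ev["event_id"] == POLICY_ACTIVATED:
            recent = [w for w in unmanaged_writes if ts - w <= WINDOW]
            if recent:                        # activation enforces the unmanaged policy
                alerts.append({"ts": ev["ts"], "severity": "high",
                               "rule": "wdac_policy_activated_after_unmanaged_write",
                               "detail": f"{len(recent)} unmanaged write(s) in window"})
            else:                             # activation alone: verify against change records
                alerts.append({"ts": ev["ts"], "severity": "low",
                               "rule": "wdac_policy_activation", "detail": "no recent unmanaged write"})
    return alerts
```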

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.