Bypass Record

Tamper-Protection Bypass × Microsoft Windows Defender Attack Surface Reduction

A publicly reported instance of a Tamper-Protection Bypass against Microsoft Windows Defender Attack Surface Reduction, recorded together with its original source. Factual record only; no assessment of any specific deployment.

Product: Microsoft Windows Defender Attack Surface Reduction
Technique: Tamper-Protection Bypass
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: unknown
Disclosed: 2023-09-12
Config / version noted: Not stated

Provenance

Reported as

CVE-2023-38163 is a security feature bypass vulnerability in Microsoft Windows Defender Attack Surface Reduction (ASR) rules.

Mechanism

The vulnerability exploits a flaw in ASR rule enforcement logic, allowing specially crafted files or actions to evade detection and bypass rules that normally block behaviors like script execution, process injection, or credential dumping. It requires local access and user interaction (e.g., phishing).

Detection & mitigation

Monitor Windows Event Logs for ASR rule bypass events (e.g., Event ID 1121 or 1122) and correlate with unexpected process or script executions. Mitigate by applying the CVE-2023-38163 security update and enforcing strict user access controls to limit local interaction.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.