Bypass Record

Disable or Modify Tools × Microsoft Defender for Endpoint

A publicly reported instance of Disable or Modify Tools bypassing Microsoft Defender for Endpoint, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender for Endpoint
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2024-12-01
Config / version noted
Not stated

Provenance

Reported as

By adding NRPT rules that redirect DNS queries for EDR cloud endpoints to localhost, the agent is unable to resolve its required domains, effectively silencing it.

Mechanism

The attacker uses the Add-DnsClientNrptRule PowerShell cmdlet to insert entries into the NRPT, mapping EDR-related FQDNs (e.g., endpoint.security.microsoft.com) to 127.0.0.1. The Windows DNS client checks the NRPT first; if a match is found, it uses the specified nameserver instead of the default DNS, causing DNS resolution to fail and preventing the EDR agent from sending telemetry.

Detection & mitigation

Monitor for execution of Add-DnsClientNrptRule, and for direct registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig, either of which indicates NRPT tampering. Mitigate by enforcing least-privilege access, restricting administrative rights, and using EDR tamper-protection features that alert on or prevent such configuration changes.
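The following audit script is an added example for this record, not code from the cited source or from Microsoft. It reads the active NRPT with the built-in Get-DnsClientNrptRule cmdlet and flags rules that either send a namespace to a loopback nameserver or cover an EDR cloud domain, then cross-checks the rule count against the DnsPolicyConfig registry key named above so that rules written directly to the registry are not missed. The domain pattern list is an assumption (only endpoint.security.microsoft.com comes from the record); extend it to the telemetry hosts your agent actually uses. The registry comparison assumes an elevated session.

```powershell
# Added example (not from the cited source): audit the local NRPT for rules that
# would blackhole resolution of EDR cloud endpoints by steering them to loopback.
# Requires the DnsClient module (Windows 8 / Server 2012 and later); reading the
# registry key below normally needs an elevated session.

# Assumption: only the first entry is taken from the record. The rest are
# placeholders for whatever hosts your EDR agent talks to.
$EdrNamespacePatterns = @(
    '*.security.microsoft.com',
    '*.microsoft.com',
    '*.windows.com'
)

$NrptRegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig'

function Test-LoopbackServer {
    param([string]$Address)
    # 127.0.0.0/8, ::1 and 0.0.0.0 never reach a real resolver
    return ($Address -like '127.*') -or ($Address -eq '::1') -or ($Address -eq '0.0.0.0')
}

function Get-SuspiciousNrptRule {
    # Enumerate every active NRPT rule through the supported cmdlet.
    foreach ($rule in (Get-DnsClientNrptRule)) {
        $loopback = @($rule.NameServers | Where-Object { Test-LoopbackServer $_ })
        $coversEdr = $false
        foreach ($pattern in $EdrNamespacePatterns) {
            if ($rule.Namespace -like $pattern) { $coversEdr = $true }
        }
        if ($loopback.Count -gt 0 -or $coversEdr) {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                Namespace   = $rule.Namespace
                NameServers = ($rule.NameServers -join ',')
                Reason      = if ($loopback.Count -gt 0) { 'loopback nameserver' } else { 'EDR namespace' }
            }
        }
    }
}

function Compare-NrptRegistryCount {
    # Rules dropped straight into the registry still show up as subkeys here.
    # A mismatch with the cmdlet view is itself worth investigating.
    $cmdletCount   = @(Get-DnsClientNrptRule).Count
    $registryCount = 0
    if (Test-Path $NrptRegistryPath) {
        $registryCount = @(Get-ChildItem -Path $NrptRegistryPath -ErrorAction SilentlyContinue).Count
    }
    [pscustomobject]@{
        CmdletRules   = $cmdletCount
        RegistryRules = $registryCount
        Consistent    = ($cmdletCount -eq $registryCount)
    }
}

# Usage: run on a host and review both outputs. An empty first table and a
# consistent second one is the expected baseline on a machine with no NRPT.
Get-SuspiciousNrptRule | Format-Table -AutoSize
Compare-NrptRegistryCount
```

The script is a point-in-time check; pair it with the telemetry the record calls for (PowerShell script block logging, which records the Add-DnsClientNrptRule invocation, and registry-set auditing on the DnsPolicyConfig key) so that the change is seen when it happens rather than on the next sweep. Group Policy-delivered NRPT rules live under a separate policy key and are not covered by the registry comparison above.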


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.