Bypass Record

Indicator Removal × Microsoft Defender

A publicly-reported instance of Indicator Removal bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender
Technique
Indicator Removal
MITRE ATT&CK
T1070
Confidence
High
Severity
High
Status
poc
Disclosed
2023-08-11
Config / version noted
Not stated

Provenance

Reported as

attackers can trick EDRs into automatically deleting the file

Mechanism

Attackers craft a minimal malicious signature (e.g., 15 characters) that triggers EDR automatic deletion. This signature is remotely injected into non-executable files (e.g., IIS logs via HTTP user-agent) or databases. When the EDR scans the file, it detects the signature and deletes the entire file, causing data loss or DoS. The technique exploits the EDR's detection logic rather than a software vulnerability.

Detection & mitigation

Monitor for unexpected file deletions on critical systems, especially logs and databases, by enabling file integrity monitoring (FIM) and auditing object access (e.g., Windows Event ID 4663). Harden EDR configurations to require confirmation before deleting files and restrict automatic remediation actions on non-executable data stores.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.