Disable or Modify Tools × Sysmon

A publicly-reported instance of Disable or Modify Tools bypassing Sysmon, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Sysmon

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2026-02-27

Config / version noted

Not stated

Provenance

binarydefense.com
disclosed 2026-02-27 · original source · via exa

Reported as

modifies ACLs on kernel32.dll to add Deny ACEs for Windows Defender and Sysmon service identities, preventing them from starting after reboot

Mechanism

With admin rights, the tool adds Deny ACEs to the ACL of kernel32.dll targeting specific service SIDs. When the system reboots, the services cannot read kernel32.dll, breaking their dependency chain and preventing them from starting. The effect is delayed until reboot, making immediate detection difficult.

Detection & mitigation

Monitor for Windows Security Event ID 4670 (permissions change) on critical system files like kernel32.dll, especially when the new ACL includes Deny ACEs targeting security service SIDs (e.g., Windows Defender, Sysmon). Mitigate by enforcing least-privilege admin access, hardening ACLs on key DLLs, and using file integrity monitoring to alert on unauthorized permission changes.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes Microsoft multiple commercial EDR/AV vendors Palo Alto Palo Alto Networks

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.