Disable or Modify Tools

Name: Disable or Modify Tools — EDR bypass record
Creator: ColdRecon

Publicly-reported instances of Disable or Modify Tools bypassing endpoint security products. Maintained on the same basis for every technique in the Index.

recorded bypasses

products affected

Products recorded as bypassed by Disable or Modify Tools

Product	Entries	High-confidence	Most recent
Microsoft	17	16	2026-05-21
Palo Alto Networks	6	6	2025-03-19
CrowdStrike	5	3	2025-09-29
SentinelOne	4	3	2025-11-17
Trend Micro	2	2	2024-07-14
multiple commercial EDR/AV vendors	1	0	2026-01-11
Riot Games	1	1	2025-06-26
Kaspersky	1	1	2023-09-13
Carbon Black	1	0	2023-06-01
Velociraptor	1	1	2025-08-28
Tanium	1	1	2025-08-28
Palo Alto	1	1	2023-09-13
Talsec	1	1	2024-12-05
Malwarebytes	1	1	2023-09-13
Avast Software	1	1	2025-11-11
Forcepoint	1	1	2026-03-26
Check Point	1	1	2023-09-13
VMware	1	1	2024-05-22
various AV/EDR vendors	1	0	2024-08-11
EasyAntiCheat	1	1	2024-07-02
Sysmon	1	1	2026-02-27
Symantec	1	1	2025-08-28

All entries

Product	Confidence	Disclosed	Source
Microsoft	high	2026-05-21	Huntress	record →
Forcepoint	high	2026-03-26	gist.github.com	record →
Sysmon	high	2026-02-27	binarydefense.com	record →
Microsoft	high	2026-02-27	binarydefense.com	record →
multiple commercial EDR/AV vendors	medium	2026-01-11	cybernoz.com	record →
Microsoft	high	2026-01-11	cybernoz.com	record →
SentinelOne	high	2025-11-17	cyberpress.org	record →
Microsoft	high	2025-11-17	cyberpress.org	record →
Avast Software	high	2025-11-11	nvd.nist.gov	record →
Microsoft	high	2025-10-15	windowsforum.com	record →
Microsoft	high	2025-09-29	prevent-ransomware.com	record →
CrowdStrike	high	2025-09-29	prevent-ransomware.com	record →
Symantec	high	2025-08-28	beierle.win	record →
Tanium	high	2025-08-28	beierle.win	record →
Velociraptor	high	2025-08-28	beierle.win	record →
SentinelOne	high	2025-08-28	beierle.win	record →
CrowdStrike	high	2025-08-28	beierle.win	record →
Microsoft	high	2025-08-28	beierle.win	record →
Riot Games	high	2025-06-26	github.com	record →
Microsoft	high	2025-06-15	github.com	record →
Microsoft	high	2025-06-10	www.linkedin.com	record →
Microsoft	high	2025-04-08	www.sentinelone.com	record →
Palo Alto Networks	high	2025-03-19	security.paloaltonetworks.com	record →
CrowdStrike	high	2025-03-06	securityaid.co.uk	record →
Palo Alto Networks	high	2025-02-12	security.paloaltonetworks.com	record →
Talsec	high	2024-12-05	regne.me	record →
Microsoft	high	2024-12-01	cloudbrothers.info	record →
Palo Alto Networks	high	2024-10-15	feedly.com	record →
Microsoft	high	2024-08-11	dazzyddos.github.io	record →
various AV/EDR vendors	medium	2024-08-11	dazzyddos.github.io	record →
Palo Alto Networks	high	2024-08-07	feedly.com	record →
Trend Micro	high	2024-07-14	www.satyamrastogi.com	record →
EasyAntiCheat	high	2024-07-02	cheater.ninja	record →
Palo Alto Networks	high	2024-06-12	blog.scrt.ch	record →
Microsoft	high	2024-05-29	cybernoz.com	record →
VMware	high	2024-05-22	ctid.mitre.org	record →
Microsoft	high	2024-04-24	gbhackers.com	record →
Microsoft	high	2024-03-21	blog.talosintelligence.com	record →
Check Point	high	2023-09-13	labs.infoguard.ch	record →
Microsoft	high	2023-09-13	labs.infoguard.ch	record →
Palo Alto	high	2023-09-13	labs.infoguard.ch	record →
Trend Micro	high	2023-09-13	labs.infoguard.ch	record →
Malwarebytes	high	2023-09-13	labs.infoguard.ch	record →
SentinelOne	high	2023-09-13	labs.infoguard.ch	record →
CrowdStrike	medium	2023-09-13	labs.infoguard.ch	record →
Kaspersky	high	2023-09-13	labs.infoguard.ch	record →
Palo Alto Networks	high	2023-07-07	github.com	record →
CrowdStrike	medium	2023-06-01	www.threatlocker.com	record →
SentinelOne	medium	2023-06-01	www.threatlocker.com	record →
Carbon Black	medium	2023-06-01	www.threatlocker.com	record →
Microsoft	medium	2023-06-01	www.threatlocker.com	record →

Counts reflect distinct publicly-reported events on record; absence of an entry means no confirmed public report is on file.