Bypass Record

Disable or Modify Tools × Microsoft Defender

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: In the wild
Disclosed: 2024-03-21
Config / version noted: Not stated

Provenance

Reported as

attackers first added exclusions to Microsoft Defender to evade detection

Mechanism

After initial access, Turla adds registry-based exclusions to Microsoft Defender for the implant's directory (e.g., C:\Windows\System32). The TTNG DLL is written to disk and persisted as a Windows service masquerading as 'System Device Manager', executed via svchost.exe. Chisel is deployed to create encrypted tunnels for pivoting and data exfiltration.

Detection & mitigation

Monitor for registry modifications to Windows Defender exclusion paths (e.g., HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths). Detect creation of suspicious services with names like 'sdm' loading DLLs from system32. Use endpoint detection to flag svchost.exe loading unsigned DLLs.
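The two detections above, as an added example that is not part of the original record: a small triage routine run over constructed event records shaped like a Sysmon Event ID 13 (registry value set) and a System Event ID 7045 (service installed). The field names, the ServiceDll enrichment on the 7045 record, the service baseline and the DLL name are all assumptions made for this example.

```python
"""Flag Defender exclusion writes and new svchost-hosted services from
constructed event records. Event shapes are assumed, not taken from the page."""
import re

# Key under which Defender stores exclusions; \Paths is the one the record names.
EXCLUSION_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
# An exclusion that covers the Windows directory tree (System32 included)
# defeats scanning of the implant location described in the record.
SENSITIVE_PREFIXES = (r"c:\windows",)
# Constructed baseline of expected svchost-hosted service names; build a real
# one from a known-good image rather than hard-coding it.
BASELINE_SERVICES = {"wuauserv", "bits", "schedule"}

def check_registry_event(ev):
    """Sysmon-13-style record: return a finding string, or None if benign."""
    target = ev.get("TargetObject", "")
    if not target.lower().startswith(EXCLUSION_ROOT.lower()):
        return None
    # Layout is <root>\<Paths|Processes|Extensions>\<excluded item>.
    kind, _, excluded = target[len(EXCLUSION_ROOT) + 1:].partition("\\")
    excluded = excluded.lower()
    sev = "HIGH" if excluded.startswith(SENSITIVE_PREFIXES) else "MEDIUM"
    return f"{sev}: Defender {kind} exclusion added for {excluded!r} by {ev.get('Image', '?')}"

def check_service_event(ev):
    """7045-style record (assumed enriched with ServiceDll): flag a new
    svchost-hosted service outside the baseline whose DLL lives in System32."""
    name = ev.get("ServiceName", "").lower()
    image = ev.get("ImagePath", "").lower()
    dll = ev.get("ServiceDll", "").lower()
    if name in BASELINE_SERVICES or "svchost.exe" not in image:
        return None
    if re.match(r"c:\\windows\\system32\\", dll):
        return f"HIGH: new svchost-hosted service {name!r} loads {dll}"
    return None

def triage(events):
    """Dispatch each record by EventID and collect findings in input order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:
            f = check_registry_event(ev)
        elif ev.get("EventID") == 7045:
            f = check_service_event(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings

# Constructed sample events: one exclusion write, one masquerading service, one baseline service.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": EXCLUSION_ROOT + r"\Paths\C:\Windows\System32"},
    {"EventID": 7045, "ServiceName": "sdm", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\implant.dll"},  # constructed placeholder name
    {"EventID": 7045, "ServiceName": "BITS", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\qmgr.dll"},
]
```

Running `triage(SAMPLE_EVENTS)` yields two HIGH findings (the System32 exclusion and the 'sdm' service) and stays silent on the baseline BITS entry.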

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.