Bypass Record

Disable or Modify Tools × Microsoft Defender Antivirus

A publicly reported instance of Disable or Modify Tools bypassing Microsoft Defender Antivirus, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender Antivirus
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
in the wild
Disclosed
2026-05-21
Config / version noted
Not stated

Provenance

Reported as

PowerShell scripts (e.g., Trojan:Win32/MpTamperBulkExcl.H) to tamper with Defender exclusions and disable it

Mechanism

Attackers used RDP with compromised credentials, then attempted to run a ransomware encryptor. After Microsoft Defender blocked the initial execution, they executed PowerShell scripts (e.g., Trojan:Win32/MpTamperBulkExcl.H) to tamper with Defender exclusions and disable it. They also cleared the Windows Event Logs (Security, System, Application) to remove forensic evidence. Scheduled Tasks were used for persistence or lateral movement.

Detection & mitigation

Monitor for Event ID 1102 (Security log cleared) and 104 (System/Application log cleared). Alert on PowerShell commands that modify Defender settings (e.g., Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath). Deploy endpoint detection with tamper protection enabled to prevent unauthorized changes.
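As an added illustration of the detection notes above (example code, not drawn from the cited source): a small Python detector run over constructed Windows event records. It assumes PowerShell script block logging (Event ID 4104) is enabled and that events have been normalised to the few fields shown; a user who both tampers with Defender and clears a log within a short window is escalated, mirroring the chain in the record.

```python
import re
from datetime import datetime

# Constructed sample events (not from the cited source), normalised to the few
# fields a SIEM would keep. 4104 = PowerShell script block logging (assumed enabled).
SAMPLE_EVENTS = [
    {"ts": "2026-05-20T02:12:30", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "user": "admin", "message": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2026-05-20T02:12:41", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "user": "admin", "message": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'"},
    {"ts": "2026-05-20T02:15:05", "channel": "Security", "event_id": 1102, "user": "admin",
     "message": "The audit log was cleared."},
    {"ts": "2026-05-20T02:15:06", "channel": "System", "event_id": 104, "user": "admin",
     "message": "The System log file was cleared."},
    {"ts": "2026-05-20T09:00:00", "channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
     "user": "svc", "message": "Get-MpPreference | Select-Object ExclusionPath"},  # read-only, no alert
]

# Rule 1: the log-clearing events named in the record.
LOG_CLEARED = {("Security", 1102), ("System", 104), ("Application", 104)}
# Rule 2: PowerShell that changes the Defender settings named in the record.
DEFENDER_TAMPER = re.compile(
    r"\b(?:Set|Add)-MpPreference\b[^\n]*?-(?:DisableRealtimeMonitoring|ExclusionPath)\b",
    re.IGNORECASE,
)

def classify(event):
    """Return the rule name an event matches, or None."""
    if (event["channel"], event["event_id"]) in LOG_CLEARED:
        return "log_cleared"
    if event["event_id"] == 4104 and DEFENDER_TAMPER.search(event["message"]):
        return "defender_tamper"
    return None

def detect(events, window_minutes=30):
    """Per-user alerts; tamper + log clearing by one user within the window is 'high'."""
    hits = {}
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["ts"]), rule))
    alerts = {}
    for user, seq in hits.items():
        rules = {r for _, r in seq}
        span_minutes = (max(t for t, _ in seq) - min(t for t, _ in seq)).total_seconds() / 60
        chained = rules == {"log_cleared", "defender_tamper"} and span_minutes <= window_minutes
        alerts[user] = {"rules": sorted(rules), "severity": "high" if chained else "medium"}
    return alerts
```

Tamper protection, as the record recommends, is the preventive control; this logic only surfaces the attempt and the follow-on log clearing for triage.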


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.