Disable-TamperProtection
A POC to disable TamperProtection and other Defender / MDE components
It is possible to abuse SYSTEM / TrustedInstaller privileges to tamper with or delete the WdFilter minifilter settings (the ALTITUDE registry value) and unload the kernel minifilter driver, which disables Tamper Protection and other Defender components. This also affects Microsoft Defender for Endpoint (MDE), blinding MDE to telemetry and activity performed on the target.
An example of how to use the POC is as follows:
1 — Unload WdFilter
2 — Disable Tamper Protection
3 — Disable Defender / MDE components
4 — Reinstate / restore the WdFilter
Blog: Breaking through Defender's Gates - Disabling Tamper Protection and other Defender components
POC Demo: https://youtu.be/MI6aVDHRix8
During testing, this vulnerability was found to affect the following versions of Windows:
• Windows Server 2022 until BuildLabEx Version: 20348.1.amd64fre.fe_release.210507-1500 (April 2024 update)
• Windows Server 2019
• Windows 10 until BuildLabEx Version: 19041.1.amd64fre.vb_release.191206-1406 (April 2024 update)
• Windows 11 until BuildLabEx Version: 22621.1.amd64fre.ni_release.220506-1250 (Sep 2023 update).
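The following PowerShell script is an added defensive check and is not part of the Disable-TamperProtection POC or its author's code. It verifies the three things the technique above tampers with: that the WdFilter instance key and its Altitude value are still present in the registry, that WdFilter is actually loaded as a minifilter, and that Defender still reports Tamper Protection and real-time protection as enabled. The registry path under `Services\WdFilter\Instances\WdFilter Instance` and the expected altitude value `328010` are assumptions taken from public Defender minifilter documentation rather than from this page; adjust them if your build differs. `Get-MpComputerStatus` and `fltmc.exe` are standard Windows tooling and require an elevated prompt.

```powershell
# Added integrity check for the WdFilter / Tamper Protection state (not the POC's code).
# Assumptions: registry path of the WdFilter minifilter instance and the documented
# altitude 328010; both are labelled here so they can be adjusted per build.
# Run from an elevated PowerShell prompt.

$wdfilterInstance = 'HKLM:\SYSTEM\CurrentControlSet\Services\WdFilter\Instances\WdFilter Instance'
$expectedAltitude = '328010'   # assumed: documented altitude of WdFilter.sys

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Registry: the instance key and its Altitude value must exist and match.
if (-not (Test-Path $wdfilterInstance)) {
    $findings.Add("WdFilter instance key is missing: $wdfilterInstance")
} else {
    $altitude = (Get-ItemProperty -Path $wdfilterInstance -ErrorAction SilentlyContinue).Altitude
    if ([string]::IsNullOrEmpty($altitude)) {
        $findings.Add('WdFilter Altitude value has been removed')
    } elseif ($altitude -ne $expectedAltitude) {
        $findings.Add("WdFilter Altitude is '$altitude', expected '$expectedAltitude'")
    }
}

# 2. Runtime: WdFilter must appear in the loaded minifilter list reported by fltmc.
$loadedFilters = & fltmc.exe filters 2>$null
if (-not ($loadedFilters | Select-String -Pattern '^\s*WdFilter\b')) {
    $findings.Add('WdFilter minifilter is not loaded (fltmc filters)')
}

# 3. Defender status: Tamper Protection, real-time protection and the AM service should be on.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if (-not $status.AMServiceEnabled)          { $findings.Add('Defender AM service is not running') }
} catch {
    $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
}

# 4. Report. A non-zero exit code lets a scheduled task or RMM job alert on drift.
if ($findings.Count -eq 0) {
    Write-Output 'OK: WdFilter registration, load state and Tamper Protection look intact'
    exit 0
}
$findings | ForEach-Object { Write-Output "ALERT: $_" }
exit 1
```

Because the POC needs SYSTEM or TrustedInstaller privileges to touch this key, any deletion of or write to the WdFilter instance path by a process other than Windows servicing is itself a strong signal; if Sysmon is deployed, its registry events (object delete, event ID 12, and value set, event ID 13) scoped to that path give an on-host alert independent of Defender's own logging, which is exactly what the technique blinds. Patching to builds newer than those listed above remains the actual fix; this script only detects drift.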