Defending the Defender (ATP)

Gianni Castaldi
Published in Wortell, Mar 3, 2020

I’ve read a great article by Alex Kefallonitis on his LinkedIn page describing a simple hack to bypass Microsoft Defender ATP, and today he replied to his story that this also works with tamper protection enabled. Unfortunately, I haven’t been able to reproduce a stealthy way to disable tamper protection, such as removing the registry key.

So it’s a great moment to share a way to detect this.

If you sign in to https://securitycenter.windows.com you can go to Advanced hunting and enter the following query:

or, if you prefer to copy and paste:

and click on Create detection rule:

The MITRE technique is T1089.

On the next page you can set isolation as the response action:

As soon as you press Next and Save, you’re all set.
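The post's own query was only shown as a screenshot, so here is an added example of the kind of Advanced hunting query that can feed such a detection rule; it is my illustration, not the author's query. It assumes that tamper protection state is the DWORD value TamperProtection under the Windows Defender Features key, with 5 meaning enabled, and that Defender's own processes are the only legitimate writers of that value.

```kql
// Added example: detect tamper protection being switched off, or its registry
// value or key being removed, from the DeviceRegistryEvents table.
// Assumption: state lives in HKLM\SOFTWARE\Microsoft\Windows Defender\Features,
// value name TamperProtection, where 5 = enabled and anything else = not enabled.
let featuresKeySuffix = @"\Windows Defender\Features";
let tpValueName = "TamperProtection";
// Defender's own binaries rewrite this value legitimately; everything else is suspect.
let trustedWriters = dynamic(["MsMpEng.exe", "MpCmdRun.exe"]);
DeviceRegistryEvents
| where RegistryKey endswith featuresKeySuffix
| where
    // whole Features key removed (the "removing the registry key" case)
    ActionType == "RegistryKeyDeleted"
    // the TamperProtection value removed
    or (ActionType == "RegistryValueDeleted" and RegistryValueName =~ tpValueName)
    // the TamperProtection value set to something other than "enabled"
    or (ActionType == "RegistryValueSet" and RegistryValueName =~ tpValueName
        and RegistryValueData != "5")
| where InitiatingProcessFileName !in~ (trustedWriters)
// Timestamp, DeviceId and ReportId are required in the output of a custom
// detection rule so the portal can link the alert back to the device and event.
| project Timestamp, DeviceId, DeviceName, ReportId, ActionType,
          RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine
```

Run it in Advanced hunting first to check for noise from management tooling in your own environment before turning it into a detection rule.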
