Defending the Defender (ATP)
I’ve read a great article by Alex Kefallonitis on his LinkedIn page describing a simple hack to bypass Microsoft Defender ATP, and today he replied to his story that it also works with tamper protection enabled. Unfortunately, I haven’t been able to reproduce a stealthy way to disable tamper protection, such as removing the registry key.
So it’s a good moment to share a way to detect this.
If you sign in to https://securitycenter.windows.com, go to Advanced hunting and enter the following query:
Or, if you prefer to copy and paste:
Then click on Create detection rule:
On the next page you can choose to isolate the device as an automated response:
As soon as you press Next and Save, you’re all set.