Friday June 20, 2025

Advisory ID: NCC-CSIRT-2025-006

Summary: 

Cybersecurity researchers have identified a new malicious tool named ‘Defendnot’. This tool can disable Microsoft Defender, the built-in antivirus and endpoint protection software on Windows systems, leaving affected machines vulnerable to further compromise. The threat actors behind this tool appear to be leveraging it as a preliminary stage in larger malware campaigns, allowing for stealthy persistence, lateral movement, and data exfiltration. 

Damage/Probability: HIGH/Critical

Product(s): Windows 10, Windows 11, and Windows Server.

Version(s): All supported versions of Windows 10, 11, and Windows Server 2016 and above

Platform(s): Microsoft Windows

Description: 

Threat actors are using Defendnot to stealthily disable Microsoft Defender on Windows systems. The tool leverages system utilities, registry modifications, and PowerShell scripts to tamper with Defender settings, effectively bypassing endpoint protection. This allows attackers to deploy additional malware and remain undetected on compromised systems. Organizations using Windows platforms are particularly exposed if adequate security hardening and monitoring are not enforced.

Consequences:  

To mitigate the identified threat, the following steps are recommended:

  • Apply the latest security updates from Microsoft.

  • Disable unnecessary scripting and administrative tools on user endpoints.

  • Inform system administrators and security personnel about this threat.

  • Conduct awareness training to recognize suspicious activity or social engineering attempts.

  • Ensure Tamper Protection is enabled in Microsoft Defender.

  • Use Group Policy or Intune to enforce Defender protection settings.

  • Block PowerShell scripts that are unsigned or originate from unknown sources.

  • Scan endpoints using an up-to-date Endpoint Detection and Response solution.

  • Monitor for and alert on PowerShell script block logging events (Event ID 4104) and Defender configuration changes (Event ID 5007).

  • Restore any altered Defender settings using centralized policy enforcement.
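The verification and monitoring steps above can be scripted on a single endpoint. The following PowerShell triage script is an added example and is not part of this advisory; it assumes an elevated session, the Defender PowerShell module that ships with Windows 10/11 and Windows Server, and that PowerShell Script Block Logging is enabled so that Event ID 4104 is populated.

```powershell
# Added example (not from the advisory): endpoint triage for Defender tampering.
# Assumes: elevated PowerShell, Defender module present, Script Block Logging enabled.
param(
    [int]$LookbackHours = 24
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Defender state: Tamper Protection and real-time protection should both be on.
$status = Get-MpComputerStatus
$state = [ordered]@{
    TamperProtected    = $status.IsTamperProtected
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    AMServiceEnabled   = $status.AMServiceEnabled
}
$state.GetEnumerator() | ForEach-Object {
    $flag = if ($_.Value) { 'OK  ' } else { 'WARN' }
    Write-Output ("[{0}] {1} = {2}" -f $flag, $_.Key, $_.Value)
}

# 2. Defender configuration changes (Event ID 5007) within the lookback window.
$defenderFilter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
}
$configChanges = @(Get-WinEvent -FilterHashtable $defenderFilter -ErrorAction SilentlyContinue)
Write-Output ("Defender configuration changes (5007) in last {0}h: {1}" -f $LookbackHours, $configChanges.Count)
$configChanges | Select-Object TimeCreated, Message | Format-List

# 3. PowerShell script blocks (Event ID 4104) that reference Defender settings or cmdlets.
$psFilter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
}
$suspicious = @(Get-WinEvent -FilterHashtable $psFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Set-MpPreference|DisableRealtimeMonitoring|Windows Defender' })
Write-Output ("Script blocks (4104) touching Defender settings in last {0}h: {1}" -f $LookbackHours, $suspicious.Count)
$suspicious | Select-Object TimeCreated, Message | Format-List
```

Any WARN line in the state summary, or any 5007/4104 hit that does not correspond to an approved change, should be escalated and the setting restored through Group Policy or Intune as described above.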

Solution: 


References: