From 36e3dc18b1511f85f600dd6dc864f5500dcedaa3 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 29 Sep 2025 14:57:41 +0200 Subject: [PATCH] Update av-bypass.md --- src/windows-hardening/av-bypass.md | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index 73592a965..529e09e75 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -937,18 +937,8 @@ Post-exploitation options rmdir "C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0" ``` -Detection ideas -- Alert on new directory reparse points under `C:\ProgramData\Microsoft\Windows Defender\Platform\`. -- Watch for new version-looking folder names exceeding known Defender versions. -- Detect Defender binaries executing from non-standard paths (e.g., `C:\TMP\`). -- Sysmon telemetry: FileCreate (Event ID 11) with ReparsePoint/Symlink in that path; process starts for `MsMpEng.exe` with unexpected image path. - -Hardening tips -- Enforce allow-listed execution paths with WDAC/AppLocker; prohibit Defender from running outside trusted directories. -- Continuously validate Defender’s configured platform path; remediate anomalies. -- Keep Tamper Protection enabled; monitor for Defender platform location changes. - -> Note: This technique does not provide privilege escalation by itself; it requires admin rights. +> [!TIP] +> Note that This technique does not provide privilege escalation by itself; it requires admin rights. ## References
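Review bot: removing the "Detection ideas" and "Hardening tips" lists leaves this section with the technique and a tip but no defensive guidance, and the commit message "Update av-bypass.md" gives no reason for dropping the Sysmon Event ID 11 reparse-point check, the WDAC/AppLocker allow-listing note and the Tamper Protection advice; please keep those lists, or move them to the relevant detection/hardening section and link to it, rather than deleting them. Separately, the replacement line `> Note that This technique does not provide privilege escalation by itself; it requires admin rights.` capitalizes "This" mid-sentence, and since the `> [!TIP]` callout already marks it as a note, `> This technique does not provide privilege escalation by itself; it requires admin rights.` reads cleaner.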