Hackers Disable Microsoft Defender, Sysmon & WAF Before Using Mimikatz for Credential Theft

Hackers disabled Defender, Sysmon and WAF before deploying Mimikatz to steal credentials, exposing advanced cyberattack tactics.

Cybercriminals continue to refine their attack strategies, prioritizing stealth and persistence before launching credential theft operations. A recently uncovered cyberattack demonstrates how modern threat actors systematically disable security tools, erase digital footprints, and weaken enterprise defenses before deploying credential-stealing malware.

Security researchers uncovered an advanced intrusion in which attackers disabled Microsoft Defender, terminated Sysmon, removed a Web Application Firewall (WAF), and eventually used the notorious Mimikatz tool to extract sensitive credentials from compromised systems. The incident serves as another reminder that organizations must strengthen their detection capabilities and maintain a comprehensive incident response strategy to defend against increasingly sophisticated cyber threats.

Attack Began with a Compromised Web Server

According to security researchers, the attack started on June 7 after threat actors gained access to a compromised web server. Initial reconnaissance activity appeared routine, with attackers executing basic system enumeration commands to understand the environment.

However, security analysts soon detected suspicious processes originating from a legitimate IIS worker process, prompting a deeper investigation. Their analysis revealed a hidden webshell concealed within an image file using steganography—a technique that embeds malicious code inside seemingly harmless files to evade detection.

The malicious webshell allowed attackers to maintain access to the server and repeatedly return even after initial remediation efforts, enabling them to expand their foothold within the environment.

Systematic Defense Evasion Before Credential Theft

Rather than immediately attempting to steal credentials, the attackers focused on dismantling the organization’s security infrastructure.

Researchers recovered a batch script that executed a carefully planned sequence of defense evasion techniques designed to minimize visibility throughout the attack.

The attackers:

  • Disabled IIS HTTP logging to hide malicious web activity.
  • Turned off key Microsoft Defender protections, including real-time monitoring, behavior monitoring, script scanning, and automatic sample submission.
  • Executed additional PowerShell scripts to reinforce Defender modifications while deleting traces afterward.
  • Terminated and removed critical monitoring tools, including Sysmon, Filebeat, and multiple endpoint protection solutions.
  • Leveraged Windows configuration settings to freeze security applications by forcing them into debugger mode.
  • Enumerated IIS websites before uninstalling the ModSecurity Web Application Firewall (WAF), removing an important layer of protection against common web-based attacks.

By disabling these defensive controls first, the attackers significantly reduced the likelihood of detection during the later stages of the intrusion.

Mimikatz Used for Credential Dumping

Once the security infrastructure had been weakened, the attackers shifted their focus to credential theft.

The campaign modified the Windows WDigest authentication setting, forcing the operating system to store user credentials in plaintext memory instead of a protected format. This change allowed attackers to retrieve passwords more easily.

The threat actors then:

  • Extracted ODBC credentials stored within the Windows Registry.
  • Executed additional credential collection utilities that stored harvested information in local files.
  • Loaded the Mimikatz kernel driver to dump credentials directly from system memory.
  • Deleted evidence of the tools after completing the operation.

Researchers also discovered additional commented-out code capable of automatically clearing Windows Event Logs and manipulating system permissions, indicating the attackers had prepared for further escalation if necessary.
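Detection logic for the registry tampering described in the two lists above (the Defender and "debugger mode" changes, and the WDigest change), written here as an added example that is not part of the original article or the researchers' work: it runs a few rules over constructed Sysmon Event ID 13 (registry value set) records and flags a WDigest UseLogonCredential enable, a Defender policy disable, and an IFEO Debugger value on a security tool binary. The registry paths are the standard Windows locations; the sample records, the field names and the binary names in the IFEO rule are assumptions made for this example.

```python
import re

# Constructed, simplified Sysmon Event ID 13 (RegistryEvent: value set) records;
# these are not real telemetry from the incident described in the article.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger",
     "Details": r"C:\Windows\System32\svchost.exe"},
    # Benign noise: a vendor version key, and WDigest being set back to 0 (remediation).
    {"EventID": 13, "Image": r"C:\Program Files\ExampleApp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\ExampleVendor\ExampleApp\Version", "Details": "1.2.3"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
]


def dword_is_one(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; fire only on an enabling write."""
    return details.strip().upper().endswith("(0X00000001)")


# (rule name, pattern over TargetObject, predicate over Details)
RULES = [
    ("WDigest plaintext credential caching enabled",
     re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.I), dword_is_one),
    ("Defender protection disabled through policy key",
     re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.I), dword_is_one),
    ("IFEO Debugger set on a security tool binary",  # binary names are an assumption
     re.compile(r"\\Image File Execution Options\\(MsMpEng|Sysmon|Sysmon64|filebeat)[^\\]*\\Debugger$", re.I),
     lambda details: bool(details.strip())),
]


def evaluate(events):
    """Return one alert dict per (event, rule) pair that fires; other events are ignored."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        for name, pattern, details_ok in RULES:
            if pattern.search(ev["TargetObject"]) and details_ok(ev["Details"]):
                alerts.append({"rule": name, "image": ev["Image"], "key": ev["TargetObject"]})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['image']} -> {alert['key']}")
```

In production the same rules would be applied to the Sysmon channel (or a SIEM export of it) rather than to embedded records, and the remediation write to 0 is deliberately not alerted so that cleanup does not re-trigger the rule.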

Attackers Attempted to Erase All Evidence

To cover their tracks, the attackers removed temporary files, deleted registry entries associated with Windows scripting components, and cleared Security, System, and Application event logs.

Fortunately, security analysts detected the malicious activity early enough to contain the intrusion before any confirmed data exfiltration occurred. The incident highlights the importance of continuous monitoring and rapid incident response in limiting the impact of advanced cyberattacks.

Lessons for Organizations

This attack demonstrates that modern cybercriminals are increasingly focused on neutralizing security controls before executing their primary objectives. Organizations should strengthen their cyber resilience by adopting layered security practices, including:

  • Keeping operating systems and applications fully patched.
  • Maintaining comprehensive logging across servers and endpoints.
  • Deploying robust endpoint detection and response (EDR) solutions.
  • Restricting internet-facing infrastructure behind firewalls or VPNs wherever possible.
  • Monitoring for unusual PowerShell activity and unauthorized security configuration changes.
  • Completing incident response and remediation efforts before restoring compromised systems to production.

Final Thoughts

The incident illustrates how today’s threat actors are combining stealth, persistence, and sophisticated defense evasion techniques to maximize the success of credential theft campaigns. By disabling Microsoft Defender, removing monitoring tools, uninstalling web application firewalls, and leveraging Mimikatz only after weakening the environment, attackers significantly increase their chances of remaining undetected.

As cyber threats continue to evolve, organizations must move beyond traditional perimeter defenses and adopt proactive monitoring, layered security controls, and comprehensive incident response processes to detect and stop attacks before they escalate into large-scale breaches.

GlobalBizOutlook is the platform that provides you with best business practices delivered by individuals, companies, and industries around the globe. Learn more
