Windows Defender ACL Blocking: A Silent Technique With Serious Impact
ID: 4136589b-4542-593d-9c9c-d5c6ff47ba87
STIX ID: report--4136589b-4542-593d-9c9c-d5c6ff47ba87
Feed Name: Binary Defense Blog
**Executive summary:** This report analyzes a proof-of-concept tool that, when run with administrative privileges, modifies the ACL of kernel32.dll to add Deny entries for specific service SIDs (Windows Defender and Sysmon by default), so that the affected services fail to start after the next reboot. It documents detection methods (Security Event IDs 4670 and 4663, together with KQL queries) and provides practical defensive guidance.
