What is the token removal technique to disable Windows Defender, and what are its requirements?
The token removal technique exploits the fact that the Windows Defender process (MsMpEng.exe) runs as a **Protected Process Light (PPL)**. Using a thread that holds **SYSTEM privileges**, an attacker can remove all tokens from MsMpEng.exe, which prevents it from accessing other processes' resources and thus disables its detection capabilities. The method therefore requires SYSTEM privileges; it is demonstrated by tools such as KillDefender. Defenses include tools such as PPLGuard, which blocks non-PPL processes from modifying the tokens of PPL processes. See the Penetration Basics - Windows Defender article for the full PoC reference and defense recommendations.
Tags: token removal, PPL, SYSTEM privileges, MsMpEng.exe, KillDefender, PPLGuard