Golang PoC that sandboxes Defender (or other PPL) by setting its token integrity to Untrusted, effectively turning it useless.
This is possible due to the fact that using PROCESS_QUERY_LIMITED_INFORMATION to open a protected process is enough (in contrast to what MSDN documentation states) to get a handle to its access token.
MsMpEng.exe (Windows Defender) runs as PPL
All sorts of privileges are enabled and token integrity is System
In the original research all the privileges are manually stripped off from the process, besides changing the token integrity.
It seems that this first step is not necessary, since only by setting the integrity level to Untrusted the same goal is achieved.
The program needs to run with SYSTEM privileges, otherwise the OpenProcessToken call will fail because the Owner of the target token is NT AUTHORITY\SYSTEM.