Bypass Record

EDR Unhooking × Microsoft Windows Defender

A publicly-reported instance of EDR Unhooking bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: PoC
Disclosed: 2023-06-07
Config / version noted: Not stated

Provenance

Reported as: "bypasses Windows Defender on fully updated Windows 11"

Mechanism

The technique uses a custom unhooking function that identifies and removes inline hooks (JMP instructions) that security products place at the start of exported functions in loaded DLLs, then reinjects the original DLL addresses. This restores the normal API flow and blinds AV/EDR without killing processes or using packers. The PoC also includes anti-sandbox (time trigger), anti-debug, and hook-detection functions, combined with process hollowing.

Detection & mitigation

Monitor for processes performing suspicious memory operations such as restoring original DLL bytes from disk or known clean copies, especially when combined with process hollowing or injection. Deploy integrity checks on hooked functions and use kernel-mode callbacks to detect unhooking attempts. Ensure endpoint logging captures API calls like NtProtectVirtualMemory and NtWriteVirtualMemory on security-critical DLLs.
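As an added illustration of the logging advice above (this is example code written for this record, not anything from the cited source), the following Python sketch runs over a few constructed telemetry events and flags the sequence that unhooking produces: a protection change that makes a security-critical DLL region writable, followed by a write into that same module from the same source process, with severity raised when the same source has already unmapped a section in the target (the process-hollowing pattern). The event fields, API names as logged, and the module address ranges are assumptions chosen for the example; a real sensor would supply the actual module map.

```python
"""Constructed detection example: writable protection change on a critical
DLL followed by a write into it, optionally preceded by section unmapping."""
from dataclasses import dataclass

# Assumed in-memory ranges of security-critical modules in the monitored
# process (constructed for this example; real telemetry supplies the map).
CRITICAL_MODULES = {
    "ntdll.dll": (0x7FFA_0000_0000, 0x7FFA_0020_0000),
    "kernel32.dll": (0x7FFA_1000_0000, 0x7FFA_1010_0000),
}

# Page protections that allow writes; a protect change to one of these on a
# code section is the first step of an inline-hook restore.
WRITABLE = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE",
            "PAGE_WRITECOPY", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Event:
    """One sensor record (assumed shape): who called which API on whom."""
    seq: int
    pid: int
    api: str
    target_pid: int
    address: int = 0
    size: int = 0
    protect: str = ""


def module_for(address):
    """Return the critical module whose range contains address, else None."""
    for name, (lo, hi) in CRITICAL_MODULES.items():
        if lo <= address < hi:
            return name
    return None


def find_unhooking_candidates(events):
    """Correlate events per (source pid, target pid, module).

    An alert is raised when a writable NtProtectVirtualMemory on a critical
    module is later followed by NtWriteVirtualMemory into the same module by
    the same source/target pair. If that source has also issued
    NtUnmapViewOfSection against the target, severity is raised to high.
    """
    hollowed = set()   # (pid, target_pid) pairs that unmapped a section
    pending = {}       # (pid, target_pid, module) -> seq of protect change
    alerts = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.api == "NtUnmapViewOfSection":
            hollowed.add((ev.pid, ev.target_pid))
            continue
        mod = module_for(ev.address)
        if mod is None:
            continue  # heap, JIT or other non-critical region: ignore
        key = (ev.pid, ev.target_pid, mod)
        if ev.api == "NtProtectVirtualMemory" and ev.protect in WRITABLE:
            pending[key] = ev.seq
        elif ev.api == "NtWriteVirtualMemory" and key in pending:
            severity = "high" if (ev.pid, ev.target_pid) in hollowed else "medium"
            alerts.append({
                "pid": ev.pid, "target_pid": ev.target_pid, "module": mod,
                "protect_seq": pending.pop(key), "write_seq": ev.seq,
                "severity": severity,
                "reason": f"writable protection change on {mod} followed by write",
            })
    return alerts


# Constructed sample telemetry: one hollowing-plus-unhook chain (4000 -> 4100),
# one self-unhook (7000), and benign noise that must not alert.
SAMPLE_EVENTS = [
    Event(1, 4000, "NtUnmapViewOfSection", 4100),
    Event(2, 4000, "NtProtectVirtualMemory", 4100, 0x7FFA_0000_1000, 0x1000, "PAGE_EXECUTE_READWRITE"),
    Event(3, 4000, "NtWriteVirtualMemory", 4100, 0x7FFA_0000_1020, 0x20),
    Event(4, 4000, "NtProtectVirtualMemory", 4100, 0x7FFA_0000_1000, 0x1000, "PAGE_EXECUTE_READ"),
    Event(5, 5000, "NtProtectVirtualMemory", 5000, 0x1000_0000, 0x1000, "PAGE_EXECUTE_READWRITE"),
    Event(6, 6000, "NtProtectVirtualMemory", 6000, 0x7FFA_1000_2000, 0x1000, "PAGE_EXECUTE_READ"),
    Event(7, 7000, "NtProtectVirtualMemory", 7000, 0x7FFA_0000_5000, 0x1000, "PAGE_READWRITE"),
    Event(8, 7000, "NtWriteVirtualMemory", 7000, 0x7FFA_0000_5010, 0x8),
    Event(9, 6000, "NtWriteVirtualMemory", 6000, 0x7FFA_1000_2000, 0x10),
]

if __name__ == "__main__":
    for alert in find_unhooking_candidates(SAMPLE_EVENTS):
        print(alert)
```

The correlation key deliberately includes the target module, so a legitimate loader fixing up a non-critical region never matches, while a write into ntdll.dll that was never preceded by a writable protect change (event 9 above) is also left alone, since executable code sections cannot be written without that step. In production the same logic would run as a stream over sensor output and the module map would be refreshed from the target's loaded-module list.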

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.