Bypass Record

EDR Unhooking × Microsoft Defender for Endpoint (WdFilter.sys)

A publicly reported instance of EDR Unhooking bypassing Microsoft Defender for Endpoint (WdFilter.sys), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Defender for Endpoint (WdFilter.sys)
Technique
EDR Unhooking
MITRE ATT&CK
T1562.001
Confidence
High
Severity
High
Status
poc
Disclosed
2023-06-01
Config / version noted
Not stated

Provenance

Reported as

removes kernel callbacks from EDR drivers like Microsoft Defender (WdFilter.sys) without using a vulnerable driver

Mechanism

Uses GodFault to give a thread kernel-level memory access without loading a vulnerable driver, then directly patches the kernel callback arrays and ETW provider structures in memory so that Defender's registered callbacks and telemetry no longer fire. No driver of the attacker's own is loaded at any point.

Detection & mitigation

Monitor for kernel callback modifications using ETW providers such as Microsoft-Windows-Threat-Intelligence and the kernel process events; alert on anomalous privilege elevation (e.g., SeDebugPrivilege being assigned to logons or processes that do not run as SYSTEM); and enable virtualization-based security (VBS, including HVCI) so that kernel code and VBS-protected kernel memory cannot be modified by an unauthorized write. Note that a patched callback array leaves WdFilter.sys loaded and attached, so "the driver is present" is not evidence that its callbacks are intact; confirming that requires a kernel debugger or memory forensics.
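The following posture and hunting check, added here as an illustration rather than taken from the cited source or from GodFault's authors, turns the notes above into something that can be run in an elevated PowerShell session on the monitored host. It reports whether VBS and HVCI are running, whether Defender's WdFilter minifilter is attached, whether the Microsoft-Windows-Threat-Intelligence ETW provider is registered, and which recent logons received SeDebugPrivilege (Security event 4672). The SYSTEM exclusion and the 24-hour window are assumptions to tune per environment.

```powershell
# Added example (not from the source record): user-mode posture check for the
# detection/mitigation notes above. Run elevated; fltmc and the Security log need admin.

function Get-VbsState {
    # Win32_DeviceGuard reports VBS status. VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 2 when HVCI (hypervisor-enforced code integrity) is on.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ([int[]]$dg.SecurityServicesRunning -contains 2)
    }
}

function Test-WdFilterAttached {
    # fltmc lists loaded minifilters; WdFilter is Defender's kernel component.
    # A "present" result does NOT prove its callbacks are still registered (see note above).
    $filters = fltmc filters 2>$null
    return [bool]($filters | Select-String -Pattern '^\s*WdFilter\b' -Quiet)
}

function Test-ThreatIntelProviderRegistered {
    # The ETW-TI provider must exist for the kernel telemetry the record relies on.
    $providers = logman query providers 2>$null
    return [bool]($providers | Select-String -Pattern 'Microsoft-Windows-Threat-Intelligence' -Quiet)
}

function Get-SuspiciousDebugPrivilegeLogons {
    param([int]$Hours = 24)   # assumption: 24h lookback
    # Security 4672 = "Special privileges assigned to new logon". Its PrivilegeList field
    # names the privileges; flag SeDebugPrivilege for any account other than SYSTEM.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                LogonId    = $data['SubjectLogonId']
                Privileges = $data['PrivilegeList']
            }
        } |
        Where-Object { $_.Privileges -match 'SeDebugPrivilege' -and $_.Account -notmatch '\\SYSTEM$' }
}

# Summary report
$vbs = Get-VbsState
$debugLogons = @(Get-SuspiciousDebugPrivilegeLogons -Hours 24)
[pscustomobject]@{
    VbsRunning           = $vbs.VbsRunning
    HvciRunning          = $vbs.HvciRunning
    WdFilterAttached     = Test-WdFilterAttached
    EtwTiProviderPresent = Test-ThreatIntelProviderRegistered
    DebugPrivLogons24h   = $debugLogons.Count
} | Format-List
$debugLogons | Format-Table -AutoSize
```

Everything this script sees is user-mode state, so it answers "is the mitigation on and is the sensor still loaded", not "are the callback arrays untouched". For the latter, inspect the arrays themselves, for example by dumping nt!PspCreateProcessNotifyRoutine under a kernel debugger on the live host or running a callback-enumeration plugin against a memory image, and compare the registered routines against those belonging to WdFilter.sys.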


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.