Bypass Record
EDR Unhooking × Sophos Intercept X
A publicly-reported instance of EDR Unhooking bypassing Sophos Intercept X, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Technique 1: Sets hardware breakpoints on syscall/return of hooked Nt functions; an exception handler swaps benign parameters for malicious ones after EDR inspection. Technique 2: Passes an invalid memory address to trigger a CPU exception inside the EDR's hook handler, then uses an exception handler to fix the stack and redirect EDR's pointer inspection to a fake empty context structure.
Detection & mitigation
Monitor for processes setting hardware breakpoints (e.g., via SetThreadContext or direct DR register writes) and installing vectored exception handlers, which are uncommon in normal software. Deploy kernel-mode callbacks (PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks) and ETW-based syscall monitoring to detect parameter manipulation post-hook, and ensure EDR sensors validate integrity of their user-mode hooks and exception handlers.
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.