Bypass Record

Rootkit × Microsoft Windows Patch Guard

A publicly-reported instance of a rootkit bypassing Microsoft Windows Patch Guard (PatchGuard, Kernel Patch Protection), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Windows Patch Guard
Technique
Rootkit
MITRE ATT&CK
T1014
Confidence
High
Severity
High
Status
poc
Disclosed
2024-02-25
Config / version noted
Windows 10 22H2 (per the source); security configuration of the test system (VBS/HVCI state) not stated

Provenance

Reported as

method to bypass Windows Patch Guard by hooking NtCreateFile and NtOpenProcess, tested on Windows 10 22H2

Mechanism

Hooks NtCreateFile and NtOpenProcess in kernel mode and keeps the hooks in place without triggering PatchGuard, so the system runs for extended periods without the crash PatchGuard normally forces (Kernel Patch Protection responds to detected kernel tampering with bug check 0x109, CRITICAL_STRUCTURE_CORRUPTION). The source does not say whether the hooks are inline patches of the two routines or redirected dispatch entries, nor how PatchGuard's periodic checks are evaded. With the hooks in place the rootkit can intercept file opens and process-handle requests, which is what defeats the kernel integrity guarantee and makes undetected kernel-mode activity possible.

Detection & mitigation

Monitor for kernel-mode hooks on critical system calls such as NtCreateFile and NtOpenProcess: compare the live bytes at each export, and the corresponding service-table entries, against the on-disk ntoskrnl.exe image using integrity-checking or memory-forensics tools, and consume ETW providers such as Microsoft-Windows-Threat-Intelligence. Deploy Virtualization-Based Security (VBS) with Hypervisor-Protected Code Integrity (HVCI); HVCI keeps kernel code pages non-writable under hypervisor control, so patching these routines in place is blocked regardless of how PatchGuard's periodic checks are timed. Practitioner caveats not taken from the source: the Threat-Intelligence provider can only be consumed by a process running as anti-malware PPL (which requires an ELAM-signed driver), so it is available to EDR products rather than to ad-hoc scripts; and the source does not state whether VBS/HVCI was enabled on the Windows 10 22H2 test system, so the record does not establish that the hooks survive under HVCI.
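
Added example for this record, not code from the cited report: the kind of integrity check the detection note describes, run over the entry bytes of a kernel export. It compares the live bytes (as read by a memory-forensics tool or a kernel-mode agent, which is outside this snippet) with the clean prologue from the on-disk ntoskrnl.exe image and names the x64 trampolines an inline hook usually plants; a small helper covers the dispatch-table case, where the routine is untouched but its service-table entry points outside the kernel image. The function names, the image base and size, and every byte sequence are constructed for the demo and are not real ntoskrnl.exe bytes or addresses.

```c
/* Added example (not from the cited report): integrity check of a kernel
 * function entry against its on-disk copy.  All bytes below are constructed
 * for the demo; they are not real ntoskrnl.exe bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_verdict {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32                                    */
    HOOK_JMP_RIPREL,    /* FF 25 disp32: jmp qword ptr [rip+disp32]    */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64; FF E0: mov rax, imm64; jmp rax */
    HOOK_PUSH_RET,      /* 68 imm32; C3: push imm32; ret               */
    HOOK_BYTES_DIFFER   /* no known trampoline, but bytes differ        */
};

static const char *verdict_names[] = {
    "clean", "jmp rel32", "jmp [rip+disp32]", "mov rax/jmp rax",
    "push/ret", "bytes differ from on-disk image"
};

const char *hook_verdict_name(enum hook_verdict v)
{
    return verdict_names[v];
}

/* Recognise trampolines commonly written over a function entry on x64. */
static enum hook_verdict classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_RIPREL;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)
        return HOOK_MOV_RAX_JMP;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)
        return HOOK_PUSH_RET;
    return HOOK_NONE;
}

/* Compare live entry bytes with the clean copy from the image.  A recognised
 * trampoline is reported by name; any other difference (a patch deeper in
 * the prologue) is reported as a bare mismatch.  Caveat: the first bytes of
 * an x64 function normally carry no base relocations, so a raw compare is
 * valid here; spans that contain relocations must be relocated to the live
 * image base before comparing. */
enum hook_verdict check_function_entry(const uint8_t *live,
                                       const uint8_t *clean, size_t len)
{
    enum hook_verdict v = classify_prologue(live, len);
    if (v != HOOK_NONE)
        return v;
    return memcmp(live, clean, len) == 0 ? HOOK_NONE : HOOK_BYTES_DIFFER;
}

/* Dispatch-table hooks leave the routine intact and redirect its service
 * table entry instead; there the check is whether the resolved target still
 * lies inside the kernel image. */
int target_outside_image(uint64_t target, uint64_t image_base, uint64_t image_size)
{
    return target < image_base || target >= image_base + image_size;
}

/* Constructed samples: a typical MSVC x64 prologue and three hooked variants. */
static const uint8_t kClean[15] = {
    0x48, 0x89, 0x5C, 0x24, 0x10,   /* mov [rsp+10h], rbx */
    0x48, 0x89, 0x74, 0x24, 0x18,   /* mov [rsp+18h], rsi */
    0x57,                           /* push rdi           */
    0x48, 0x83, 0xEC, 0x20          /* sub rsp, 20h       */
};
static const uint8_t kJmpHooked[15] = {
    0xE9, 0x11, 0x22, 0x33, 0x44,   /* jmp rel32 into the rootkit */
    0x48, 0x89, 0x74, 0x24, 0x18, 0x57, 0x48, 0x83, 0xEC, 0x20
};
static const uint8_t kMovRaxHooked[15] = {
    0x48, 0xB8, 0x00, 0x10, 0x00, 0x00, 0x80, 0xF8, 0xFF, 0xFF, /* mov rax, imm64 */
    0xFF, 0xE0,                                                 /* jmp rax        */
    0x83, 0xEC, 0x20
};
static const uint8_t kDeepPatch[15] = {
    0x48, 0x89, 0x5C, 0x24, 0x10, 0x48, 0x89, 0x74, 0x24, 0x18,
    0x90,                           /* push rdi replaced by nop */
    0x48, 0x83, 0xEC, 0x20
};

int main(void)
{
    const uint8_t *samples[] = { kClean, kJmpHooked, kMovRaxHooked, kDeepPatch };
    const char *labels[] = { "NtCreateFile (clean)", "NtCreateFile (jmp)",
                             "NtOpenProcess (mov rax/jmp)", "NtOpenProcess (deep patch)" };
    for (size_t i = 0; i < 4; i++)
        printf("%-28s -> %s\n", labels[i],
               hook_verdict_name(check_function_entry(samples[i], kClean, sizeof kClean)));
    return 0;
}
```

The trampoline classifier exists only to name the hook style in a finding; the byte compare against the on-disk image is what actually decides, which is why a patch past the first instruction (the fourth sample) is still reported even though no known trampoline matches.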

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.