Bypass Record

EDR Unhooking × SentinelOne Singularity

A publicly-reported instance of EDR Unhooking bypassing SentinelOne Singularity, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

SentinelOne Singularity

Technique

EDR Unhooking

MITRE ATT&CK

T1562.001

Confidence

High

Severity

High

Status

poc

Disclosed

2025-12-07

Config / version noted

Not stated

Provenance

github.com
disclosed 2025-12-07 · original source · via exa
github.com
disclosed 2025-12-09 · original source · via exa

Reported as

bypassing products like SentinelOne

Mechanism

The tool reads a clean clr.dll from disk, locates the original nLoadImage function bytes, and overwrites the hooked version in memory. This defeats EDR/AV hooks that intercept .NET assembly loads at the native CLR level, operating below AMSI and ETW.

Detection & mitigation

Monitor for suspicious memory write operations targeting clr.dll, especially writes that restore original function bytes from a clean on-disk copy. Deploy integrity checks on critical CLR functions and enforce kernel callbacks or hypervisor-based protections to prevent unauthorized in-memory patching of security-critical DLLs.

EDR Unhooking has also been recorded against

all major EDR solutions Bitdefender CrowdStrike Elastic major EDR vendor (unnamed)Microsoft Palo Alto Networks Sophos

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.