Bypass Record

EDR Unhooking × CrowdStrike Falcon

A publicly-reported instance of EDR Unhooking bypassing CrowdStrike Falcon, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: CrowdStrike Falcon
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2023-07-06
Config / version noted: Not stated

Provenance

Reported as: technique to unhook CrowdStrike Falcon's syscall hooks in ntdll.dll without using VirtualProtect

Mechanism

The technique identifies hooked functions by checking for a jmp after the initial mov r10, rcx. It resolves the hook jump chain through Falcon's DLL, then searches committed private executable memory for the address following the original hook (the return point of the relocated stub). Once found, it overwrites the original hook's jmp with a direct jmp to the relocated stub, bypassing Falcon's hook without calling VirtualProtect.

Detection & mitigation

Monitor for suspicious memory modifications in ntdll.dll, such as unexpected changes to syscall stubs or jumps, using integrity checks or ETW-based telemetry. Deploy kernel-level callbacks or hypervisor-based integrity monitoring to detect and prevent unauthorized patching of user-mode hooks.
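One form of the integrity check described above, as an added example that is not from the cited source or from any vendor: it compares a function's syscall-stub bytes as seen in memory with the clean bytes from the on-disk ntdll.dll image and flags a relative jmp placed either directly after the mov r10, rcx prologue (the pattern the record describes) or at the very start of the stub. The byte samples, function names and base addresses are constructed; reading the live module and the on-disk image is assumed to be done by the caller.

```python
import struct

MOV_R10_RCX = b"\x4c\x8b\xd1"  # x64 ntdll syscall stub prologue: mov r10, rcx
JMP_REL32 = 0xE9               # opcode of the 5-byte relative jmp used by inline hooks

def classify_stub(mem: bytes, disk: bytes, base: int = 0) -> dict:
    """Compare in-memory stub bytes with the clean on-disk bytes; report a finding."""
    n = min(len(mem), len(disk))
    if mem[:n] == disk[:n]:
        return {"state": "clean"}
    # Look for a rel32 jmp at the stub start, or right after mov r10, rcx
    for off in (0, len(MOV_R10_RCX)):
        if off and not mem.startswith(MOV_R10_RCX):
            continue
        if len(mem) >= off + 5 and mem[off] == JMP_REL32:
            rel = struct.unpack_from("<i", mem, off + 1)[0]
            target = base + off + 5 + rel  # rel32 is relative to the next instruction
            return {"state": "hooked", "jmp_offset": off, "target": target}
    # Bytes differ but no recognised jmp: still an anomaly, never assume benign
    first = next(i for i in range(n) if mem[i] != disk[i])
    return {"state": "modified", "first_diff": first}

def scan_snapshot(stubs: dict, base_of: dict) -> list:
    """Run classify_stub over {name: (mem_bytes, disk_bytes)}; return anomalies only."""
    findings = []
    for name, (mem, disk) in stubs.items():
        finding = classify_stub(mem, disk, base_of.get(name, 0))
        if finding["state"] != "clean":
            findings.append((name, finding))
    return findings

# Constructed samples (hypothetical SSN and addresses, not real values):
# clean prologue + mov eax, <SSN> + syscall + ret
CLEAN = MOV_R10_RCX + b"\xb8\x18\x00\x00\x00" + b"\x0f\x05\xc3"
HOOKED_AFTER_MOV = MOV_R10_RCX + b"\xe9" + struct.pack("<i", 0x1000) + b"\x0f\x05\xc3"
HOOKED_AT_START = b"\xe9" + struct.pack("<i", -0x100) + b"\x00\x00\x00" + b"\x0f\x05\xc3"

SAMPLE = {
    "NtAllocateVirtualMemory": (CLEAN, CLEAN),
    "NtProtectVirtualMemory": (HOOKED_AFTER_MOV, CLEAN),
    "NtWriteVirtualMemory": (HOOKED_AT_START, CLEAN),
}
BASES = {"NtProtectVirtualMemory": 0x7FF800001000, "NtWriteVirtualMemory": 0x7FF800002000}

if __name__ == "__main__":
    for name, finding in scan_snapshot(SAMPLE, BASES):
        print(name, finding)
```

A hit with state "hooked" whose target lies outside the ntdll image range is the signal to correlate with the loader and ETW telemetry the paragraph mentions.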


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.