Bypass Record

EDR Unhooking × major EDR vendor (unnamed) EDR product (unnamed)

A publicly-reported instance of EDR Unhooking bypassing major EDR vendor (unnamed) EDR product (unnamed), recorded with its original source. Factual record; no assessment of any specific deployment.

Product: major EDR vendor (unnamed) EDR product (unnamed)
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2024-06-11
Config / version noted: Not stated

Provenance

Reported as

successfully evaded detection by a major EDR vendor

Mechanism

The malware bypasses EDR user-mode API hooking by restoring the original syscall stub from ntdll.dll (unhooking) and then invoking system calls directly, avoiding the EDR's instrumented functions. This defeats behavior-based detection that relies on hooked API calls.

Detection & mitigation

Monitor for processes that read ntdll.dll from disk and then overwrite the in-memory API stubs (e.g., changing page protection with NtProtectVirtualMemory and writing with WriteProcessMemory) to restore the original syscall instructions. Deploy kernel-mode callbacks (PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks) and ETW-based syscall monitoring to detect direct syscall invocation patterns that bypass user-mode hooks.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.