Bypass Record

DLL Side-Loading × Microsoft Windows Defender

A publicly-reported instance of DLL Side-Loading bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: DLL Side-Loading
MITRE ATT&CK: T1574.002
Confidence: High
Severity: High
Status: poc
Disclosed: 2026-03-08
Config / version noted: Not stated

Provenance

Reported as

bypasses Defender's self-protection without requiring vulnerable drivers

Mechanism

Create a directory symbolic link in 'C:\ProgramData\Microsoft\Windows Defender\Platform' with a name representing a version higher than the current Defender version, pointing to an attacker-controlled folder containing a copy of Defender's executables. On reboot, the WinDefend service selects the highest version folder (the symlink) and executes from the attacker's writable path, allowing code injection or service tampering.

Detection & mitigation

Monitor for creation of symbolic links in 'C:\ProgramData\Microsoft\Windows Defender\Platform' with names that appear as version numbers higher than the legitimate Defender version. Enforce SACL auditing on the Platform directory to log symlink creation, and use endpoint detection to alert on WinDefend.exe loading DLLs from non-standard or writable paths.
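An added audit script for the check described above (written for this record, not taken from the cited source): it lists every entry under the Platform directory, flags any reparse point (directory symbolic link or junction), and flags any version-named folder claiming a version newer than the one Defender reports as running. It assumes Windows 10/11 with the Defender PowerShell module available, an elevated prompt, and that Platform folder names follow the `<version>-<n>` pattern (an assumption; the part before the hyphen is parsed as the version).

```powershell
# Added example, not from the cited source: audit the Defender Platform
# directory for reparse points and for version folders newer than the
# running platform. Run from an elevated PowerShell prompt.

$PlatformDir = 'C:\ProgramData\Microsoft\Windows Defender\Platform'

# Version of the platform actually in use, as reported by Defender itself.
$running = [version](Get-MpComputerStatus).AMProductVersion

$findings = foreach ($entry in Get-ChildItem -LiteralPath $PlatformDir -Force -Directory) {
    # Directory symbolic links and junctions carry the ReparsePoint attribute.
    $isReparse = $entry.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)

    # Assumed naming: <version>-<n>; parse the part before the hyphen.
    $claimed = $null
    $hasVersion = [version]::TryParse(($entry.Name -split '-')[0], [ref]$claimed)
    $newer = $hasVersion -and ($claimed -gt $running)

    [pscustomobject]@{
        Name          = $entry.Name
        ReparsePoint  = $isReparse
        # PowerShell exposes the link target on symlinks/junctions as .Target
        Target        = if ($isReparse) { ($entry.Target -join ',') } else { $null }
        ClaimedVersion = if ($hasVersion) { $claimed } else { $null }
        NewerThanRunning = $newer
        # Anything that is a link, claims a newer version, or does not look
        # like a version folder at all deserves a look.
        Suspicious    = $isReparse -or $newer -or (-not $hasVersion)
    }
}

$findings | Format-Table -AutoSize

$flagged = @($findings | Where-Object Suspicious)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} suspicious entries under {1}; review before the next reboot" -f $flagged.Count, $PlatformDir)
    foreach ($f in $flagged) {
        Write-Warning ("  {0}  reparse={1} newer={2} target={3}" -f $f.Name, $f.ReparsePoint, $f.NewerThanRunning, $f.Target)
    }
} else {
    Write-Host "No reparse points or out-of-range version folders under $PlatformDir"
}
```

A legitimate platform update can briefly leave a newer real folder beside the running one, so treat the version comparison as a prompt to inspect the entry, while a reparse point in this directory is unexpected regardless of its name.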

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.